cancel
Showing results for 
Search instead for 
Did you mean: 
Reply
qp_andy
Frequent Visitor

Security

Scenario: User has a desktop pro licence at Organisation A, as well as a personal O365 business subscription with Power BI.

Question: What security controls exist to stop that user publishing content from Organisation A into their own workspace on their own subscription?
6 REPLIES 6
v-joesh-msft
Solution Sage
Solution Sage

Hi @qp_andy ,

I'm a little confused by your description. Do you mean to restrict user A's permission to create reports in the workspace? If so, click Access in the workspace to set the user role to Viewer. Roles let you manage who can do what in a workspace, so teams can collaborate. New workspaces allow you to assign roles to individuals, and to user groups: security groups, Office 365 groups, and distribution lists. For more information, please refer to the documentation: 

Organize work in the new workspaces in Power BI

21.PNG22.PNG

Best Regards,

Community Support Team _ Joey
If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.

 

Let me try and make it clearer. There is one user (lets called him Dean) who has his own small IT company (Company A). Company A has an O365 Business subscription, and Dean is the admin and only user (Dean@CompanyA.com). He has a Power BI free user licence on this account so can create in Desktop and publish to his own workspace on PBI service.

 

Company B hires Dean to work on a Power BI project. Company B creates an AAD user account for Dean (Dean@companyB.com) so he can work on their network, and grants a PBI desktop pro licence with his Company B credentials. Dean creates and publishes content using his Dean@companyB.com credentials. All good.

 

BUT....

 

What is stopping Dean logging in to Company B's network (Dean@companyB.com), creating content in PBI Desktop using Company B's data, then logging into the PBI service using his Dean@CompanyA.com account and publishing that content to the Comany A workspace?

Hi @qp_andy ,

Power bi cannot limit which account the user uses to publish the report. If you want users to be unable to see content including data and reports on other networks, you can use DirectQuery or Live connection mode to connect to data or connect to a data source such as DataFlow.

Best Regards,

Community Support Team _ Joey
If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.

Seems a major flaw that there is no way to limit the domains/accounts being published to in power bi service, based on the windows account the publisher is logged into? Yes it will all be logged retrospectively, but by then it’s too late....

But this flaw is not specific to Power BI, there is also nothing stopping "dean" from downloading company B's data to csv files and then copying them to a usb drive or uploading them to dropbox, google drive or any of the cloud base file services. 

Hi @d_gosbell 

 

Thanks but that's a subtly different point - there could be endpoint security on the device to lock down all of the ports for example.

 

My main point is there should be a control available to admins that they can set, that compares the domain someone is publishing from, to the domain they are publishing to, and allow/disallow publishing based on the rules set. Unless I'm missing something, this doesn't exist.

 

 

 

Helpful resources

Announcements
Carousel_PBI_Wave1

2023 Release Wave 1 Plans

Power BI release plans for 2023 release wave 1 describes all new features releasing from April 2023 through September 2023.

Power BI Summit Carousel 2

Global Power BI Training

Make sure you register today for the Power BI Summit 2023. Don't miss all of the great sessions and speakers!

Thank you 2022 Review

2022 Monthly Feature Releases

We had a great 2022 with a ton of feature releases to help you drive a data culture.