Solved: Re: Separate report filters per customer

rsrwebsupport · ‎09-21-2021

I want to make one "master" report in Power BI and then give each individual customer the ability the view the report but only with data from them. For example, the report might be sales by month, so the customer would be able to see their own sales by month, but not sales for all customers. Is this possible? I originally looked at providing a filter to only show the one customer, but it seems like there's no secure way to do this according to this post. They recommend RLS, but the application will be owning the data so every customer will essentially be sharing the same Power BI account. Are there any other alternatives? I know I could technically create a separate report for every customer, but that seems like overkill.

Thanks.

rsrwebsupport · ‎09-22-2021

I came up with a potential solution, but I'm wondering if there is a better approach or if there are any potential security concerns with this approach.

On the model, I added a unique token to each customer
I also added a custom "valid" measure to the model that returns a boolean - TRUE if HASONEFILTER is true on both the customer ID and the customer token
I added a measure on the sales model so that the sales values return the correct value if "valid" (i.e. both customer ID and customer token have a single filter) and return 0 otherwise
In the report, I added the sales measure rather than the "real" sales value
I made the report filters pane hidden
When the report gets embedded, I pass in the customer ID and token as filters on the embed URL, which results in a report that is filtered for that customer with no filters visible to the user

Can anyone poke any holes in this approach? A hacker would need to know both a customer's ID and token to view their reports, so I think that would be secure? Is there a better approach I could be using instead?

EDIT: I spoke with Microsoft support, and they said the preferred approach is RLS, but that would require every customer to have a Power BI account. This isn't feasable in this case, so he said this workaround is probably the best approach given our constraints. I'm still interested though if anyone can think of any potential security holes with this approach.

View solution in original post

rsrwebsupport · ‎09-22-2021

I came up with a potential solution, but I'm wondering if there is a better approach or if there are any potential security concerns with this approach.

On the model, I added a unique token to each customer
I also added a custom "valid" measure to the model that returns a boolean - TRUE if HASONEFILTER is true on both the customer ID and the customer token
I added a measure on the sales model so that the sales values return the correct value if "valid" (i.e. both customer ID and customer token have a single filter) and return 0 otherwise
In the report, I added the sales measure rather than the "real" sales value
I made the report filters pane hidden
When the report gets embedded, I pass in the customer ID and token as filters on the embed URL, which results in a report that is filtered for that customer with no filters visible to the user

Can anyone poke any holes in this approach? A hacker would need to know both a customer's ID and token to view their reports, so I think that would be secure? Is there a better approach I could be using instead?

EDIT: I spoke with Microsoft support, and they said the preferred approach is RLS, but that would require every customer to have a Power BI account. This isn't feasable in this case, so he said this workaround is probably the best approach given our constraints. I'm still interested though if anyone can think of any potential security holes with this approach.

Separate report filters per customer

Helpful resources

Microsoft Fabric Learn Together

Power BI Monthly Update - April 2024

Fabric Community Update - April 2024