Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Register now to learn Fabric in free live sessions led by the best Microsoft experts. From Apr 16 to May 9, in English and Spanish.

Reply
Anonymous
Not applicable

Enterprise Gateway - Duplicating Data Sources or Gateways to segregate security access?

‎06-22-2017 01:35 PM

Here's the scenario...

 

       I have an oracle based Enterprise Data Warehouse (EDW) where enterprise data is consolidated for reporting.   Much of the data in the EDW is open to all employees.  However many areas of data are restricted to only certain users, such as production forecasts, and HR.  This database does not support SSO, so security access today is based on an Oracle userid and password for adhoc users, with application specific service accounts that grant access only to the appropriate data for applications and SSRS reports that display data from the EDW.

 

    This means that within the same Oracle database I have about 8 major groups of data that are secured to specific sets of users and application service accounts.

  • Group One - Visible to everyone
  • Group Two - Only visible to HR
  • Group Three - Only visible to production planners
  • etc... .

 

    To enforce this same level of security in Power BI, I need at least 8 differenct service accounts with rhe appropriate security to the underlying data.  No problem, we do this today with application and SSRS data source connections.

 

    However, when I setup a Power BI Enterprise Gateway to the EDW,  it only allows one gateway to be created for the production Oracle server, with a single service account.   This prevents me from entering a service account and password that is limited in scope based on the intended audience and the security profile of the underlying data.  I was hoping that it would use the full connection string, inluding the  userid (i.e. service account) as part of the comparison for duplicates, but apparently it only uses the database server.

 

   The only way that I can see to get around this is to create a separate Enterprise Data Gateway for each major security group in the EDW.

 

   Am I missing something.

 

Thx, Mike

 

 

Labels:
Message 1 of 4
1,289 Views
3 REPLIES 3
v-sihou-msft
Employee
Employee

‎06-23-2017 08:25 AM

@Anonymous

 

In this scenario, since you just want to limit the data access for different group of users, you only need to configure Row Level Security and create one role for each group, instead of duplicating multiple data source or gateway.

 

Regards,

Message 2 of 4
1,277 Views
0
Anonymous
Not applicable
In response to v-sihou-msft

‎06-28-2017 07:36 AM

    I agree that this would probably work if a central group such as IT were doing all of the development.  However, we expect that we may have a number of business data stewards / power users who will be building data models for their team workspaces. 

 

     For databases like Oracle, there is only one database connection allowed per database server.  This means that the service account for this one connection must have read access to all tables that might be used in any Power BI workspace that needs to pull data from that server.

 

    Let me expand on the scenario a bit....

 

        Assume Jill is a data steward in our production reporting group developing reports and data models around daily gas and oil production.  This data is not particually secure since it becomes public at the end of each month anyway.  These reports and data models are published into a Production reporting sandbox workspace that has wide visibility since this information is used by almost everyone.   Jill is an admin on this workspace.  

 

       Jill is also a member of a team that compares actual production to projected production based on estimated reserves and field development plans. This comparison is used to refine our reserves calculations and tune field production plans to maximize total recovery.   As part of this team Jill has security access to the reserves and production plan information. This information is restricted since is has a high competive value.   Reports and data models including the reserves information and production estimates are published into a reserves workspace with limited access.  Jill is not an admin on this workspace.

 

      Since both the reserves data and the daily production data reside in the same Oracle database, the service account entered into the enterprise data gateway must have access to both.

 

       Jill inadvertantly creates a data model that includes both production and reserves data and publishes it to the production reporting workspace.   Since there is only one enterprise gateway connection, and that connection has access to all data in the database, it happily refreshes both the "public" production data and the restricted data every month.

 

       Ideally, the gateway connection used by the production reporting workspace would have a service account that only gave it access to the public production data, so that even if a data model were inadvertantly published into that workspace, it would not refresh.   Jill would have be a member of the User group allowed to publish to the gateway connection, but could not publish to the connection that included restricted data.

 

      I would be nice if the uniqueness check for a data source connection in the gateway included the userid of the service account so that you could have multiple connections to the same database with different sets of data behind each account.     Currently the only way I can see to do this would be to have a multiple enterprise gateways.

 

Thx, Mike

     

Message 3 of 4
1,261 Views
Anonymous
Not applicable
In response to Anonymous

‎04-18-2018 10:54 AM

UPDATE:

 

We ended up creating Aliases to our Oracle Based EDW depending on the security classification of the data:

 

EDW_Internal.ourserver.net

EDW_Sensitive_Reserves.ourserver.net

EDW_Sensitive_Forecasts.ourserver.net

etc... .

 

This allows us to create a unique data connection in the gateway.  Each connection has a service account with appropriate permissions.  Everyone can publish reports to the internal connection in the gateway.  Only certain individuals can publish to the "sensitive" datasets.

 

We did this using additional TNS entries with different service names pointed at the same backend server.  This required deploying the extended TNS file to the gateway servers and also making it available to any report developers needing to publish sensitive data (so they could select the appropriate dataset name during development).

 

 

Message 4 of 4
942 Views
0

Helpful resources

Announcements
Microsoft Fabric Learn Together

Microsoft Fabric Learn Together

Covering the world! 9:00-10:30 AM Sydney, 4:00-5:30 PM CET (Paris/Berlin), 7:00-8:30 PM Mexico City

PBI_APRIL_CAROUSEL1

Power BI Monthly Update - April 2024

Check out the April 2024 Power BI update to learn about new features.

April Fabric Community Update

Fabric Community Update - April 2024

Find out what's new and trending in the Fabric Community.

View All
Top Solution Authors
View All
Top Kudoed Authors
View All