Skip to main content
cancel
Showing results for 
Search instead for 
Did you mean: 

Earn the coveted Fabric Analytics Engineer certification. 100% off your exam for a limited time only!

Restricting "Export Data" to security group does not work: everybody can export!

Hi,

 

As an admin, I enabled the "Export Data" feature but only for a subset of my users via a security group.

In this security group, there is only one user: mine.

 

In practice, all the reports that are published as embedded reports now have an "export data" option next to each visual. It gives the possibility to anybody that have access to the applications where the reports are embedded to export data (although only as a "Sumarized Export").

 

Furthermore, even after disabling again the "Export Data" feature completely for my organisation and waiting for 15mn, the visuals in the reports are still exportable when they are viewed as embedded reports.

 

Inside PowerBI service they are disabled as expected.

 

I would expect that the reports being accessed via a service principal (via embedding) would follow the rules applied to this service principal, i.e., if its security group is not allowed to export, users that access the report via embedding can't.

 

I would like also for my organisation to be fixed because I can't find any way to disable the export on all those reports, this is a strong security risk for us.

Status: New
Comments
v-qiuyu-msft
Community Support

Hi @victornoel

 

Please create a support ticket to let engineers look into the issue on your side. 

 

Support Ticket.gif

 

Best Regards,
Qiuyun Yu 

victornoel
Regular Visitor

Thank you, it is done, I didn't know this existed 🙂

victornoel
Regular Visitor

For the record:

- export data policies are applied equaly to normal users and service principals used for embedding reports

- when export data is disabled completely or for a security group of the service principals, even though the "export data" button is present in the embedded reports, clicking on it will show an error (so it means there is no security risks)