dapster105
Advocate III

Prevent users switching to Edit mode in embedded report

Hi,

I'm trying to get my head around security issues when embedding reports.

I have successfully registered a native app in Azure AD and restricted Power BI permissions to View ones only. So I am confident that my application cannot accidentally or maliciously make edits to reports.

I have the embedding of the report working well.

However, it seems with only basic knowledge any user viewing the report through my app can alter the embedded report.configuration.permissions to All and then call report.switchMode('edit') to switch to the editing view of the report.

Changes cannot be saved so there is no potential damage to the report, however further detail about the report is exposed in Edit view which I don't want to be, e.g. fieldnames.

So my questions are:

1. Why does the API allow the switchMode when App permissions are off?

2. Is there any way to prevent this being done via console? (I'm assuming not)

3. What is the worst a malicious user could do / discover just by stealing the embed token plainly visible in the JavaScript?

4. Is there a better way of controlling whether my app users are allowed to change filters, switch to edit mode etc. etc. if I don't want them to?

Thanks!

Tim

1 ACCEPTED SOLUTION
v-ljerr-msft
Employee

Hi @dapster105,

However, it seems with only basic knowledge any user viewing the report through my app can alter the embedded report.configuration.permissions to All and then call report.switchMode('edit') to switch to the editing view of the report.

I agree that there'll be some potential risks in this scenario. I would suggest you create a new issue here to see if the professional engineers have an alternative solution, and make a plan to enhance the SDK on this feature.

Regards
