Hi,
I'm trying to get my head around security issues when embedding reports.
I have successfully registered a native app in Azure AD and restricted Power BI permissions to View ones only. So I am confident that my application cannot accidentally or maliciously make edits to reports.
I have the embedding of the report working well.
However, it seems with only basic knowledge any user viewing the report through my app can alter the embedded report.configuration.permissions to All and then call report.switchMode('edit') to switch to the editing view of the report.
Changes cannot be saved so there is no potential damage to the report, however further detail about the report is exposed in Edit view which I don't want to be, e.g. field names.
So my questions are:
1. Why does the API allow the switchMode when App permissions are off?
2. Is there any way to prevent this being done via console? (I'm assuming not)
3. What is the worst a malicious user could do / discover just by stealing the embed token plainly visible in the javascript?
4. Is there a better way of controlling whether my app users are allowed to change filters, switch to edit mode, etc., if I don't want them to?
Thanks!
Tim
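An added example, not code from this thread or from Microsoft: the embed config and `report.switchMode` are browser-side UI state that any user can change from the console, so the only boundary the service enforces is the embed token that the server mints with the REST GenerateToken call (`accessLevel`, `allowSaveAs`, and the `expiration` in its response). The helper below audits a token request plus the client config and lists what a stolen token would actually grant; the numeric enum values are assumed to match the powerbi-models package, and the field names are the documented REST/SDK ones.

```javascript
// Added example (not from the thread). The powerbi-client config and
// report.switchMode() only shape the UI; the server-minted embed token is
// what the Power BI service enforces. auditEmbed() reports what a holder
// of that token could do regardless of anything done in the browser.

// Enum values assumed to match the powerbi-models package; verify against
// the version you ship before relying on them.
const TokenType = { Aad: 0, Embed: 1 };
const Permissions = { Read: 0, All: 7 };
const ViewMode = { View: 0, Edit: 1 };

// Server side: request body for POST .../reports/{reportId}/GenerateToken.
// "View" is the narrowest access level the token can carry.
function viewerTokenRequest() {
  return { accessLevel: "View", allowSaveAs: false };
}

// Client side: config handed to powerbi.embed(). Every field here is
// advisory; the thread's Q1 is exactly that a user can flip them at runtime.
function viewerEmbedConfig(embedToken, embedUrl, reportId) {
  return {
    type: "report", tokenType: TokenType.Embed, accessToken: embedToken,
    embedUrl, id: reportId, permissions: Permissions.Read,
    viewMode: ViewMode.View, settings: { filterPaneEnabled: false },
  };
}

// Returns a list of findings. An empty list means a stolen token is limited
// to viewing this one report until the expiration the GenerateToken
// response reports (tokenResponse.expiration, ISO 8601).
function auditEmbed(tokenRequest, embedConfig, tokenResponse, now = new Date()) {
  const findings = [];
  if (embedConfig.tokenType !== TokenType.Embed)
    findings.push("browser holds an AAD user token, not a scoped embed token");
  if (tokenRequest.accessLevel !== "View")
    findings.push(`accessLevel ${tokenRequest.accessLevel}: token holder can edit, not only view`);
  if (tokenRequest.allowSaveAs === true)
    findings.push("allowSaveAs: token holder can save a copy of the report");
  if (tokenResponse && new Date(tokenResponse.expiration) <= now)
    findings.push("token expired: page must fetch a fresh one from the server");
  if (embedConfig.permissions !== Permissions.Read || embedConfig.viewMode !== ViewMode.View)
    findings.push("app ships the edit UI; a user can reach it anyway, so treat field names as visible");
  return findings;
}
```

A finding on `tokenType` or `accessLevel` is the one that matters for the thread's Q3: those are enforced by the service, whereas the last check only describes what the page reveals.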
Hi @dapster105,
However, it seems with only basic knowledge any user viewing the report through my app can alter the embedded report.configuration.permissions to All and then call report.switchMode('edit') to switch to the editing view of the report.
I agree that there'll be some potential risks in this scenario. I would suggest you create a new issue here to see if the professional engineers have an alternative solution, and make a plan to enhance the sdk on this feature.
Regards