Security, RLS, CLS and downloading pbix

I have tables called
Groups that has AD_Group, Login_ID,
Security that has AD_Group, Territory
Fact that has SalesValue, SalesCost, SalesProfit, Territory

Manage Roles - Anyone in the general access role we filter by Login_ID = USERPRINCIPALNAME()

So if you are in the group that can see data for the UK, this then only shows you data for the UK.

So that's row level security done, and it works OK.

Now we also have a group that can't see SalesCost and SalesProfit.
If you are in that group, there is a Measure [SensitiveData] that is 1 if you can see it or 0 if you can't.

I thought we were done there but…
What happens if a user downloads the pbix for the data set? They will be able to see all of the inner workings.
If a user does the same, downloading the report linked to the data set, they can publish a modified data set and repoint the report.

Is this really a secure way of working?

Thanks
E

Hi,

While sharing the report, you can mention the right of the user as viewer, so that the user is not able to download the pbix, and it will be secure.

Thanks,
Anurag

@Anurag
Thanks, I had not noticed that. I think I need to read up on the permissions on the data set and report, as a lot of people will be getting build permissions, which may not be good.
Thanks
E

Hi,

If my response solves the issue, then mark it as the solution and close this thread.

Thanks,
Anurag