Power BI Embedded security for multi-tenant data stores – Role Level Security

  • Article

I often preface customer conversations by going into my past experiences of using data "behind the scenes" or in the "back-end" context. This basically means that I'm not normally one to get excited about new data visualizations or tools that allow data consumers to slice & dice data or pivot data to the n-th degree of complexity. While I recognize this is often a challenge and that real business value can be realized using tools like this – when I have my way I often try to find a way to get my data into a desired end result using a set of scripts utilizing a myriad of tools often associated with data developers, wranglers or curators (R, bash commands, SQL & PowerShell are usually my go-to tools).

That being said every once in a while, something on the "visual layer" toolbox gets my attention and recently this has been Power BI Embedded (https://azure.microsoft.com/en-us/services/power-bi-embedded/). Simply put Power BI Embedded is a service that allows users to embedded a Power BI (https://powerbi.microsoft.com/) visual report directly into a web application. This is useful due to these challenges:

  1. Application developers often want/need to be focused on the core functionality of the application – not visualizing data that is often a by-product of the application or line of business process.
  2. Making engaging and attractive data visuals is a daunting task for many organizations.
  3. Monetizing data often brings challenges around proper costing to users – especially in a multi-tenant environment.

It's one thing to provide a service like Power BI Embedded for internal-facing end users where many times data are protected by database or data store level security via role-based authorization (RBAC) and user accounts authenticated through a central identity management system like Active Directory, LDAP or a Kerberos KDC. It is another challenge if there are applications that bake in their own authentication and authorization mechanisms while accessing the data store via a central per-application service-user account, and those end users might even be outside your organization and too numerous to make purchasing a reporting-user license cost effective. I've worked closely with a number of applications like there and there are reasons for architecting an application like this as well as reasons for not – I won't go into these here.

Role Level Security

The good news is that Power BI Embedded can make use of a feature called Role Level Security that allows you to customize the data request with predicate values and security provide each user their own returned set of data (based on existing authorization that is built into a custom multi-tenant web application). More details of Role Level Security can be found here. This is how Power BI Embedded with Role Level Security helps solve the 3 challenges above.

Allowing application developers to focus on core application functionality

Power BI Embedded allows the insertion of a Power BI report (PBIX file) via an IFRAME. This allows for easy integration with existing web applications. REST & .NET APIs are available as well as SDKs for .NET and JavaScript.

Easily Creating Engaging & Powerful Visuals

Power BI is widely known for making it easy to create powerful & dynamic data visualizations. It provides the capability to build custom visualizations, publish to internal organization users and connect to a wide variety of static and real-time data sources ranging from files, databases, NoSQL stores, and streaming data tools.

Enabling Monetization of Data

Power BI Embedded is an Azure service and as such you can easily create multiple Power BI Embedded Workspace Collections within an Azure subscription. Within a Power BI Embedded Workspace Collections there are Workspaces and within Workspaces there are published reports. Many reports can be published to a Workspace and many Workspaces can be contained in a Collection. This hierarchy allows an organization to know which Collections, Workspaces and Reports are being used. Power BI Embedded billing does not depend on a user or application count but instead is per session, more details on per session billing can be found here (as well as the latest prices).

 

Additional resources for Power BI Embedded & Role Level Security to get started: