The rapid rise of AI, and in particular AI analytics platforms such as Microsoft Fabric, has increasingly led to the use of business analytics tools such as Power BI.
The development of AI analytics necessitates that organizations collect large amounts of data to train models and conduct robust analyses. Different departments require access to this data to make the most of their AI analytics. Organizations and data teams require a way to make data available for different departments while still ensuring that access is limited and only granted to those who require this information.
In response, Microsoft provided the ability to create row-level security policies within Power BI. A successful implementation of Power BI with RLS has enormous security potential; however, it is very difficult to implement and scale. It is time and resource intensive for data teams to implement RLS at scale on Power BI so that organizations can remain AI ready.
In this blog post we explore how to implement and scale RLS for Power BI with Satori.
Row-Level Security on Power BI
Row-level security (RLS) with Power BI restricts data access for given users so that data access and sensitive information remain secure. This is critical given the large amounts of data that organizations collect and use within their AI analytics platforms.
However, part of the reason that the implementation of RLS on Power BI has stalled is the need to learn a new format called DAX, or Data Analysis Expressions. Data Analysis Expressions (DAX) is a library of functions and operations that can be combined to build formulas and expressions in Power BI, analysis services, and Power Pivot in Excel data models.
Using DAX data teams can implement RLS based on roles, this capability is not available in Power Pivot in Excel. The RLS applies to both specific and related rows, DAX limits access by simply not returning results on the allowed row set.
While DAX language is not a complex language, it is another language that BI analysts and report builders need to learn. DAX models are also tightly coupled to the data model as well as the visual widgets invoking the DAX, leading to multiple points of potential failure. The industry consensus is that DAX is simple, but not easy to use.
DAX is also very difficult to scale. Managing translations to the DAX, including the need to add or modify permissions, is a lengthy and involved process.
Using DAX to implement and modify RLS on Power BI consumes a significant amount of data teams efforts. Pushing the management of RLS in DAX to a platform like Satori speeds up time to implementation.
RLS on Power BI with Satori
In response, Satori simplifies Power BI enforcements by leveraging attribute-based access controls (ABAC) to dynamically design, deploy, and manage the DAX expressions and lookup tables that power the filtering capabilities.
Satori allows for dynamically designing and deploying DAX expressions and lookup tables. This means you can set up rules and conditions based on attributes such as user roles, departments, locations, etc. These attributes can dynamically filter data based on who is accessing the Power BI reports or dashboards. ABAC using Satori provides greater flexibility and scalability compared to traditional static access controls. As organizational needs evolve or as new attributes become relevant (such as new user roles or projects), these can be easily incorporated into the access control rules without significant overhead.
Satori assigns attributes for ABAC in many ways that reduce the friction associated with implementing RLS for Power BI. This reduces the time that data teams need to spend ensuring that data access is secured while maintaining AI readiness.
Satori enables data teams to implement RLS through the use of specific attributes. This extends to RLS on Power BI.
Read about Satori’s ABAC access controls here.
An Example
This organization wants to filter data and access based on user locations.
Without DAX implementation in reports, accessing control to specific data fields requires editing the query directly. These filters can be based on specific criteria or conditions, such as excluding certain rows or columns based on user attributes. BUT…and this is a big but…this means the data loaded into the report is pre-filtered, and thus if different users need access to different data, multiple reports would need to be built. This can grow exponentially and is exactly why Power BI has implemented DAX modeling for RLS.
In this example, Satori reduces the time and simplifies the implementation of ABAC using a Geographic RLS filter.
Satori looks at the Identity Provider to determine if the user has permissions for specific states.
Satori checks if the User has the “state” attribute configured in the IdP. If they do, they get a “State” filter. If they don’t, no rows are returned on this protected Power BI report.
This creates a security approach that prevents accidental data leakage, including from internal sharing of reports.
Satori imports this variable and records that the user has a “WA” state attribute configured in the IdP.
Satori added RLS to the report, producing the following Power BI view for the current user.
A different user with different permissions, in this case, authorization to a wide range of states gains access to all data. This shows the dynamic ability of using Satori with Power BI where different users privileged with different access, are automatically granted access to that data, quickly and easily.
Conclusion
Power BI is an important tool for organizations that use large amounts of data for AI analytics. However, ensuring that this data is secured so that it can quickly and easily be shared, using native capabilities in Power BI, is time consuming and resource intensive for data teams. Satori provides dynamic RLS on Power BI and just-in-time access to data to enable faster data sharing across organizations with users who have different security permissions; without draining data teams resources.
To learn more about how Satori can help your organization become AI-ready through RLS on Power BI book a demo with one of our experts.