
Power BI#

This section covers how to enable and configure the Privacera Power BI connector for fine-grained, workspace-level access control on Power BI running in Azure. A Privacera policy grants permissions according to the Power BI workspace roles: Admin, Member, Contributor and Viewer. Only users and groups from Azure Active Directory are allowed in Azure Power BI.

Prerequisites#

Ensure that the following prerequisites are met:

  1. Create a service principal (app registration) and an application secret for Power BI, and note the following values from the Azure Portal. For more information, refer to the Microsoft Azure documentation.

    • Application (client) ID
    • Directory (tenant) ID
    • Client Secret
  2. Create an Azure AD security group and add the Power BI application (service principal) to it. This is required because the Power BI tenant settings that grant service principals API access can be applied only to security groups, not to individual service principals. For more information, refer to the Microsoft Azure documentation.

    Follow the steps in the Microsoft documentation, and configure the following to create the group and add the Power BI application as a member:

    1. On the New Group dialog, select Security as the Group type, and then enter the required group details.

    2. Click Create.

    3. On the Add members dialog, select your Power BI application.

  3. Configure the Power BI tenant settings so that service principals can call the Power BI REST APIs. For more information, refer to the Microsoft Azure documentation.

    In the Power BI Admin portal, under Tenant settings, configure the following:

    1. In Developer settings, enable Allow service principals to use Power BI APIs.

    2. Select Specific security groups (Recommended), and then add the security group you created above.

    3. In Admin API settings, enable Allow service principals to use read-only Power BI admin APIs (Preview). For more information, refer to the Microsoft Azure documentation.

    4. Select Specific security groups, and then add the security group you created above. Keep both settings scoped to that group rather than the entire organization: the admin APIs return metadata for every workspace in the tenant, so any service principal granted them can enumerate them all.

  4. Enable Privacera UserSync for Azure AD so that it pulls the group ID attribute (the Azure AD object ID) for groups. For more details, refer to the topic Azure Active Directory - Data Access User Synchronization.

CLI Configuration#

  1. SSH to the instance where Privacera is installed.

  2. Run the following command.

    cd ~/privacera/privacera-manager/config
    cp sample-vars/vars.policysync.powerbi.yml custom-vars/
    vi custom-vars/vars.policysync.powerbi.yml
    
  3. Set the properties for your specific installation. For property details and description, see the Configuration Properties section that follows.

    Note

    Along with the above properties, you can add custom properties that are not included by default. For more information about these properties, see Power BI Connector.

  4. Run the following command:

    cd ~/privacera/privacera-manager/
    ./privacera-manager.sh update
    

Configuration Properties#

Each property is listed with whether it is mandatory, its description, its default value where one exists, and an example value.

  POWER_BI_USERNAME
    Mandatory: Yes, unless client-secret authentication is used (either username/password or a client secret is needed).
    Description: Username for authentication with Power BI.
    Example: user1

  POWER_BI_PASSWORD
    Mandatory: Yes, unless client-secret authentication is used.
    Description: Password for authentication with Power BI.

  POWER_BI_TENANT_ID
    Mandatory: Yes
    Description: Directory (tenant) ID of the Azure AD tenant associated with the Azure subscription. To get the value, go to Azure portal > Azure Active Directory > Properties > Tenant ID.
    Example: 5aXcXa2b-fdXX-XXXX-XXXX-c3172bXXaXXe

  POWER_BI_CLIENT_ID
    Mandatory: Yes
    Description: Application (client) ID of the service principal used for authentication with Power BI. To get the value, go to Azure portal > Azure Active Directory > App registrations > your application > Overview > Application (client) ID.
    Example: 3eeXXXXX-XXXe-XXcf-aXXX-fXad7dXXXXXe

  POWER_BI_CLIENT_SECRET
    Mandatory: Yes, unless username/password authentication is used (either username/password or a client secret is needed).
    Description: Client secret of the application used for authentication with Power BI. Treat it like a password: keep it out of version control and rotate it before it expires.
    Example: String

  POWER_BI_V2_ENABLE
    Mandatory: Yes
    Description: Enables or disables the PolicySync Power BI connector.
    Default: true

  POWER_BI_MANAGE_WORKSPACE_LIST
    Mandatory: Yes
    Description: Comma-separated names of the workspaces to be managed. Only these workspaces are given access control through Power BI policies. Wildcards can be used; for example, demo* manages all workspaces named demo1, demo2 and so on.
    Example: demo1,demo2,demo3

  POWER_BI_MANAGE_USER_LIST
    Mandatory: No; skip it to manage all users.
    Description: Comma-separated user names whose access control should be managed by PolicySync. Wildcards are supported. The ignore-user list takes precedence over this list.
    Example: user1,user2,dev_user*

  POWER_BI_MANAGE_GROUP_LIST
    Mandatory: No; skip it to manage all groups.
    Description: Comma-separated group names whose access control should be managed by PolicySync. Wildcards are supported. The ignore-group list takes precedence over this list.
    Example: group1,group2,dev_group*

  POWER_BI_IGNORE_WORKSPACE_LIST
    Mandatory: Yes
    Description: Comma-separated names of the workspaces to be ignored. These workspaces are not given access control through Power BI policies.
    Example: demo1,demo2,demo3

  POWER_BI_IGNORE_USER_LIST
    Mandatory: Yes; leave it blank if no users should be ignored.
    Description: Comma-separated user names whose access control should not be managed by PolicySync. Wildcards are supported. This list takes precedence over POWER_BI_MANAGE_USER_LIST.
    Example: user1,user2,dev_user*

  POWER_BI_MANAGE_USER_FILTERBY_GROUP
    Mandatory: Yes
    Description: Set to true to manage only those users who belong to the groups specified in POWER_BI_MANAGE_GROUP_LIST.
    Default: false

  POWER_BI_ENABLE_AUDIT
    Mandatory: Yes
    Description: Enables retrieval of access audits from Power BI.
    Default: false
    Example: false

  POWER_BI_AUDIT_LOAD_KEY
    Mandatory: Yes
    Default: load

  POWER_BI_GRANT_UPDATES
    Mandatory: Yes
    Description: Determines whether the actual grant/revoke and create/update/delete operations for users, groups and roles are run against Power BI.
    Default: true
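The list semantics above (wildcards, the ignore list taking precedence over the manage list, an unset manage list meaning "manage all", and POWER_BI_MANAGE_USER_FILTERBY_GROUP) and the either/or rule for credentials are easy to get wrong, so here is an added Python model of them. It is example code written for this page, not Privacera's implementation: the vars file contents, the tenant inventory and the group memberships are constructed; wildcard matching is assumed to behave like shell globs; and the filter-by-group option is assumed to narrow POWER_BI_MANAGE_USER_LIST rather than replace it.

```python
"""Constructed model of the PolicySync Power BI scoping rules described above.

Added example, not Privacera's code: reads a sample custom-vars/vars.policysync.powerbi.yml,
checks that one authentication method is fully configured, and resolves which workspaces,
users and groups fall in scope given the manage/ignore lists.
Assumptions not stated on the page: wildcards behave like shell globs (fnmatch), and
POWER_BI_MANAGE_USER_FILTERBY_GROUP narrows POWER_BI_MANAGE_USER_LIST rather than replacing it.
"""
import fnmatch

# Constructed sample of custom-vars/vars.policysync.powerbi.yml (values are placeholders).
SAMPLE_VARS = """\
POWER_BI_V2_ENABLE: "true"
POWER_BI_TENANT_ID: "5aXcXa2b-fdXX-XXXX-XXXX-c3172bXXaXXe"
POWER_BI_CLIENT_ID: "3eeXXXXX-XXXe-XXcf-aXXX-fXad7dXXXXXe"
POWER_BI_CLIENT_SECRET: "replace-with-app-secret"
POWER_BI_MANAGE_WORKSPACE_LIST: "demo*,finance"
POWER_BI_IGNORE_WORKSPACE_LIST: "demo_sandbox"
POWER_BI_MANAGE_USER_LIST: "user1,user2,dev_user*"
POWER_BI_IGNORE_USER_LIST: "dev_user_bot"
POWER_BI_MANAGE_GROUP_LIST: "analysts,dev_group*"
POWER_BI_MANAGE_USER_FILTERBY_GROUP: "true"
POWER_BI_GRANT_UPDATES: "true"
"""

AUTH_SECRET_KEYS = ("POWER_BI_TENANT_ID", "POWER_BI_CLIENT_ID", "POWER_BI_CLIENT_SECRET")
AUTH_PASSWORD_KEYS = ("POWER_BI_USERNAME", "POWER_BI_PASSWORD")


def parse_vars(text):
    """Parse flat 'KEY: "value"' lines; blank lines and # comments are skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        props[key.strip()] = value.strip().strip('"').strip("'")
    return props


def split_list(value):
    """Turn a comma-separated property value into a list of patterns."""
    return [p.strip() for p in (value or "").split(",") if p.strip()]


def matches_any(name, patterns):
    return any(fnmatch.fnmatchcase(name, p) for p in patterns)


def in_scope(name, manage, ignore):
    """Ignore list wins over manage list; an empty manage list means 'manage all'."""
    if matches_any(name, ignore):
        return False
    return not manage or matches_any(name, manage)


def auth_method(props):
    """Return 'client_secret', 'password', or None when neither method is complete."""
    if all(props.get(k) for k in AUTH_SECRET_KEYS):
        return "client_secret"
    if all(props.get(k) for k in AUTH_PASSWORD_KEYS):
        return "password"
    return None


def resolve_scope(props, workspaces, users, groups, membership):
    """membership maps user -> set of group names (what UserSync would supply)."""
    def lst(key):
        return split_list(props.get(key))

    managed_ws = [w for w in workspaces
                  if in_scope(w, lst("POWER_BI_MANAGE_WORKSPACE_LIST"),
                              lst("POWER_BI_IGNORE_WORKSPACE_LIST"))]
    # The page says an ignore-group list takes precedence but does not name the
    # property, so no group ignore list is modelled here.
    managed_groups = [g for g in groups
                      if in_scope(g, lst("POWER_BI_MANAGE_GROUP_LIST"), [])]
    filter_by_group = props.get("POWER_BI_MANAGE_USER_FILTERBY_GROUP", "false").lower() == "true"
    managed_users = []
    for u in users:
        if not in_scope(u, lst("POWER_BI_MANAGE_USER_LIST"), lst("POWER_BI_IGNORE_USER_LIST")):
            continue
        if filter_by_group and not membership.get(u, set()) & set(managed_groups):
            continue
        managed_users.append(u)
    return {"workspaces": managed_ws, "users": managed_users, "groups": managed_groups,
            "apply_changes": props.get("POWER_BI_GRANT_UPDATES", "true").lower() == "true"}


# Constructed inventory standing in for what the connector would list from the tenant.
WORKSPACES = ["demo1", "demo2", "demo_sandbox", "finance", "hr"]
USERS = ["user1", "user2", "user3", "dev_user_1", "dev_user_bot"]
GROUPS = ["analysts", "dev_group_a", "sales"]
MEMBERSHIP = {"user1": {"analysts"}, "user2": {"sales"}, "user3": {"analysts"},
              "dev_user_1": {"dev_group_a"}, "dev_user_bot": {"dev_group_a"}}


def demo():
    props = parse_vars(SAMPLE_VARS)
    if auth_method(props) is None:
        raise SystemExit("neither username/password nor client-secret auth is fully configured")
    return resolve_scope(props, WORKSPACES, USERS, GROUPS, MEMBERSHIP)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With the sample values, demo_sandbox drops out even though demo* matches it, dev_user_bot drops out despite dev_user*, and user2 drops out because its only group (sales) is not in POWER_BI_MANAGE_GROUP_LIST while filter-by-group is on. Run the same check against your own custom-vars file before `./privacera-manager.sh update` to confirm the scope is what you intend.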

Limitations#

  • Roles in a resource policy in Access Management are not supported.

  • Only AAD users and groups are supported in a resource policy in Access Management. Local users and groups (created manually in Access Management) are not supported.