Privacera Platform master publication

Power BI

This section describes how to enable and configure the Privacera Power BI connector for workspace-level fine-grained access control on Power BI running in Azure. You can set permissions in a Privacera policy according to the workspace roles: Admin, Member, Contributor, and Viewer. Azure Power BI accepts only users and groups from Azure Active Directory.

Prerequisites

Ensure that the following prerequisites are met:

  1. Create a service principal and an application secret for Power BI, and collect the following information from the Azure Portal. For more information, refer to the Microsoft Azure documentation.

    • Application (client) ID

    • Directory (tenant) ID

    • Client Secret

  2. Create a group and assign the Power BI application you created to it. This is required because the Power BI Admin API permits service principals only through membership in an Azure AD group. For more information, refer to the Microsoft Azure documentation.

    Follow the steps in the Azure documentation, and configure the following to create the group and add the Power BI application as a member:

    1. On the New Group dialog, select Security as the Group type, and then add the required group details.

    2. Click Create.

    3. On the Add members dialog, select your Power BI application.

  3. Configure the Power BI tenant to allow service principals to use the Power BI REST APIs. For more information, refer to the Microsoft Azure documentation.

    Follow the steps in the Azure documentation and configure the following:

    1. In the Developer settings, enable Allow service principals to use Power BI APIs.

    2. Select Specific security groups (Recommended), and then add the Power BI group you created above.

    3. In the Admin API settings, enable Allow service principals to use read-only Power BI admin APIs (Preview). For more information, refer to the Microsoft Azure documentation.

    4. Select Specific security groups, and then add the Power BI group you created above.

  4. Enable Privacera UserSync for AAD so that it pulls the group ID attribute. For more details, refer to the topic Azure Active Directory - Data Access User Synchronization.

CLI Configuration

  1. SSH to the instance where Privacera is installed.

  2. Run the following commands:

    cd ~/privacera/privacera-manager/config
    cp sample-vars/vars.policysync.powerbi.yml custom-vars/
    vi custom-vars/vars.policysync.powerbi.yml

  3. Set the properties for your specific installation. For property details and descriptions, see the Configuration Properties section that follows.

    Note

    Along with the above properties, you can add custom properties that are not included by default. For more information about these properties, see Power BI Connector.

  4. Run the following commands:

    cd ~/privacera/privacera-manager/
    ./privacera-manager.sh update

Configuration Properties

Connection configuration related properties

Table 49. Connection configuration related properties

POWER_BI_USERNAME
  Type: string | Default: (none) | Required: Yes
  Specifies the authentication username. If you do not specify this value, you must specify a secret for POWER_BI_CLIENT_SECRET.

POWER_BI_PASSWORD
  Type: string | Default: (none) | Required: Yes
  Specifies the authentication password. If you do not specify this value, you must specify a secret for POWER_BI_CLIENT_SECRET.

POWER_BI_TENANT_ID
  Type: string | Default: (none) | Required: Yes
  Specifies the tenant ID associated with your Microsoft Azure account.

POWER_BI_CLIENT_ID
  Type: string | Default: (none) | Required: Yes
  Specifies the principal ID for authentication.

POWER_BI_CLIENT_SECRET
  Type: string | Default: (none) | Required: Yes
  Specifies a client secret for authentication. If you do not specify this value, you must specify both POWER_BI_USERNAME and POWER_BI_PASSWORD.



Load keys and intervals

Table 50. Load keys and intervals

POWER_BI_RESOURCE_SYNC_INTERVAL
  Type: integer | Default: 60 | Required: No
  Specifies the interval in seconds for PolicySync to wait before checking for new resources or changes to existing resources.

POWER_BI_PRINCIPAL_SYNC_INTERVAL
  Type: integer | Default: 420 | Required: No
  Specifies the interval in seconds for PolicySync to wait before reconciling principals (users, groups, and roles) with those in the data source. When differences are detected, PolicySync updates the principals in the data source accordingly.

POWER_BI_PERMISSION_SYNC_INTERVAL
  Type: integer | Default: 540 | Required: No
  Specifies the interval in seconds for PolicySync to wait before reconciling Apache Ranger access control policies with those in the data source. When differences are detected, PolicySync updates the access control permissions on the data source accordingly.

POWER_BI_AUDIT_SYNC_INTERVAL
  Type: integer | Default: 30 | Required: No
  Specifies the interval in seconds to elapse before PolicySync retrieves access audits and saves the data in Privacera.
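As an added example (not Privacera's own code), a pre-flight check of a constructed custom-vars/vars.policysync.powerbi.yml against the requirements stated in Tables 49 and 50: tenant and client ID present, either a client secret or a username/password pair, intervals that are positive integers, and boolean flags that are true or false. It assumes the file holds flat KEY: value entries; the IDs and secret in the sample are placeholders.

```python
import re

# Constructed sample of custom-vars/vars.policysync.powerbi.yml (assumption: the file
# holds flat "KEY: value" entries). The IDs and secret are placeholders, not credentials.
SAMPLE_VARS = """\
POWER_BI_TENANT_ID: "00000000-0000-0000-0000-000000000000"
POWER_BI_CLIENT_ID: "11111111-1111-1111-1111-111111111111"
POWER_BI_CLIENT_SECRET: "<placeholder-client-secret>"
POWER_BI_RESOURCE_SYNC_INTERVAL: 60
POWER_BI_AUDIT_ENABLE: true
POWER_BI_MANAGE_WORKSPACE_LIST: "demo1,demo2,sales*"   # wildcards allowed
"""
INTERVAL_KEYS = ("POWER_BI_RESOURCE_SYNC_INTERVAL", "POWER_BI_PRINCIPAL_SYNC_INTERVAL",
                 "POWER_BI_PERMISSION_SYNC_INTERVAL", "POWER_BI_AUDIT_SYNC_INTERVAL",
                 "POWER_BI_AUDIT_INITIAL_PULL_MINUTES")
# Quoted values keep everything between the quotes (the regex defaults contain '#');
# unquoted values end at a trailing '# comment'.
_LINE = re.compile(r'^\s*([A-Z0-9_]+)\s*:\s*(?:"([^"]*)"|([^#]*?))\s*(?:#.*)?$')


def parse_vars(text):
    """Parse the flat KEY: value lines into a dict of string values."""
    props = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            props[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return props


def check_vars(props):
    """Return the problems to fix before running privacera-manager.sh update, following
    the requirements stated in the connection and interval property tables."""
    problems = []
    for key in ("POWER_BI_TENANT_ID", "POWER_BI_CLIENT_ID"):
        if not props.get(key):
            problems.append(f"{key} is required")
    has_user_pw = props.get("POWER_BI_USERNAME") and props.get("POWER_BI_PASSWORD")
    if not (props.get("POWER_BI_CLIENT_SECRET") or has_user_pw):
        problems.append("set POWER_BI_CLIENT_SECRET, or both POWER_BI_USERNAME and POWER_BI_PASSWORD")
    for key in INTERVAL_KEYS:
        value = props.get(key)
        if value is not None and not (value.isdigit() and int(value) > 0):
            problems.append(f"{key} must be a positive integer, got {value!r}")
    for key in ("POWER_BI_AUDIT_ENABLE", "POWER_BI_GRANT_UPDATES"):
        value = props.get(key)
        if value is not None and value.lower() not in ("true", "false"):
            problems.append(f"{key} must be true or false, got {value!r}")
    return problems
```

Running check_vars(parse_vars(SAMPLE_VARS)) returns an empty list; a file with a username but no password, or a negative interval, is reported before the update is applied.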



Resources management

Table 51. Resources management

POWER_BI_MANAGE_WORKSPACE_LIST
  Type: string | Default: (none) | Required: No
  Specifies a comma-separated list of workspace names for which PolicySync manages access control. If unset, access control is managed for all workspaces. You can use wildcards, and names are case-sensitive. An example list of workspaces might resemble the following: demo1,demo2,sales*. If specified, POWER_BI_IGNORE_WORKSPACE_LIST takes precedence over this setting.

POWER_BI_IGNORE_WORKSPACE_LIST
  Type: string | Default: (none) | Required: No
  Specifies a comma-separated list of workspace names that PolicySync does not provide access control for. You can use wildcards, and names are case-sensitive. If not specified, all workspaces are subject to access control. This setting supersedes any values specified by POWER_BI_MANAGE_WORKSPACE_LIST.



Users/Groups/Roles management

Table 52. Users/Groups/Roles management

POWER_BI_USER_NAME_REPLACE_FROM_REGEX
  Type: string | Required: No
  Default: [~`$&+:;=?@#|'<>.^*()_%\\\\[\\\\]!\\\\-\\\\/\\\\\\\\{}]
  Specifies a regular expression to apply to a user name; each matching character is replaced with the value specified by the POWER_BI_USER_NAME_REPLACE_TO_STRING setting. If not specified, no find and replace operation is performed.

POWER_BI_USER_NAME_REPLACE_TO_STRING
  Type: string | Default: _ | Required: No
  Specifies a string to replace the characters matched by the regex specified by the POWER_BI_USER_NAME_REPLACE_FROM_REGEX setting. If not specified, no find and replace operation is performed.

POWER_BI_GROUP_NAME_REPLACE_FROM_REGEX
  Type: string | Required: No
  Default: [~`$&+:;=?@#|'<>.^*()_%\\\\[\\\\]!\\\\-\\\\/\\\\\\\\{}]
  Specifies a regular expression to apply to a group name; each matching character is replaced with the value specified by the POWER_BI_GROUP_NAME_REPLACE_TO_STRING setting. If not specified, no find and replace operation is performed.

POWER_BI_GROUP_NAME_REPLACE_TO_STRING
  Type: string | Default: _ | Required: No
  Specifies a string to replace the characters matched by the regex specified by the POWER_BI_GROUP_NAME_REPLACE_FROM_REGEX setting. If not specified, no find and replace operation is performed.

POWER_BI_USER_NAME_PERSIST_CASE_SENSITIVITY
  Type: boolean | Default: false | Required: No
  Specifies whether PolicySync converts user names to lowercase when creating local users. If set to true, case is preserved.

POWER_BI_GROUP_NAME_PERSIST_CASE_SENSITIVITY
  Type: boolean | Default: false | Required: No
  Specifies whether PolicySync converts group names to lowercase when creating local groups. If set to true, case is preserved.

POWER_BI_MANAGE_USER_LIST
  Type: string | Default: (none) | Required: No
  Specifies a comma-separated list of user names for which PolicySync manages access control. You can use wildcards, and names are case-sensitive. If not specified, PolicySync manages access control for all users. If specified, POWER_BI_IGNORE_USER_LIST takes precedence over this setting. An example user list might resemble the following: user1,user2,dev_user*.

POWER_BI_MANAGE_GROUP_LIST
  Type: string | Default: (none) | Required: No
  Specifies a comma-separated list of group names for which PolicySync manages access control. If unset, access control is managed for all groups. You can use wildcards, and names are case-sensitive. An example group list might resemble the following: group1,group2,dev_group*. If specified, POWER_BI_IGNORE_GROUP_LIST takes precedence over this setting.

POWER_BI_IGNORE_USER_LIST
  Type: string | Default: (none) | Required: No
  Specifies a comma-separated list of user names that PolicySync does not provide access control for. You can use wildcards, and names are case-sensitive. If not specified, all users are subject to access control. This setting supersedes any values specified by POWER_BI_MANAGE_USER_LIST.

POWER_BI_IGNORE_GROUP_LIST
  Type: string | Default: (none) | Required: No
  Specifies a comma-separated list of group names that PolicySync does not provide access control for. You can use wildcards, and names are case-sensitive. If not specified, all groups are subject to access control. This setting supersedes any values specified by POWER_BI_MANAGE_GROUP_LIST.

POWER_BI_USER_FILTER_WITH_EMAIL
  Type: boolean | Default: false | Required: No
  Set this property to true if you want to manage only users who have an email address associated with them in the portal.

POWER_BI_MANAGE_USER_FILTERBY_GROUP
  Type: boolean | Default: false | Required: No
  Specifies whether to manage only the users that are members of the groups specified by POWER_BI_MANAGE_GROUP_LIST. The default value is false.
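An added example (not part of Privacera's connector) that applies the name-matching and name-normalization rules from Tables 51 and 52: case-sensitive wildcard manage/ignore lists where the ignore list takes precedence, the default find-and-replace regex and case rule for user and group names, and the group-membership filter. It assumes the YAML-escaped default regex shown in the table resolves to the single-backslash pattern used in the code.

```python
import re
from fnmatch import fnmatchcase

# Effective form of the default POWER_BI_*_NAME_REPLACE_FROM_REGEX once the YAML
# escaping in the table is resolved (assumption: each "\\\\" there denotes one "\").
DEFAULT_REPLACE_FROM_REGEX = re.compile(r"[~`$&+:;=?@#|'<>.^*()_%\[\]!\-\/\\{}]")
DEFAULT_REPLACE_TO_STRING = "_"


def _patterns(list_setting):
    """Split a comma-separated list setting; unset or empty means no patterns."""
    return [p.strip() for p in (list_setting or "").split(",") if p.strip()]


def is_managed(name, manage_list=None, ignore_list=None):
    """Decide whether PolicySync manages `name` (a workspace, user or group).

    Patterns are case-sensitive and may use '*' wildcards. An unset manage list
    means everything is managed, and the ignore list always wins over it.
    """
    if any(fnmatchcase(name, p) for p in _patterns(ignore_list)):
        return False
    manage = _patterns(manage_list)
    return not manage or any(fnmatchcase(name, p) for p in manage)


def normalize_principal_name(name, replace_from=DEFAULT_REPLACE_FROM_REGEX,
                             replace_to=DEFAULT_REPLACE_TO_STRING,
                             persist_case=False):
    """Apply the find-and-replace regex and then the case rule to a user or group name.

    If either the regex or the replacement string is unset, no replacement happens;
    names are lowercased unless *_PERSIST_CASE_SENSITIVITY is true.
    """
    if replace_from is not None and replace_to is not None:
        name = replace_from.sub(replace_to, name)
    return name if persist_case else name.lower()


def users_filtered_by_group(users, memberships, manage_group_list, ignore_group_list=None):
    """POWER_BI_MANAGE_USER_FILTERBY_GROUP=true: keep only users that belong to at least
    one managed group. `memberships` maps a user name to the set of its group names."""
    return [u for u in users
            if any(is_managed(g, manage_group_list, ignore_group_list)
                   for g in memberships.get(u, ()))]
```

With the defaults, the constructed name John.Doe@example.com becomes john_doe_example_com, which is the form the local user is created under unless case sensitivity is persisted.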



Access control management

Table 53. Access control management

POWER_BI_GRANT_UPDATES
  Type: boolean | Default: true | Required: No
  Specifies whether PolicySync performs grants and revokes for access control and creates, updates, and deletes queries for users, groups, and roles. The default value is true.



Access audits management

Table 54. Access audits management

POWER_BI_AUDIT_ENABLE
  Type: boolean | Default: false | Required: Yes
  Specifies whether Privacera fetches access audit data from the data source.

POWER_BI_AUDIT_INITIAL_PULL_MINUTES
  Type: integer | Default: 30 | Required: No
  Specifies the initial delay, in minutes, before PolicySync retrieves access audits from Microsoft Power BI.



Limitations

  • Roles in an Access Management resource policy are not supported.

  • Only AAD users and groups are supported in an Access Management resource policy. Local users and groups (created manually in Access Management) are not supported.