
Inheritance of Security from SAP BW System to Power BI Part 1

Jul 17, 2019


Data security is the prime concern for any organization in today’s era of digitization. Access to organizational data can be described by who views the data and what level of data they are allowed to view. "Who" defines the users who view the data, and "What" defines the tool that takes the data as its source for visualization.

It is important that users visualize data with the right data constraints placed via security objects. SAP BW authorization objects provide this by restricting the data at the InfoObject level. Power BI has the capability to visualize and showcase the data that is needed. In this blog we will look at how to move from the traditional, standard Power BI consumption to a more secure view of the data. Power BI by default provides RLS (Row-Level Security). When security is inherited from the SAP BW level, that default option changes: the restriction is no longer applied at the report level.

To demonstrate this, we will walk through a proof of concept that restricts the data, e.g. by region, for two users.

Let’s create two users with the authorization objects placed on them as shown below. We will consume BEx queries from the BW HANA system.

User: PBIUSER1, authorization object: ZREGION_APAC – Asia Region
User: PBIUSER2, authorization object: ZREGION_OBJ1 – United States

The Traditional Approach for Viewing Reports

In the diagram below, we first build the data source in Power BI with the SAP BW database credentials of PBIUSER1, who has the authorization object ZREGION_APAC and sees only APAC region data.

Initial Approach on Retrieving Data via Gateway Instance

Query View of Data from SAP System

After creating the report, we publish it to the Power BI Service. When we view the report there, it first needs to establish a connection with the database. This connection goes through an installed on-premises gateway. Since we are connecting to an SAP BW system, we need to create a gateway instance that connects to the SAP BW system.

Data Source Gateway Connection Instance

Now let’s enter PBIUSER2's credentials for the gateway instance. This automatically changes the database values that are returned, applying the filter that affects PBIUSER2: the report now shows only United States data and not APAC. An outside user who has access to the entire query in the BW system therefore gets only the restricted data view imposed by PBIUSER2. This does not fulfill the security constraints and is a failure. We can overcome this issue with Kerberos single sign-on, which Power BI supports.

Gateway Instance for SAP BW System

The image above explains the authentication/response process: when any user tries to open the report, Power BI first checks the user's credentials and passes them via SSO, through the Kerberos implementation, as the database credentials. We will have to sync Azure Active Directory with our local Windows Active Directory instance. Once the entire setup is done by following the link below, we can check the SSO.

https://docs.microsoft.com/en-us/power-bi/service-gateway-sso-kerberos

For a user who has access to all views, their credentials are pushed in via the SSO-enabled gateway to retrieve the entire set of data. We can enable SSO via Kerberos in the advanced settings found at the bottom of the gateway instance.

Enabling SSO via Kerberos
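
The difference between the two gateway modes can be checked with a small model. This is an added example, not code from the original post or from Power BI or SAP: the rows, the PBIADMIN user, the UPNs and the UPN-to-BW mapping (standing in for the directory sync and Kerberos delegation) are constructed assumptions.

```python
# Added example with constructed data. PBIUSER1/PBIUSER2 come from the post;
# PBIADMIN, the UPNs and the sales figures are hypothetical.
BW_AUTH = {  # regions each BW user may read via their authorization object
    "PBIUSER1": {"APAC"},
    "PBIUSER2": {"United States"},
    "PBIADMIN": {"APAC", "United States"},  # hypothetical all-access user
}
UPN_TO_BW = {  # hypothetical mapping that SSO resolves for each report viewer
    "user1@example.com": "PBIUSER1",
    "user2@example.com": "PBIUSER2",
    "admin@example.com": "PBIADMIN",
}
ROWS = [("APAC", 120), ("United States", 300)]  # constructed (region, sales)


def bw_query(bw_user):
    """Rows BW returns for this user; unknown or unmapped users get nothing."""
    allowed = BW_AUTH.get(bw_user, set())
    return [row for row in ROWS if row[0] in allowed]


def view_stored(viewer_upn, gateway_user):
    """Stored-credential mode: BW only ever sees the gateway's user."""
    return bw_query(gateway_user)


def view_sso(viewer_upn):
    """SSO mode: the query runs as the BW user mapped to the viewer."""
    return bw_query(UPN_TO_BW.get(viewer_upn))


def audit(gateway_user):
    """Per viewer: regions shown but not entitled (over) and the reverse (under)."""
    findings = {}
    for upn in UPN_TO_BW:
        shown = {r[0] for r in view_stored(upn, gateway_user)}
        entitled = {r[0] for r in view_sso(upn)}
        findings[upn] = {
            "over": sorted(shown - entitled),
            "under": sorted(entitled - shown),
        }
    return findings


if __name__ == "__main__":
    for upn, result in audit("PBIUSER2").items():
        print(upn, result)
```

With PBIUSER2 stored on the gateway, the APAC-only viewer is shown United States data they are not entitled to, and the all-access viewer loses APAC; under SSO both mismatches disappear and an unmapped viewer gets no rows.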

With the method above, Power BI lets us enforce the security and the necessary filters at the database and deliver the report each user is meant to see. For more details, please go through the link above. Whether the Kerberos method can be recommended depends on the architecture the organization follows. The organization's architecture needs to be reviewed first in order to determine the best way to enable SSO.

Source:

https://docs.microsoft.com/en-us/power-bi/service-gateway-sso-kerberos

https://docs.microsoft.com/en-us/power-bi/desktop-use-directquery


Copyright © Visual BI Solutions Inc.
