Data security is a prime concern for any organization in today's era of digitization. Access to organizational data can be described along two dimensions: who views the data, and how much of the data they are allowed to see. "Who" defines the users who view the data; "what" defines the tool that takes the data as its source for visualization.
It is important that users visualize data with the right data constraints placed via security objects. SAP BW authorization objects provide this feature by restricting data at the InfoObject level. Power BI has the capability to visualize and showcase the data that is needed. In this blog we will try to understand how to change the approach from traditional standard Power BI consumption to a more secure view of the data. Power BI by default provides RLS (Row-Level Security). When security is inherited from the SAP BW level, that default no longer applies: the restriction comes from BW and not from the report level.
To demonstrate this, we will guide you through a proof of concept that restricts the data, e.g. by region, for two users.
Let's create two users with the authorization objects placed on them as shown below. We will consume BEx queries from the BW HANA system.
|User|Authorization object – region|
|---|---|
|PBIUSER1|ZREGION_APAC – Asia Region|
|PBIUSER2|ZREGION_OBJ1 – United States|
The Traditional Approach for Viewing Reports
In the below diagram, initially, in Power BI we build the data source with the SAP BW database credentials of PBIUSER1, who has the authorization object ZREGION_APAC and therefore views only APAC region data.
After creating the report, we publish it to the Power BI Service. When we try to view this report again, it first needs to establish a connection with the database. This connection goes through an installed on-premises gateway. Since we are connecting to an SAP BW system, we will need to create an instance on the gateway to connect with the SAP BW system.
Now let's key in the credentials for the gateway instance as PBIUSER2. This automatically changes the data returned from the database, which is now filtered according to PBIUSER2's authorization. PBIUSER2 will only be able to see United States data and not APAC. Any other user, even one who has access to the entire query in the BW system, gets only the restricted data view imposed by PBIUSER2. This does not fulfill the security constraints and is a failure. We can overcome this issue with Kerberos single sign-on, which Power BI supports.
The image above explains the authentication/response process: when any user tries to open the report, Power BI first checks the user's credentials and passes them via SSO to the database through the Kerberos implementation. We will have to sync Azure Active Directory with our local Windows Active Directory instance. Once the entire setup is done following the link provided below, we can check the SSO.
For a user who has full view access, their credentials are passed through the SSO-enabled gateway to retrieve the entire set of data. We can enable SSO via Kerberos in the advanced settings found at the bottom of the gateway instance.
With the above method, Power BI lets us enforce the security and the necessary filters at the database and deliver the report to each user as needed. For more details please go through the above link. Whether the Kerberos method can be used depends on the architecture the organization follows. The organization's architecture needs to be reviewed first in order to determine the best way to enable SSO.
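The difference between the two gateway modes comes down to which BW identity the query runs under. The following is an added example, not Power BI or SAP BW code: a small Python model in which the `PBIADMIN` user, the sign-in names, the region labels and the sales figures are all constructed assumptions.

```python
# Constructed model of the identity the gateway presents to SAP BW.
# BW authorization objects: the regions each BW user may read.
BW_AUTH = {
    "PBIUSER1": {"APAC"},                    # ZREGION_APAC
    "PBIUSER2": {"United States"},           # ZREGION_OBJ1
    "PBIADMIN": {"APAC", "United States"},   # hypothetical full-access user
}

# Constructed query result rows.
ROWS = [
    {"region": "APAC", "sales": 120},
    {"region": "United States", "sales": 340},
]

# Hypothetical mapping from Power BI sign-in name to BW user, as resolved by SSO.
UPN_TO_BW = {
    "user1@example.com": "PBIUSER1",
    "user2@example.com": "PBIUSER2",
    "admin@example.com": "PBIADMIN",
}

def bw_query(bw_user):
    """Return the rows BW releases for bw_user under its authorization object."""
    if bw_user not in BW_AUTH:
        raise PermissionError(f"no BW authorization for {bw_user!r}")
    return [r for r in ROWS if r["region"] in BW_AUTH[bw_user]]

def view_report(viewer_upn, stored_bw_user=None, sso=False):
    """Pick the BW identity the gateway uses for this viewer, then query."""
    if sso:
        # SSO: the viewer's own identity is delegated to BW.
        bw_user = UPN_TO_BW.get(viewer_upn)
        if bw_user is None:
            raise PermissionError(f"{viewer_upn} maps to no BW user")
    else:
        # Stored credentials: every viewer runs as the same BW user.
        bw_user = stored_bw_user
    return bw_query(bw_user)

def regions(rows):
    """Sorted region names in a result set, for easy comparison."""
    return sorted(r["region"] for r in rows)

if __name__ == "__main__":
    for upn in UPN_TO_BW:
        stored = regions(view_report(upn, stored_bw_user="PBIUSER2"))
        delegated = regions(view_report(upn, sso=True))
        print(f"{upn:20} stored={stored} sso={delegated}")
```

With stored credentials every viewer receives PBIUSER2's view; with SSO each viewer receives the view of their own BW user, and a sign-in with no BW mapping is refused.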