Microsoft Power BI
    • 01 Sep 2024

    For SaaS Authorization Management, PlainID offers an Authorizer integration pattern for this third-party vendor. For more information, see SaaS Authorization Management.


    <Early Access Feature>

    Power BI enables enterprises to create, share and consume business information (BI), providing visual representations of that data. Power BI can create, share and manage cloud-based data sources, granting or denying access permissions based on roles.

    The SaaS Authorization Management feature enables Power BI users to simplify and centralize authorization policies to deliver fine-grained authorization. It provides Policy Management for the Role Level Security (RLS) by filtering tables to determine what each user can access. Also translated are DAX, tables, groups and users. The Policy ID is automatically generated, as is the Policy Name. By default, the Policy access type is Allow.

    The goal of the SaaS Authorization Management flow is to ensure that different authorization and access policies are implemented, enforced and coordinated effectively to achieve the desired security controls while maintaining consistency and avoiding conflicts.

    Power BI Authorizer Workflow

    Steps in the Workflow

    Learn Mode

    The Learn Mode begins the process of working with the Power BI Authorizer. The Learn Mode includes defining the integration parameters between the SaaS Authorization Management and Power BI, the Discover process, and the mapping and display of the results within the Platform.

    1. CONNECT: The first step in integrating the SaaS Authorization Management with Power BI is to define the connection parameters. This is done by creating a Policy Orchestration Point (POP) to work with Power BI (see Managing a Power BI Policy Orchestration Point) and simply adding the relevant credentials.
    2. DISCOVER and MAP: Once the POP has been created, the Platform will automatically initiate a discovery process. During this process, the Platform identifies the datasets, databases, Roles, RLS, etc. and maps the discovered objects to Policy elements and Building Blocks. For example, included in the discovery and mapping stages is the creation of Asset Templates, Identity Templates, Attributes and more.
    3. DISPLAY: All of the discovered objects are displayed in the Orchestration Workspace (as well as the Identity and Authorization Workspaces) to provide visibility in the Platform for what is being managed by the Power BI Authorizer.

    Manage Mode

    Once the Learn Mode is complete, it is possible to begin using the Power BI Authorizer in Manage Mode. The Manage Mode allows you to update existing Policies, create new Policies that can then be deployed back to Power BI for enforcement, delete Policies, and so on.

    The Manage Mode includes:

    Manage: Create, update, and delete Policies for Power BI.
    Enforce: Enforce access in Power BI based on managed Policies in the Platform.
    Monitor: Continue ongoing monitoring to identify any changes in the Power BI environment and alert on any changes made in the Platform by showing a discrepancy between the Suggested Policy (in the Platform) and the Deployed Policy (in Power BI).
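
The Monitor step compares the Suggested Policy with the Deployed Policy. The sketch below is an added example, not PlainID or Power BI code, showing what such a comparison has to check per role: the DAX filter on each table and the groups assigned. The dict layout, role names, group names and finding labels are assumptions made up for the illustration.

```python
# Constructed sample data; the dict layout is an assumption, not a PlainID or Power BI format.
SUGGESTED = {
    "SalesEMEA": {"filters": {"Sales": '[Region] = "EMEA"'}, "groups": {"grp-sales-emea"}},
    "Finance": {"filters": {"Ledger": '[Dept] = "FIN"'}, "groups": {"grp-finance"}},
}
DEPLOYED = {
    "SalesEMEA": {"filters": {"Sales": "TRUE()"},
                  "groups": {"grp-sales-emea", "grp-contractors"}},
    "Legacy": {"filters": {}, "groups": {"grp-all-staff"}},
}


def diff_policies(suggested, deployed):
    """Return (role, kind, detail) findings ordered by role; empty means no discrepancy."""
    findings = []
    for role in sorted(set(suggested) | set(deployed)):
        s, d = suggested.get(role), deployed.get(role)
        if d is None:
            findings.append((role, "missing_role", "only in suggested policy"))
            continue
        if s is None:
            findings.append((role, "unmanaged_role", "only in deployed policy"))
            continue
        for table in sorted(set(s["filters"]) | set(d["filters"])):
            sf, df = s["filters"].get(table), d["filters"].get(table)
            if df is None:
                # The deployed role lacks a filter that the suggested policy defines.
                findings.append((role, "filter_removed", table))
            elif sf is None:
                findings.append((role, "filter_added", table))
            elif sf.strip() != df.strip():
                # Exact comparison on purpose: whitespace inside a DAX string literal matters.
                findings.append((role, "filter_changed", table))
        for kind, groups in (("groups_added", d["groups"] - s["groups"]),
                             ("groups_removed", s["groups"] - d["groups"])):
            if groups:
                findings.append((role, kind, ",".join(sorted(groups))))
    return findings


if __name__ == "__main__":
    for finding in diff_policies(SUGGESTED, DEPLOYED):
        print(*finding, sep="\t")
```

A `filter_changed` finding where the deployed expression is `TRUE()` and a `groups_added` finding on the same role are the cases to review first, since both widen access relative to the suggested policy.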

    Mapping Power BI Objects

    During the Discovery Process, the following Power BI objects are mapped to Platform objects:

    | Power BI Object | Mapped Platform Object |
    |---|---|
    | Role | During the discovery, Roles become Policies, connecting Identities to Assets. |
    | Table | During the discovery, tables are translated into Assets. |
    | DAX* | During the discovery, DAX expressions are translated into Rulesets. |
    | Group | During the discovery, groups are translated into Identity Attributes. |

    * DAX is the language used to define access filters on the datasets in Power BI.

    For more information, see Power BI Policies and Objects.
