Power BI connector for PolicySync
This section covers how to enable and configure the Privacera Power BI connector for fine-grained workspace access control in Power BI running in Azure. You can set permissions in a Privacera policy depending on the workspace roles: Admin, Member, Contributor, Viewer. Only users and groups from the Azure Active Directory are allowed in Azure Power BI.
Generalized approach for implementing PolicySync
To help you reach compliance, Privacera PolicySync distributes your defined access management policies to the third-party datasources you connect to Privacera.
Use this generalized approach for implementing PolicySync.
Understand how PolicySync works and how it is configured. See PolicySync design and configuration on Privacera.
Decide which PolicySync topology best suits your needs. See PolicySync design and configuration on Privacera.
Create the required, basic PolicySync configuration. See Required basic PolicySync topology: always at least one connector instance.
Examine the BASIC and ADVANCED properties, decide which features you want to implement, and set the necessary values in the .YAML property file.
Connector name: powerbi
When you create the connector as detailed in PolicySync design and configuration on Privacera, use the following reserved word for the name of the connector:
powerbi
In the formal syntax shown in Connector instance directory/file structure, replace <ConnectorName> with powerbi. In the example in Required basic PolicySync topology: always at least one connector instance, replace postgres with powerbi.
Prerequisites
Ensure that the following prerequisites are met:
Create a service principal and application secret for Power BI, and get the following information from the Azure Portal. For more information, refer to the Microsoft Azure documentation.
Application (client) ID
Directory (tenant) ID
Client Secret
Create a group and assign the Power BI application you created to it. This is required because the Power BI Admin API allows only the service principal to be an Azure AD Group.
Follow the steps in the link given above, and configure the following to create a group and add Power BI as a member:
On the New Group dialog, select security in the Group type, and then add the required group details. Click Create.
On the +Add members dialog, select your Power BI application.
Configure Power BI Tenant to allow Power BI service principals to read the REST API.
Follow the steps in the link given above and configure the following:
In the Developer settings, enable Allow service principals to use Power BI APIs.
Select Specific security groups (Recommended), and then add the Power BI group you created above.
In the Admin API Settings, enable Allow service principals to use read-only Power BI admin APIs (Preview). For more information, see the Microsoft Azure documentation.
Select Specific security groups, and then add the Power BI group you created above.
Enable Privacera UserSync for AAD to pull the groups attribute ID via the AZURE_AD_ATTRIBUTE_GROUPNAME property described in AAD UserSync connector properties.
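The service principal and tenant-setting prerequisites above can be verified before the connector is started. The following pre-flight check is an added example, not Privacera code: it requests a client-credentials token from Azure AD and makes one read-only Power BI admin API call. The environment variable names (PBI_TENANT_ID, PBI_CLIENT_ID, PBI_CLIENT_SECRET) are hypothetical, and the status-to-cause mapping is deliberately coarse.

```python
import json
import os
import urllib.error
import urllib.parse
import urllib.request
import uuid

SCOPE = "https://analysis.windows.net/powerbi/api/.default"
ADMIN_PROBE_URL = "https://api.powerbi.com/v1.0/myorg/admin/groups?$top=1"

def build_token_request(tenant_id, client_id, client_secret):
    """Client-credentials token request for the service principal."""
    uuid.UUID(tenant_id)  # raises ValueError if the ID is not a GUID
    uuid.UUID(client_id)
    form = {"grant_type": "client_credentials", "client_id": client_id,
            "client_secret": client_secret, "scope": SCOPE}
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    return urllib.request.Request(
        url, data=urllib.parse.urlencode(form).encode(), method="POST")

def build_admin_probe(access_token):
    """Read-only admin API call that lists at most one workspace."""
    return urllib.request.Request(
        ADMIN_PROBE_URL, headers={"Authorization": f"Bearer {access_token}"})

def diagnose(status):
    """Map the probe's HTTP status to the prerequisite to re-check."""
    if status == 200:
        return "ok: service principal can read the admin API"
    if status in (401, 403):
        return "denied: re-check tenant settings and security group membership"
    return f"unexpected HTTP {status}"

def run_check(env=os.environ):
    # Hypothetical variable names; the secret is never printed or logged.
    req = build_token_request(
        env["PBI_TENANT_ID"], env["PBI_CLIENT_ID"], env["PBI_CLIENT_SECRET"])
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            token = json.load(resp)["access_token"]
    except urllib.error.HTTPError as err:
        return f"token request failed (HTTP {err.code}): re-check IDs and secret"
    try:
        with urllib.request.urlopen(build_admin_probe(token), timeout=30) as resp:
            return diagnose(resp.status)
    except urllib.error.HTTPError as err:
        return diagnose(err.code)

if __name__ == "__main__":
    print(run_check())
```

Run it from the host that will run the connector, so that outbound access to both endpoints is tested as well.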