Day: February 23, 2016

Power BI Enterprise Gateway and SSAS – What Account Should You Use?

With the release of the Power BI Gateway, it is now possible to publish specific data sources for the entire organization. The gateway works in both live connect (data stored on premises) and refresh (cached data stored in the Power BI service) scenarios. A variety of data sources are supported by the gateway, including SQL Server Analysis Services (SSAS).

SSAS was previously supported by the SSAS connector, which has now been deprecated in favour of the Enterprise Gateway. This certainly reduces complexity and makes the setup easier to understand, but it does raise one particular concern around data security which you should be aware of.

When a data source is published, credentials are provided that the gateway will use to connect to the data source. All users that use the published data source will connect to it with those credentials. This proxy account will be used for all users and should therefore be a least privilege account – it should have no more access to data than needed. However, there is one data source that notably does not work this way – SSAS.

SSAS employs the EffectiveUserName feature to provide fine grained permissions to data in the model. With EffectiveUserName, the proxy account is used only to establish the initial connection to the SSAS server, and all queries are executed with the permissions of the consuming user, allowing the data to be security trimmed.

However, in order to use EffectiveUserName, the proxy account needs the highest permission level within Analysis Services: Administrator. This is the exact opposite of the account criteria for all other data sources. It is important to understand these criteria in order not to unwittingly open up data to the wrong audience. If an admin-level account were used as the proxy for a SQL Server data source, potentially sensitive data could be exposed to the wrong users.
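One way to confirm that security trimming actually happens is to connect the way the gateway does and compare what two different users get back. This is an added example, not code from the original post: it assumes the ADOMD.NET client is installed, that it is run under an account that is an SSAS server administrator, and the server, database, table and user names are placeholders.

```powershell
# Added example. Run as an account that is an SSAS server administrator,
# i.e. the same kind of account the gateway data source is configured with.
# Requires the ADOMD.NET client library to be installed on this machine.
[void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.AnalysisServices.AdomdClient')

function Get-RowCountAsUser {
    param(
        [Parameter(Mandatory)] [string] $Server,
        [Parameter(Mandatory)] [string] $Database,
        [Parameter(Mandatory)] [string] $EffectiveUser,  # DOMAIN\user of the consuming user
        [Parameter(Mandatory)] [string] $DaxQuery
    )
    # The connection is opened with the caller's (admin) Windows identity;
    # EffectiveUserName makes SSAS evaluate role security as $EffectiveUser.
    $connStr = "Data Source=$Server;Initial Catalog=$Database;EffectiveUserName=$EffectiveUser"
    $conn = New-Object Microsoft.AnalysisServices.AdomdClient.AdomdConnection($connStr)
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $DaxQuery
        $reader = $cmd.ExecuteReader()
        $rows = 0
        while ($reader.Read()) { $rows++ }
        $reader.Close()
        return $rows
    }
    finally {
        $conn.Dispose()
    }
}

# Placeholder values (assumptions): replace with your own server, model and users.
$server   = 'SSAS01'
$database = 'SalesModel'
$query    = "EVALUATE 'Sales'"          # hypothetical table protected by role row filters
$users    = 'CONTOSO\alice', 'CONTOSO\bob'

foreach ($u in $users) {
    try {
        $n = Get-RowCountAsUser -Server $server -Database $database -EffectiveUser $u -DaxQuery $query
        "{0,-20} rows visible: {1}" -f $u, $n
    }
    catch {
        # A user with no role membership in the model is denied rather than shown everything.
        "{0,-20} denied: {1}" -f $u, $_.Exception.Message
    }
}
```

If every user returns the same full row count, the model's roles are not restricting data, and the admin-level gateway account is the only thing standing between those users and the whole model.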

In a nutshell, the thing to remember is simply to always use a least privilege account for all data sources except for SSAS, which needs an admin level account.
