microsoft / powerbi-data-access-auditing Goto Github PK

Clicking Refresh Data via the web app does not result in the report data being loaded.

Observation

The message to refresh data is being placed into the "app-trigger-queue" queue but the PowerBiDataSetProcessor_QueueStart function is triggered on a queue named "app-trigger-data-refresh"

We need the ability to control the size of the audit payload and the amount of data displayed at anyone point in time. Therefore, we need to implement the ability to "throttle" individual data requests. Suggested is to scan each data request and modify it to ensure that the number of records selected is below a configurable limit.

• Create and implement automated process to analyze the new data coming from #4 and auto populate / update the configuration datastore for the auditing web application
• Content to be part of the Auditing application is to be identified based on workspace & report naming conventions
• Check that no "auditable" reports have been given access in power bi service (only the Audit app service principal should be given access)

• Implement appropriate datastore
• Implement front end screens to allow administrators to update the configuration within the datastore.

The post-capture JSON processing routines will only support certain types of data request. Therefore we need to scan for non-supported data request types and block these from being passed through to the PBI service.

• Should notify the end user via email that their request is blocked.

The application needs to be upgraded to support a security model with the following features:

• Must allow for various AAD groups to be granted or denied access to each report
• This should be added to the model contained in the structure of the "reports" section of the appsettings.json
• Security model should map users to an "effectiveuser". Effectiveuser will be passed through to PowerBi and used in Row Level Security.

Current "Report" model in appsettings.json:

"Reports": [{
                "UniqueId": 1,
                "DisplayLevel": 1,
                "DisplayName": "Offenders Report",
                "WorkspaceId": "{SampleWorkSpaceId}",
                "Description": "This is the offender report",
                "ReportId": "{SampleReportId1}",
                "DrillThroughReports": [2],
                "RequiredParameters": [],
                "PaginationTable": "",
                "PaginationColumn": ""
            },
            {
                "UniqueId": 2,
                "DisplayLevel": 2,
                "DisplayName": "Offender PII Report",
                "WorkspaceId": "{SampleWorkSpaceId}",
                "ReportId": "{SampleReportId2}",
                "Description": "This is the offender PII report",
                "DrillThroughReports": [],
                "RequiredParameters": ["OffenderId"]
            },
            {
                "UniqueId": 3,
                "DisplayLevel": 1,
                "DisplayName": "Offenders Report 2",
                "WorkspaceId": "{SampleWorkSpaceId}",
                "Description": "This is the offender report",
                "ReportId": "{SampleReportId1}",
                "DrillThroughReports": [2],
                "PaginationTable": "",
                "PaginationColumn": ""
            },
            {
                "UniqueId": 3,
                "DisplayLevel": 1,
                "DisplayName": "Offenders Report 3",
                "WorkspaceId": "{SampleWorkSpaceId}",
                "Description": "This is the offender report",
                "ReportId": "{SampleReportId1}",
                "DrillThroughReports": [2],
                "PaginationTable": "",
                "PaginationColumn": ""
            }
        ]

• Must be decoupled from audit capture process
• Must at a minimum decompress data sets and "flatten" multidimensional results into a tabular form
• Support for max of 5 data request types at this stage
• Must be built to scale out and handle large number of audit files
• Must provide email alert on failure

This looks amazing.

Is any part of this relevant to orgs using Report Server?

Download of Power Bi metadata & telemetry from the Power BI Admin API to Azure Storage:

• Must provide list of all power bi reports in tenant
• Must provide list of all power bi datasets in tenant
• Must provide list of all power bi workspaces in tenant
• Must provide list of all power bi dashboards in tenant
• Must provide list of all power bi dataflows in tenant
• Must allow for incremental & full load
• Must provide history of all usage activity available from the power bi admin api (eg Report Views etc) .