
Security

Security in the AaaS architecture is covered in multiple areas, namely:

Azure Data Lake Gen 2

ADLS Gen 2 is the storage type used for storing Parquet files. One storage account is available per environment (DEV, UAT, PROD). Within a container in the storage account there is a folder per Area, and within each Area folder there is a folder per Parquet Data Source. Data sources can be created in each of the Area folders. There is also a Shared folder, which is used for shared Dim/Fact/Views (i.e. data sources common to multiple models). A Parquet Data Source is mapped to a view or table in Oracle. Each time the data is loaded, the .parquet file is overwritten: a Full load overwrites the whole table, while an Incremental load overwrites the changed partitions and loads the new partitions.

To access these ADLS Gen 2 folders and connect to a Parquet Data Source, users with the necessary permission set must obtain a Shared Access Signature token (SAS token) to whitelist their IPs. Because this ADLS Gen 2 storage is NOT publicly available, this security measure is implemented to maintain a secured Data Lake. The SAS token gives users access to the Data Lake.

Managed Identities

Azure Managed Identity is a feature provided by Microsoft Azure that provides enhanced security for cloud applications. With Managed Identity there are no explicit credentials (such as client secrets) to manage, as there are with Service Principals. Unlike Service Principal credentials, Managed Identity credentials are renewed automatically, which removes the manual credential rotation step that can cause system downtime. Managed Identity also removes the potential exposure of credentials outside of Azure.

Managed Identity eliminates the need for developers to manage credentials by providing an identity for applications to use when connecting to resources that support Azure Active Directory (Azure AD) authentication.

Row Level Security

When a client asks for an embed token, the Power BI Embedded service reads the user identity from the OpenID Connect token and includes it in the request to create an embed token. How the identity needs to be created depends on the data source (Power BI Import mode, AAS mode, or SSAS mode, each with or without RLS).

The list below shows how an effective identity is created in the Import scenario.

For Power BI Import with RLS (ImportWithRls):

- Username - The claim of the OpenID Connect token as configured in the environment variable “usernameClaim”
- Dataset of the report
- Roles - “EmbedUser” or specific value of Role
- customData - NULL

For Power BI Import without RLS (6, ImportNoRls): Do not pass in an effective identity.
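An added example (not IFS or AaaS code) of the Import-scenario rules above: it builds the effective identity for an embed-token request from OpenID Connect claims and fails closed when the configured claim is missing. The field names follow the Power BI REST API's effective identity object; the function names, the sample claims, the dataset placeholder and the assumption that the token has already been validated are hypothetical.

```python
import os

# Mode names as they appear on the page; AAS/SSAS modes are not detailed there.
IMPORT_WITH_RLS = "ImportWithRls"
IMPORT_NO_RLS = "ImportNoRls"
DEFAULT_ROLE = "EmbedUser"

# Constructed sample claims, assumed to come from an already validated token.
SAMPLE_CLAIMS = {"sub": "0001", "preferred_username": "alice@example.com"}


def build_effective_identity(mode, claims, dataset_id, role=None, env=None):
    """Return the effective identity for the given mode, or None if none applies."""
    env = os.environ if env is None else env
    if mode == IMPORT_NO_RLS:
        return None  # Import without RLS: do not pass in an effective identity
    if mode != IMPORT_WITH_RLS:
        raise ValueError(f"mode not covered by this example: {mode!r}")
    claim_name = env.get("usernameClaim")
    if not claim_name:
        raise RuntimeError("environment variable usernameClaim is not set")
    username = claims.get(claim_name)
    if not isinstance(username, str) or not username.strip():
        # Fail closed: an RLS dataset must never be queried under an empty
        # or shared fallback identity.
        raise PermissionError(f"token has no usable {claim_name!r} claim")
    return {
        "username": username.strip(),
        "datasets": [dataset_id],         # dataset of the report
        "roles": [role or DEFAULT_ROLE],  # "EmbedUser" or a specific role
        "customData": None,               # NULL in the Import scenario
    }


def build_token_request(mode, claims, dataset_id, role=None, env=None):
    """Assemble the embed-token request body (hypothetical helper)."""
    body = {"accessLevel": "View"}
    identity = build_effective_identity(mode, claims, dataset_id, role, env)
    if identity is not None:
        body["identities"] = [identity]
    return body


if __name__ == "__main__":
    env = {"usernameClaim": "preferred_username"}
    print(build_token_request(IMPORT_WITH_RLS, SAMPLE_CLAIMS, "dataset-id-placeholder", env=env))
    print(build_token_request(IMPORT_NO_RLS, SAMPLE_CLAIMS, "dataset-id-placeholder", env=env))
```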

Read more about Row Level Security.

Shared Access Signature Token

During an Analysis Model customization process, or when creating a Model, a Shared Access Signature Token (SAS Token) is required to access the Azure Data Lake Gen 2 container and consume the .parquet files as data sources in Power BI Desktop.

Read more about SAS Token generation.

Permission Sets

Permission sets are used to grant users access to the relevant pages within IFS Cloud Web. Currently, there are three permission sets to cover:

- A system administrator (AAAS_ADMINISTRATOR),
- SAS Token generation (AAAS_DL_USER) to generate SAS Token, and
- Upload Model (AAAS_UPLOAD_USER) who can upload models

Read more about AaaS Permission sets.

Users access the reports through a lobby permission set: AAAS_USER