Technical questions
PreviousI don't have an Azure account to contract the capacityNextHow does Power Embedded work internally?
Last updated
Last updated
The internal workings of Power Embedded for displaying reports are described below:
1) Power Embedded checks if the logged in user can access the report and sends the data to apply the RLS (if any).
2) Power Embedded authenticates to the Azure API and retrieves a token for authentication
3) Power Embedded sends the necessary metadata to the Power BI APIs (Workspace, Report and Dataset IDs)
4) Power BI API loads the data that is stored in the workspaces and the report
5) Power BI API assembles the iframe element pointing to the ready-made report and returns it to the system
6) Power Embedded displays the returned iframe to the user. NO report data is read, accessed, stored or trafficked by the system's servers
The internal workings for importing Power BI reports into Power Embedded are described below:
1) Power Embedded interacts with the Power BI API's
2) API returns the metadata required for display (Workspace, Report and Dataset IDs)
3) Power Embedded stores the returned metadata
4) Administrator manages permissions, RLS, folder structure and other report attributes
5) NO personal data is stored by Power Embedded, only the users' email and name.
6) NO report data is stored or travels over the network, or through Power Embedded's servers.
Power Embedded's internal security is extremely robust and the system uses an entire architecture based on self-managed SaaS resources in Azure, where management is done by Microsoft, automatic backups and high availability of the application and database by availability zones with automatic failover and guaranteed availability of 99.99%.
The system is subjected to various complex pentests on a regular basis, both automatic ones carried out by pentest tools and manual validations and tests carried out by security specialists from contracted companies.
The entire cloud environment is protected by Microsoft Defender for Cloud, which provides proactive and continuous protection, analysis and recommendations.
Access to Azure resources is blocked to the internet and only accessible via VPN.
Communication between the system and the browser is encrypted using SSL certificates (HTTPS).
The Power BI access key is stored in the database encrypted using the most secure algorithm on the market (RSA-OEAP) and various protection mechanisms to ensure that even in the event of improper access to the database, this key cannot be decoded, since access to the security key for decryption (which is individual per client) is stored in an Azure KeyVault where only the application has permission and connectivity to access.
The public API key is encrypted using a HASH algorithm that does not allow recovery of the generated value, just like the secret of a KeyVault.
The process of embedding the reports in the system does not require loading or reading any data from our clients.
All the data is stored on the Power BI servers themselves, in a dataset published in a workspace, and the system simply uses the Power BI API to render the report (also published in the workspace) within the system.
So we don't read or collect any information, we just make an HTTP call to the Power BI API, which reads the data and displays it on the screen.
The only company data that is stored are the names and emails of the users registered in the system, to manage access.
In terms of security, all Power Embedded communication is encrypted end-to-end, using SSL and HTTPS security, as well as Azure Firewall and various Azure security mechanisms.
Although the 3 options allow you to embed reports in websites, sharepoint, e-mail, teams, etc., they are quite different.
This is a license per capacity, which allows you to view reports securely, with permissions, RLS, OLS, access audits, IP blocks, etc., through an application, without the need for the viewer to have a Power BI license, and to control all the visuals, colors, themes, pages and components of the reports using programming language.
This is a way of sharing reports on websites, applications, sharepoint, teams, etc. securely, while maintaining all Power BI security controls, such as permissions, RLS, OLS and access audits.
Unlike Embedded, in this sharing mode, all users who will access the report need to have a Pro or PPU license (or Premium capacity).
In addition, you can NOT control the elements of the report via programming language to dynamically create/edit visuals, change themes, create/delete pages, etc...
This is a way of sharing reports for free, without the person viewing them needing to have a Power BI account or license. It works very well when you need to share reports that contain public data, i.e. there is no concern about data leakage.
Unlike Embedded, in “Publish to Web” there is no security: anyone who has access to the report link will view it, without any user-level control, such as RLS or OLS, there is no need for the viewer to be registered in any application and there is no audit to know who is viewing the report. Anyone can be viewing your company's data and you won't know who.
What's more, as has already been widely publicized on the Internet, all reports published in this way can be accessed through simple Google queries, even if the link has never been published anywhere.
Even if you try to block access by using a password to open the portal, this type of mechanism is easily broken in a few seconds using the browser's Developer Tools option and the person will have unrestricted access to the data published in the report.
The process of importing and publishing reports in Power Embedded is practically the same as in the traditional Power BI service:Comment
User opens Power BI Desktop and creates the report.Comment
User publishes the report in the desired workspace.Comment
Power Embedded administrator imports the report from the Power BI workspace into the system.
Power Embedded administrator assigns permissions via group or individual user.
Power Embedded administrator defines the RLS rules for the dataset (if any).
User accesses the report via the Power Embedded Visualization Portal.
Power Embedded is a very dynamic system, and our team is always attentive to our customers' requests and needs, as well as to new features made available by Microsoft.
We have a very fast development and deployment time, which allows us to carry out 2 to 5 updates of improvements and new features per week.
Whenever a feature or improvement is implemented, we automatically apply it and make it available free of charge to all our clients.
If you request a change to Power Embedded and the customization cannot be applied to other customers and will be restricted to your company only, we will schedule a meeting with your team to better understand your needs and we will send you a commercial proposal to implement this customization in the system.
If your suggestion/idea can be applied to other clients, there is no charge for development.
