Security trim Project data in #ProjectOnline #PowerBI reports #PPM #Odata #REST #BI

December 9, 2016 at 1:29 pm | Posted in Add-on, Administration, Configuration, Customisation, Functionality, Information, Reporting | 5 Comments
Tags: , , , , , , ,

The reporting API for Microsoft’s PPM solution – Project Online doesn’t filter the data based on the access model in PWA. For some organisations this can be problematic. In this blog post I show a simple report example to filter only projects and project milestones that I have access to in PWA.

In this example I have a very simple Power BI Report that is only using ODATA (_api/ProjectData), the Projects resource path to populate the Projects slicer / filter and the Tasks resource path to populate the Milestones for the selected Project:

image

I have access to a long list of projects (see the scroll bar on the slicer). Using the Audit Tracking project as an example, I can currently see this project in PWA as shown below:

image

I will change the access model so I get access denied to this project:

image

I only see these 6 projects projects in an unfiltered Project Center view:

image

Yet if I refresh my Power BI report I still see the full list as expected (the ODATA reporting API is not data security trimmed, you either access all data or none). One option is to use the REST (_api/ProjectServer) to filter the datasets that use the ODATA API as the source. The REST API is security trimmed to only show the data you have access to based on the access model in PWA. For example, I will get the list of Projects from REST to populate the Projects slicer / filter in Power BI, this only shows the projects I have access to in PWA. I have added a new data source to my simple Power BI report for the REST API:

image

The join is then set up on Id from the Projects REST dataset to the ProjectId in the Milestones OData dataset:

image

I now switch my slicer / filter to use the Projects – REST dataset

image

As you can see the list of projects matches what I see in the Project Center but there is a also a blank option there. The blank value is for rows it can’t join with on the Milestone ODATA dataset, these are the projects I no longer have permission to access in PWA! To resolve this, select the page and add a report level filter like below where Name is not blank:

image

This report filter will not show any blank values for the Name field on any visualisation in the report:

image

The blank value is now removed. My data is now security trimmed to match what I have access to in PWA! Obviously if you know what you are doing you can just undo all of this and see all data but for some it might be a workable solution! You can do the same with Resources too.

Advertisements

5 Comments »

RSS feed for comments on this post. TrackBack URI

  1. It’s also possible to merge the two queries you have made, and in the query editor, filter on the REST query’s column to show only those with values, that way the whole report is filtered at the query stage.

    This makes the dataset more secure – so that if someone made their own report from the dataset, they wouldn’t be able to see non-permissioned projects.

    Great article and useful as ever!

    • Thanks Daniel – yes that is the other option and part two for this blog post that I started on Friday after publishing this one. I hope to get that published this week or even later today!

      • Ah! Sorry for the spoiler!!

      • No problem!


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Blog at WordPress.com.
Entries and comments feeds.

%d bloggers like this: