In the Data Policy features: Accessing data when file level permission is granted - Microsoft Tech Community blog, we looked at how users can work with files when file level access is granted. This b...
Scenario: A user wants to load the file "example.csv" in Power BI. Ex:
Self-service policies:
If the user has only policy "2":
When the user tries to load the file in Power BI Desktop, it fails with (403) Forbidden. This happens because the policy does not provide "Execute" permission for the full path up to this asset.
In this scenario, if the user tries the "Open in PowerBI Desktop" button from Purview (see first screenshot), it works!
If the user has policies "1" + "2":
This time the user can read the full container. Now, connecting Power BI to example.csv works fine:
Suggestion: When a user asks for READ access to an asset, "Execute" permission should be automatically assigned for the full path, plus "Read" on the asset.
Otherwise, in the scenario presented above, the user will be able to read everything in the container "policy", not only example.csv.
The issue is not self-service related. It has to do with granting execute permission on the path. We deal with Blob Store + ADLS Gen2 for the same file in storage. Execute comes into the picture for ADLS Gen2. 'Execute' is not a valid action so far in our roles.
'Execute' permission is to be managed through POSIX ACLs. It is not governed by RBAC or Purview ABAC, and there is no corresponding data action for it.
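The traversal rule behind the 403 above, as an added example that is not part of the original post: a simplified Python model of ADLS Gen2 POSIX ACL checks, generalised to nested paths. The user name, the sibling file and the helper functions are hypothetical, and only named-user ACL entries are modelled (no owner, group, mask, "other", RBAC or Purview grants).

```python
# Simplified model of ADLS Gen2 POSIX-style ACL evaluation for reading one file.
# Assumption: only named-user ACL entries are modelled; owner, group, mask,
# "other" entries and RBAC/Purview policy grants are deliberately left out.
from pathlib import PurePosixPath

def ancestors(path):
    """Return every directory from the container root down to the file's parent."""
    return [str(a) for a in list(PurePosixPath(path).parents)[::-1]]

def check_read(acls, user, path):
    """Return (allowed, reason) for `user` reading the file at `path`.

    acls maps path -> {user: "rwx"-style string}. Traversal needs 'x' on
    every ancestor directory; the file itself needs 'r'.
    """
    for directory in ancestors(path):
        if "x" not in acls.get(directory, {}).get(user, "---"):
            return False, f"403: no execute on {directory}"
    if "r" not in acls.get(path, {}).get(user, "---"):
        return False, f"403: no read on {path}"
    return True, "200"

def least_privilege_entries(user, path):
    """Entries the suggestion above implies: --x on the path, r-- on the asset."""
    entries = {d: {user: "--x"} for d in ancestors(path)}
    entries[path] = {user: "r--"}
    return entries

# Constructed sample data: the container root "/" holds example.csv plus a
# hypothetical sibling file that the user never asked for.
TARGET, SIBLING, USER = "/example.csv", "/other.csv", "user-a"

# Read on the file only, with nothing on the path (the 403 case).
read_on_file_only = {TARGET: {USER: "r--"}}
# A container-wide read grant, expressed in this model as 'r' on every file.
container_wide = {"/": {USER: "r-x"}, TARGET: {USER: "r--"}, SIBLING: {USER: "r--"}}
# Execute on the path plus read on the one asset.
scoped = least_privilege_entries(USER, TARGET)

if __name__ == "__main__":
    for name, acls in [("file only", read_on_file_only),
                       ("container-wide", container_wide),
                       ("scoped", scoped)]:
        print(name, check_read(acls, USER, TARGET), check_read(acls, USER, SIBLING))
```

Only the scoped set lets the user read example.csv while the sibling file stays denied; the container-wide set opens both.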
The data lake file has the right permissions, but it is important to note that there is another component here, which is Purview. The problem is not that it does not work with Power BI; it does, but not when connecting from scratch using the data lake connector. Below are the working scenarios:
If we download the pbix from the Purview file site, the pbix is downloaded with the M query already set. This works. If we also copy this M query into another pbix by creating a connection using a blank query, it works. Below is the M query:
let
    Source = AzureStorage.DataLakeContents("https://purviewpolicy.dfs.core.windows.net/policy/example.csv"),
    #"Imported CSV" = Csv.Document(Source,[Delimiter=",", Columns=3, Encoding=1252, QuoteStyle=QuoteStyle.None]),
    #"Changed Type" = Table.TransformColumnTypes(#"Imported CSV",{{"Column1", type text}, {"Column2", type text}, {"Column3", type text}})
in
    #"Changed Type"
If we try a simpler M query and create a connection from blank query, it works. Below the M