Security Best Practices
DataCentral is designed with security at its core, leveraging Microsoft Entra ID and Power BI's robust isolation mechanisms. However, the ultimate security of your data depends on how you configure and manage your Tenant.
This guide outlines the best practices for securing your DataCentral environment.
1. Identity and Authentication
The strongest defense against unauthorized access is a robust identity strategy.
- Enforce Entra ID (Azure AD): Whenever possible, require all internal employees and external partners to log in using their Microsoft credentials. This allows you to leverage your organization's existing Conditional Access policies.
- Mandate Multi-Factor Authentication (MFA): If you use Entra ID, ensure MFA is enforced for all users accessing DataCentral. If you must use User Pass (local credentials), strongly consider limiting those accounts to non-sensitive reports or enforcing IP restrictions.
- Disable Unused Login Methods: If your Tenant only uses Entra ID, disable the User Pass and Mobile ID authentication options in your Tenant Settings to reduce the attack surface.
2. Role-Based Access Control (RBAC)
Implement the principle of least privilege when assigning roles.
- Use Organizational Units (OUs): Instead of assigning roles to individual users, map Entra ID security groups to DataCentral OUs, and assign roles to the OUs. This ensures that when an employee leaves the company or changes departments, their DataCentral access is automatically updated via the Entra ID sync.
- Audit Role Assignments: Regularly review your Report Roles and RLS Roles to ensure they grant only the necessary access. Remove users or OUs that no longer require access to specific Workspaces or reports.
- Limit Tenant Administrators: Only grant the Tenant Administrator role to users who absolutely require it to manage the platform. The vast majority of users should only have Report Viewer roles.
3. Row-Level Security (RLS)
RLS is critical for multi-tenant or highly sensitive data models.
- Implement Smart RLS: For complex organizational hierarchies, use DataCentral's Smart RLS feature to dynamically filter data based on a user's position in the OU tree, rather than managing hundreds of static RLS roles.
- Test RLS Thoroughly: Before rolling out a new report, log in as a test user with specific RLS roles to verify that the data is filtered correctly and no sensitive information is leaked.
- Avoid "Catch-All" Roles: Be extremely careful when creating RLS roles that grant access to all data (e.g., a "Global View" role). Ensure these are only assigned to authorized executives or auditors.
4. Managing External Sharing
DataCentral makes it easy to share data externally, but this must be done securely.
- Use Secure Links over Report Keys: When sharing static exports, always use Secure Links (which require authentication and enforce RLS) rather than downloading a PDF and emailing it.
- Treat Report Keys like Passwords: If you generate a Report Key for a public dashboard or digital signage, treat that URL as a sensitive credential. Do not post it in public forums or unsecured documents.
- Set Expiration Dates: When generating Report Keys or Secure Links for temporary access, always set an expiration date so the access is automatically revoked when no longer needed.
- Regularly Audit Links and Keys: Periodically review the active Report Keys and Secure Links in your Administration portal and revoke any that are no longer in use.
5. API and Automation Security
If you use DataCentral's advanced developer features, secure your integrations.
- Rotate Service Principal Secrets: Client Secrets for your Entra ID App Registrations (Authentication and Graph) and Power BI Service Principals expire. Proactively generate new secrets in Azure and update them in DataCentral before they expire.
- Secure Webhooks: When configuring Action Tasks, ensure the receiving endpoint (e.g., your Logic App or Zapier webhook) requires authentication (such as an API key or bearer token) and uses HTTPS to encrypt the payload in transit.
- Restrict DAX Query Tasks: Only grant access to DAX Query Tasks to advanced analysts or developers who require raw data extracts, as these tasks bypass the visual layer and can pull large volumes of data.
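For the secret rotation item above, an added example (not part of DataCentral's documentation or code): it takes app registration objects in the shape Microsoft Graph returns for `passwordCredentials` and flags client secrets that are expired or expire within a warning window, recording whether a longer-lived replacement secret already exists. The app names, key IDs, dates and the 30-day window are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape Microsoft Graph returns for
# GET /applications?$select=displayName,passwordCredentials (names/IDs are made up).
SAMPLE_APPS = [
    {"displayName": "DataCentral-Auth (example)", "passwordCredentials": [
        {"keyId": "00000000-0000-0000-0000-000000000001", "endDateTime": "2025-01-10T00:00:00Z"},
        {"keyId": "00000000-0000-0000-0000-000000000002", "endDateTime": "2026-01-10T00:00:00Z"}]},
    {"displayName": "DataCentral-Graph (example)", "passwordCredentials": [
        {"keyId": "00000000-0000-0000-0000-000000000003", "endDateTime": "2025-01-20T08:30:00.1234567Z"}]},
    {"displayName": "PowerBI-SP (example)", "passwordCredentials": [
        {"keyId": "00000000-0000-0000-0000-000000000004", "endDateTime": "2024-12-25T00:00:00Z"}]},
]
SAMPLE_NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)  # fixed "today" for the sample


def parse_graph_time(value):
    """Parse a UTC Graph timestamp ("...Z"), which may carry 7 fractional digits."""
    head = value.rstrip("Z").split(".")[0]  # drop the fraction; second precision is enough
    return datetime.strptime(head, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def expiring_secrets(apps, now, warn_days=30):
    """List secrets that are expired or expire within warn_days, most urgent first."""
    cutoff = now + timedelta(days=warn_days)
    findings = []
    for app in apps:
        ends = [(c["keyId"], parse_graph_time(c["endDateTime"]))
                for c in app.get("passwordCredentials", [])]
        # Rotation has started only if another secret outlives the warning window.
        has_replacement = any(end > cutoff for _, end in ends)
        for key_id, end in ends:
            if end <= cutoff:
                findings.append({
                    "app": app["displayName"],
                    "keyId": key_id,
                    "status": "expired" if end <= now else "expiring",
                    "days_left": (end - now).days,
                    "replacement_exists": has_replacement,
                })
    return sorted(findings, key=lambda f: f["days_left"])


if __name__ == "__main__":
    for finding in expiring_secrets(SAMPLE_APPS, SAMPLE_NOW):
        print(finding)
```

Findings with `replacement_exists` set to false are the ones where a new secret still has to be generated in Azure and updated in DataCentral.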
6. Monitor the Audit Log
- Review Regularly: Make it a habit to review the DataCentral Audit Log for suspicious activity, such as repeated failed logins, unusual export volumes, or unexpected role changes.
- Export for Compliance: If your organization is subject to compliance regulations (like SOC 2 or GDPR), regularly export the audit log and store it in your secure archival system.