Skip to main content

How DataCentral Works

DataCentral acts as a secure proxy and management layer between your data sources (like Power BI) and your end users. It handles authentication, authorization, and the actual rendering of the reports in a white-labeled, customizable interface.

This page provides a high-level overview of the system architecture and the flow of data.

1. The Architecture

DataCentral is built on a multi-tenant architecture designed to scale from small businesses to enterprise deployments.

The Host Instance

At the top level is the DataCentral Instance. This is the core infrastructure that hosts the application, manages the database connections, and routes traffic to the correct tenant subdomains.

The Tenants

Inside the instance are Tenants. Each tenant is a completely isolated environment with its own:

  • Subdomain (e.g., partner.datacentral.ai)
  • User directory
  • Roles and Organizational Units (OUs)
  • Power BI Workspace connections
  • Branding and UI settings

The Data Layer

DataCentral does not store your raw business data. Your data remains securely in your existing data warehouse or Power BI datasets. DataCentral only stores the metadata required to manage access (users, roles, workspace IDs, report IDs, and audit logs).

2. The Authentication Flow

When a user attempts to view a report, DataCentral orchestrates a secure handshake between the user, the DataCentral platform, and Microsoft Azure.

  1. User Login: The user navigates to the tenant URL and logs in. They can authenticate using Entra ID (Azure AD), a local User Pass, or Mobile ID.
  2. Role Resolution: DataCentral checks its internal database to determine which Organizational Units (OUs) the user belongs to, what reports they are allowed to see (Report Roles), and what data slice they are authorized to view (RLS Roles).
  3. Token Generation:
    • If the user is using Entra ID and has their own Power BI Pro license, DataCentral requests an embed token on their behalf.
    • If the user is a User Pass or Mobile ID user (or an Entra ID user without a Pro license), DataCentral uses a configured Service Principal to request an embed token from Power BI. This is known as "App Owns Data" embedding.
  4. Report Rendering: Power BI returns a secure, time-limited embed token that includes the user's Row-Level Security (RLS) parameters. DataCentral uses this token to render the report securely in the user's browser.

3. The Administration Flow

Administrators manage the tenant through the DataCentral UI or via the REST API.

  1. Connect Workspaces: The admin configures a Service Principal in Azure and grants it access to the relevant Power BI workspaces.
  2. Import Items: The admin uses the DataCentral UI to browse the connected workspaces and import Reports, Dashboards, or Apps into the tenant.
  3. Configure Security: The admin defines Roles and assigns them to the imported items. If the underlying dataset uses Row-Level Security, the admin maps DataCentral Role Codes to the Power BI roles.
  4. Manage Users: The admin invites users (or syncs them automatically from Entra ID security groups) and assigns them to the appropriate Organizational Units and Roles.

Summary

DataCentral separates the management of users and access from the creation of the reports. Your data analysts continue to build reports in Power BI Desktop as usual. Your administrators use DataCentral to securely distribute those reports to the right people, at scale, without writing custom code or managing complex Azure infrastructure.