Before you enable a custom visual, you should review that visual for security and privacy to make sure it fits your organization's standards.
A custom visual could contain code with security or privacy risks; therefore, a custom visual in the report is disabled until you choose Enable custom visuals. Here are some considerations to decide whether to enable a custom visual:
Ensure you trust the author and the source of the custom visuals used in the report.
If you are unsure what to do, you should reach out to your IT team to weigh in on whether you should enable custom visuals for reports you view.
If someone shares a report with you that contains a custom visual, even if they're a close co-worker, do not feel obligated to enable the custom visual. It's okay to step back and consider whether it is essential to the task at hand. It's always okay to ask someone to provide you a report without custom visuals if you don't feel confident about the custom visual.
There are several best practices you can follow to evaluate a custom visual for security and privacy.
Save the .pbiviz file to a folder.
Rename the file to a .zip file.
Extract the zip file to a local folder.
The following are the contents of a pbiviz file:
| Path | Description |
|---|---|
| ./package.json | A manifest file that indicates which files to load for the custom visual. |
| ./resources/<name> | <name> is the name of the custom visual. |
| ./resources/<name>.css | The CSS resource file for the custom visual. |
| ./resources/<name>.png | The icon shown to the user for the visual. |
After you extract the pbiviz file, you can evaluate the code. Here are some best practices and threats to look for.
Always evaluate the .js file contents. This is the code that actually runs. It could be that the contents of the .ts file don't compile to the .js file included in the custom visual.
Always evaluate the .ts file contents. You can load the .ts file into the Developer Tools, export the visual, and compare the resulting .js file in the newly created .pbiviz file to the original .js file contained in the visual.
Check that the icon for the custom visual does not resemble too closely other visuals the user is familiar with.
Always evaluate the visual in a test account that has minimal privileges and does not have access to any sensitive data. Ideally the test account would be a local account with no sign-in information to services other than Power BI.
Check network activity when the visual is being used in both edit and view mode. Ensure you're satisfied with the requests that are being made. You should not see requests to resources outside the Power BI domain unless the visual author has communicated this ahead of time.
Any data you see leaving the Power BI domain should match your expectations for what 'normal' use would be. For example, if the visual implements a video player that uses an iFrame to view a video from another site, some information should travel in the iFrame requests to render the video correctly. However, if you see the entire data set being sent across the wire, you should investigate whether this is required and desired.
Check if personally identifiable data is being sent or stored by the custom visual.
Check if the custom visual is trying to access local machine resources such as writing files to disk or accessing cookies.
Check if the custom visual has what appears to be obfuscated code or code without a clear purpose.
Save copies of each visual you reviewed in the past.
If you are reviewing an update to a visual you previously reviewed, be sure to check for changes. Always apply the same rigor to updates as you did the first time you received the visual for review.
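The extraction and code-review steps above can be given a first triage pass with a short script. The following Python is an added example, not part of the original page or of any Power BI tooling: it opens a .pbiviz as the zip archive it is, hashes every member so an update can be compared against a saved earlier copy, and flags lines in .js files that touch the network, cookies or local storage, or build code dynamically. The indicator patterns, the size limit and the sample visual built by `build_sample` are assumptions constructed for illustration.

```python
import hashlib
import io
import re
import zipfile

# Heuristic patterns picked for this example (an assumption, not an official list).
INDICATORS = {
    "network": re.compile(r"XMLHttpRequest|\bfetch\s*\(|WebSocket|sendBeacon"),
    "local-state": re.compile(r"document\.cookie|localStorage|sessionStorage"),
    "dynamic-code": re.compile(r"\beval\s*\(|new\s+Function\s*\(|\batob\s*\("),
    "url": re.compile(r"https?://[^\s\"'<>)]+"),
}
MAX_MEMBER_BYTES = 20 * 1024 * 1024  # do not inflate oversized members

def review_pbiviz(data: bytes):
    """Return ({member: sha256}, [(member, line_no, category, match)])."""
    hashes, findings = {}, []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:  # a .pbiviz is a zip archive
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.file_size > MAX_MEMBER_BYTES:
                findings.append((info.filename, 0, "oversized", str(info.file_size)))
                continue
            raw = zf.read(info)
            hashes[info.filename] = hashlib.sha256(raw).hexdigest()
            if not info.filename.lower().endswith(".js"):
                continue  # only the .js is executed, so only it is pattern-scanned
            text = raw.decode("utf-8", errors="replace")
            for line_no, line in enumerate(text.splitlines(), 1):
                for category, pattern in INDICATORS.items():
                    for match in pattern.finditer(line):
                        findings.append((info.filename, line_no, category, match.group(0)))
    return hashes, findings

def changed_members(old_hashes, new_hashes):
    """Members added, removed or modified between two reviewed versions."""
    names = old_hashes.keys() | new_hashes.keys()
    return sorted(n for n in names if old_hashes.get(n) != new_hashes.get(n))

def build_sample(js_source: str) -> bytes:
    """Constructed stand-in for a .pbiviz, following the layout listed above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("package.json", '{"visual": {"name": "sample"}}')
        zf.writestr("resources/sample.css", ".sample { color: black; }")
        zf.writestr("resources/sample.js", js_source)
    return buf.getvalue()
```

A match only marks a line to read by hand, and a scan with no matches does not clear a visual, since obfuscated code can avoid simple patterns. The network check in a low-privilege test account is still required.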
If you find something suspicious or unclear, please reach out to us; we're here to help.