Skip to main content

Power BI + Denodo = End-to-end security through Single Sign-On (SSO)

Headshot of article author Kay Unkroth

Power BI is changing the game for modern enterprise BI by seamlessly integrating with cutting-edge big data, data warehouse, and data virtualization technologies, such as Denodo. The Denodo platform uses data virtualization on-premises and in the cloud to facilitate the adoption of a logical architecture or data fabric that can help to boost the productivity of Power BI report authors and business users through self-service data discovery and search.

One of the key elements of seamless integration between Power BI and Denodo is support of Single Sign-On (SSO). SSO lets you enforce end-to-end access controls and security at all layers of the stack, from Power BI, through Denodo, all the way to the data sources. For example, you can enforce security and governance rules in Denodo, across on-prem and cloud data sources, and take advantage of a Denodo-based semantic layer comprised of data views that can conform to an enterprise canonical model that adheres to the semantics and naming conventions of your organization. In other words, rather than living with decentralized security management at each individual data source, you can use Denodo as a centralized security layer across multiple enterprise data sources while at the same time standardizing your enterprise BI landscape on Power BI.

Power BI report authors typically connect to Denodo from Power BI Desktop. The Denodo connector is available in the Get Data dialog under the Database category. As the following screenshot illustrates, the Denodo connector supports Import and DirectQuery mode, the latter being suitable for data at cloud scale because it avoids massive data imports. It is also the right choice for interactive reports on live data that can’t wait for scheduled data refreshes to finish. When a Power BI user interacts with a DirectQuery report to Denodo, Power BI sends the data queries to the Denodo virtualization layer, which forwards the queries to the actual data sources and delivers the query results back to Power BI.

SSO enters the picture when a DirectQuery report is published to the Power BI service. The report requires access to the data, which requires a data source definition for Denodo so that the Power BI service can connect to and query the data source. In DirectQuery mode, every report interaction results in data queries, and with SSO enabled in the data source configuration, the identities of the report users can flow with the data queries so that you can enforce personalized security restrictions in Denodo, as mentioned earlier.

The Power BI service communicates with Denodo by using a Power BI data gateway. On-premises, Denodo relies on Kerberos and Active Directory for security integration, and the data gateway can translate Power BI user identities into Active Directory user identities. The mechanism is the same as for other on-premises data sources supporting SSO, such as Microsoft SQL Server. The data gateway uses the User Principal Name (UPN) of the Power BI user to lookup the corresponding user account in Active Directory, which it then uses to establish the on-prem security context to connect to the data source, in this case Denodo. Denodo therefore knows who the user is and only provides access to the underlying data sources that the user has permissions to access, as in the following diagram.

Enterprise customers typically use Azure AD Connect to synchronize Azure AD (Power BI) user accounts with on-premises Active Directory. This ensures that the UPNs of the Power BI users are correctly mapped to their Active Directory counterparts. With this in place, Denodo can now be indeed the centralized layer of security authorization rules for every single user based on the virtual views published in Denodo. According to user permissions, Denodo can allow or reject queries, mask certain fields, and limit access to specific rows or columns, and so forth.

It is gratifying to see how the collaboration between Power BI and Denodo enables our mutual customers to connect Power BI more seamlessly to Denodo. The latest improvements help to establish end-to-end security through SSO and unblock enterprise organizations that use or are planning to use Denodo to standardize their enterprise BI landscape on Power BI. Stay tuned for even more improvements and innovations from Power BI and Denodo in the future!

For more information on how to use Power BI and Denodo, check out one of the following resources: