Security trim Project data in #ProjectOnline #PowerBI reports #PPM #Odata #REST #BI
I am a Project Server and SharePoint consultant but my main focus currently is around Project Server.
I have been working with Project Server for nearly five years since 2007 for a Microsoft Gold Certified Partner in the UK, I have also been awared with the Microsoft Community Contributor Award 2011.
I am also a certified Prince2 Practitioner.
The reporting API for Microsoft’s PPM solution – Project Online doesn’t filter the data based on the access model in PWA. For some organisations this can be problematic. In this blog post I show a simple report example to filter only projects and project milestones that I have access to in PWA.
In this example I have a very simple Power BI Report that is only using ODATA (_api/ProjectData), the Projects resource path to populate the Projects slicer / filter and the Tasks resource path to populate the Milestones for the selected Project:
I have access to a long list of projects (see the scroll bar on the slicer). Using the Audit Tracking project as an example, I can currently see this project in PWA as shown below:
I will change the access model so I get access denied to this project:
I only see these 6 projects projects in an unfiltered Project Center view:
Yet if I refresh my Power BI report I still see the full list as expected (the ODATA reporting API is not data security trimmed, you either access all data or none). One option is to use the REST (_api/ProjectServer) to filter the datasets that use the ODATA API as the source. The REST API is security trimmed to only show the data you have access to based on the access model in PWA. For example, I will get the list of Projects from REST to populate the Projects slicer / filter in Power BI, this only shows the projects I have access to in PWA. I have added a new data source to my simple Power BI report for the REST API:
The join is then set up on Id from the Projects REST dataset to the ProjectId in the Milestones OData dataset:
I now switch my slicer / filter to use the Projects – REST dataset
As you can see the list of projects matches what I see in the Project Center but there is a also a blank option there. The blank value is for rows it can’t join with on the Milestone ODATA dataset, these are the projects I no longer have permission to access in PWA! To resolve this, select the page and add a report level filter like below where Name is not blank:
This report filter will not show any blank values for the Name field on any visualisation in the report:
The blank value is now removed. My data is now security trimmed to match what I have access to in PWA! Obviously if you know what you are doing you can just undo all of this and see all data but for some it might be a workable solution! You can do the same with Resources too.