Power BI security whitepaper

Summary: Power BI is an online software service (SaaS, or Software as a Service) offering from Microsoft that lets you easily and quickly create self-service Business Intelligence dashboards, reports, datasets, and visualizations. With Power BI, you can connect to many different data sources, combine and shape data from those connections, then create reports and dashboards that can be shared with others.

Writer: David Iseminger

Technical Reviewers: Pedram Rezaei, Cristian Petculescu, Siva Harinath, Tod Manning, Haydn Richardson, Adam Wilson, Ben Childs, Robert Bruckner, Sergei Gundorov, Kasper de Jonge

Applies to: Power BI SaaS, Power BI Desktop, Power BI Embedded, Power BI Premium

Note

You can save or print this whitepaper by selecting Print from your browser, then selecting Save as PDF.

Introduction

Power BI is an online software service (SaaS, or Software as a Service) offering from Microsoft that lets you easily and quickly create self-service Business Intelligence dashboards, reports, datasets, and visualizations. With Power BI, you can connect to many different data sources, combine and shape data from those connections, then create reports and dashboards that can be shared with others.

The Power BI service is governed by the Microsoft Online Services Terms and the Microsoft Enterprise Privacy Statement. For the location of data processing, refer to the Location of Data Processing terms in the Microsoft Online Services Terms. For compliance information, the Microsoft Trust Center is the primary resource for Power BI. The Power BI team works to bring its customers the latest innovations and productivity. Power BI is currently in Tier D of the Microsoft 365 Compliance Framework. Learn more about compliance in the Microsoft Trust Center.

This article describes Power BI security by explaining the Power BI architecture, then how users authenticate to Power BI and how data connections are established, and then how Power BI stores and moves data through the service. The last section is dedicated to security-related questions, with an answer for each.

Power BI Architecture

The Power BI service is built on Azure, Microsoft's cloud computing platform. Power BI is currently deployed in many datacenters around the world; there are many active deployments made available to customers in the regions served by those datacenters, and an equal number of passive deployments that serve as backups for each active deployment.

Each Power BI deployment consists of two clusters: a Web Front End (WFE) cluster and a Back-End cluster. These two clusters are shown in the following image and provide the backdrop for the rest of this article.

Figure: WFE and Back-End clusters

Power BI uses Azure Active Directory (AAD) for account authentication and management. Power BI also uses Azure Traffic Manager (ATM) to direct user traffic to the nearest datacenter, as determined from the DNS query of the client attempting to connect, for the authentication process and for downloading static content and files. Power BI uses the geographically closest WFE to efficiently distribute the necessary static content and files to users, with the exception of Power BI visuals, which are delivered through the Azure Content Delivery Network (CDN).

The WFE Cluster

The WFE cluster manages the initial connection and authentication process for Power BI, using AAD to authenticate clients and to provide tokens for subsequent client connections to the Power BI service.

Figure: The WFE cluster

When users attempt to connect to the Power BI service, the client's DNS service may communicate with Azure Traffic Manager to find the nearest datacenter with a Power BI deployment. For more information about this process, see Performance traffic routing method for Azure Traffic Manager.

The WFE cluster nearest to the user manages the login and authentication sequence (described later in this article) and provides an AAD token to the user once authentication succeeds. The ASP.NET component within the WFE cluster parses the request to determine which organization the user belongs to, and then consults the Power BI Global Service. The Global Service is a single Azure Table shared among all worldwide WFE and Back-End clusters that maps users and customer organizations to the datacenter that houses their Power BI tenant. The WFE tells the browser which Back-End cluster houses the organization's tenant. Once a user is authenticated, subsequent client interactions occur directly with the Back-End cluster, without the WFE acting as an intermediary for those requests.

The Power BI Back-End Cluster

The Back-End cluster is how authenticated clients interact with the Power BI service. It manages visualizations, user dashboards, datasets, reports, data storage, data connections, data refresh, and other aspects of interacting with the Power BI service.

Figure: The Back-End cluster

The Gateway Role acts as a gateway between user requests and the Power BI service. Users do not interact directly with any role other than the Gateway Role.

Important: Only the Azure API Management (APIM) and Gateway (GW) roles are reachable from the public Internet. They provide authentication, authorization, DDoS protection, throttling, load balancing, routing, and other capabilities.

The dotted line in the Back-End cluster image above marks the boundary between the only two roles that users can reach (left of the dotted line) and the roles that only the system can reach. When an authenticated user connects to the Power BI service, the connection and any request by the client is accepted and managed by the Gateway Role and Azure API Management, which then interact on the user's behalf with the rest of the Power BI service. For example, when a client attempts to view a dashboard, the Gateway Role accepts that request and then separately sends a request to the Presentation Role to retrieve the data the browser needs to render the dashboard.

Figure: The Gateway Role

Power BI Premium

Power BI Premium offers a dedicated, provisioned, and partitioned service workspace for subscribers that need dedicated resources for their Power BI activities. When a customer signs up for a Power BI Premium subscription, the Premium capacity is created through Azure Resource Manager. The rollout of that subscription assigns a set of virtual machines commensurate with the subscription level, in the datacenter where the customer's Power BI tenant is hosted (with the exception of multi-geo environments, described later in this document), initiated as an Azure Service Fabric deployment.

Figure: Power BI Premium

Once created, all communication with the Premium cluster is routed through the Power BI Back-End cluster, where a connection to the client's dedicated Power BI Premium subscription virtual machines is established.

Data Storage Architecture

Power BI uses two primary repositories for storing and managing data: data uploaded by users is typically sent to Azure Blob storage, and all metadata, as well as artifacts for the system itself, are stored behind a firewall in Azure SQL Database.

Figure: Data storage

For example, when a user imports an Excel workbook into the Power BI service, an in-memory Analysis Services tabular database is created, and the data is kept in memory for up to one hour (or until memory pressure occurs on the system). The data is also sent to Azure Blob storage.

Metadata about a user's Power BI subscription, such as dashboards, reports, recent data sources, workspaces, organizational information, tenant information, and other metadata about the system, is stored and updated in Azure SQL Database. All information stored in Azure SQL Database is fully encrypted using Azure SQL's Transparent Data Encryption (TDE) technology. All data stored in Azure Blob storage is also encrypted. The process of loading, storing, and moving data is described in more detail in the Data Storage and Movement section.

Tenant Creation

A tenant is a dedicated instance of the Azure AD service that an organization receives and owns when it signs up for a Microsoft cloud service such as Azure, Microsoft Intune, Power BI, or Microsoft 365. Each Azure AD tenant is distinct and separate from other Azure AD tenants.

A tenant houses the users in a company and the information about them: their passwords, user profile data, permissions, and so on. It also contains groups, applications, and other information pertaining to an organization and its security. For more information, see What is an Azure AD tenant.

A Power BI tenant is created in the datacenter deemed closest to the country (or region) and state information provided for the tenant in Azure Active Directory, which was supplied when the Microsoft 365 or Power BI service was initially provisioned. The Power BI tenant does not move from that datacenter location today.

Multiple Geographies (Multi-geo)

Some organizations require a Power BI presence in multiple geographies, or regions, based on business needs. For example, a business may have its Power BI tenant in the United States but also do business in other geographical areas, such as Australia, and need certain Power BI data to remain at rest in that remote region to comply with local regulations. Beginning in the second half of 2018, organizations with their home tenant in one geography can also provision and access Power BI resources located in another geography. This feature is referred to as multi-geo for convenience throughout this document.

The most current and primary article for multi-geo information is Configure Multi-Geo support for Power BI Premium.

Several technical details should be evaluated in the context of local laws and regulations when operating in different geographies. These details include the following:

  • A remote query execution layer is hosted in the remote capacity region, to ensure that the data model, caches, and most data processing remain in the remote capacity region. There are some exceptions, as detailed in the multi-geo for Power BI Premium article.
  • Cached query text and the corresponding results stored in a remote region stay in that region at rest; other data in transit, however, may go back and forth between multiple geographies.
  • PBIX or XLSX files that are published (uploaded) to a multi-geo capacity of the Power BI service may result in a copy being temporarily stored in Azure Blob storage in Power BI's tenant region. In such cases the data is encrypted using Azure Storage Service Encryption (SSE), and the copy is scheduled for garbage collection as soon as the file content processing and transfer to the remote region are complete.
  • When moving data across regions in a multi-geo environment, the instance of the data in the source region is deleted within 7-30 days.

Datacenters and Locales

Power BI is offered in certain regions, based on where Power BI clusters are deployed in regional datacenters. Microsoft plans to expand its Power BI infrastructure into additional datacenters.

The following links provide additional information about Azure datacenters.

  • Azure Regions – information about Azure's global presence and locations
  • Azure Services, by region – a complete listing of Azure services (both infrastructure services and platform services) available from Microsoft in each region.

Currently, the Power BI service is available in specific regions, serviced by datacenters as described in the Microsoft Trust Center. A map of Power BI datacenters is available there; hover over a region to see the datacenters located in it.

Microsoft also provides datacenters for sovereign (national) clouds. For more information about Power BI service availability for national clouds, see Power BI national clouds.

For more information on where your data is stored and how it is used, refer to the Microsoft Trust Center. Commitments about the location of customer data at rest are specified in the Data Processing Terms of the Microsoft Online Services Terms.

User Authentication

User authentication to the Power BI service consists of a series of requests, responses, and redirects between the user's browser and the Power BI service or the Azure services used by Power BI. The following sequence describes the process of user authentication in Power BI. For more information about options for an organization's user authentication models (sign-in models), see Choosing a sign-in model for Microsoft 365.

Authentication Sequence

The user authentication sequence for the Power BI service occurs as described in the following steps, which are illustrated in the following images.

  1. A user initiates a connection to the Power BI service from a browser, either by typing the Power BI address in the address bar (such as https://app.powerbi.com) or by selecting Sign In from the Power BI landing page (https://powerbi.microsoft.com). The connection is established using TLS 1.2 and HTTPS, and all subsequent communication between the browser and the Power BI service uses HTTPS. The request is sent to Azure Traffic Manager.

  2. Azure Traffic Manager uses the client's DNS query to determine the nearest datacenter where Power BI is deployed, and answers the DNS query with the IP address of the WFE cluster to which the user should be sent.

  3. The WFE then redirects the user to the Microsoft Online Services login page.

    Figure: Authentication sequence

  4. Once the user is authenticated, the login page redirects the user to the previously determined nearest Power BI service WFE cluster.

  5. The browser submits a cookie obtained from the successful login to Microsoft Online Services, which is inspected by the ASP.NET service inside the WFE cluster.

  6. The WFE cluster checks with the Azure Active Directory (AAD) service to validate the user's Power BI service subscription and to obtain an AAD security token. When AAD returns successful authentication of the user along with an AAD security token, the WFE cluster consults the Power BI Global Service, which maintains a list of tenants and their Power BI Back-End cluster locations, and determines which Power BI service cluster contains the user's tenant. The WFE cluster then directs the user to the Power BI cluster where the tenant resides, and returns a collection of items to the user's browser:

    • The AAD security token
    • Session information
    • The web address of the Back-End cluster the user can communicate and interact with
  7. The user's browser then contacts the specified Azure CDN, or for some of the files the WFE, to download the collection of specified common files necessary to enable the browser's interaction with the Power BI service. For the duration of the Power BI service browser session, the browser page then holds the AAD token, the session information, the location of the associated Back-End cluster, and the collection of files downloaded from the Azure CDN and the WFE cluster.

Figure: Azure CDN interaction

Once those items are complete, the browser initiates contact with the specified Back-End cluster and the user's interaction with the Power BI service commences. From that point forward, all calls to the Power BI service go to the specified Back-End cluster, and every call includes the user's AAD token. The AAD token has a timeout of one hour; the WFE refreshes the token periodically if the user's session remains open, in order to preserve access.

Data Storage and Movement

In the Power BI service, data is either at rest (data available to a Power BI user that is not currently being acted upon) or in process (for example: queries being run, data connections and models being acted upon, data and/or models being uploaded into the Power BI service, and other actions that users or the Power BI service may take on data that is actively being accessed or updated). Data that is in process is referred to as data in process. Data at rest in Power BI is encrypted. Data in transit, meaning data being sent or received by the Power BI service, is also encrypted.

The Power BI service also manages data differently depending on whether the data is accessed with DirectQuery or imported. So there are two categories of user data for Power BI: data accessed by DirectQuery, and data not accessed by DirectQuery.

A DirectQuery is a query in which a Power BI user's query has been translated from Microsoft's Data Analysis Expressions (DAX) language (the language Power BI and other Microsoft products use to create queries) into the data source's native query language (such as T-SQL, or another native database language). The data associated with a DirectQuery is stored by reference only, which means source data is not stored in Power BI when the DirectQuery is not active (except for visualization data used to display dashboards and reports, as described in the Data in process (data movement) section below). Rather, references to the DirectQuery data are stored, which allow access to that data when the DirectQuery is run. A DirectQuery contains all the information necessary to execute the query, including the connection string and the credentials used to access the data sources, which allow the DirectQuery to connect to the included data sources for automatic refresh. With DirectQuery, underlying data model information is incorporated into the DirectQuery.

A query for an import dataset consists of a collection of DAX queries that are not directly translated into the native language of any underlying data source. Import queries do not include credentials for the underlying data, and the underlying data is loaded into the Power BI service, unless it is on-premises data accessed through a Power BI gateway, in which case the query only stores references to the on-premises data.

The following table describes Power BI data based on the type of query being used. An X indicates the presence of Power BI data when using the associated query type.

                          Import    DirectQuery    Live Connect
  Schema                  X         X
  Row data                X
  Visuals data caching    X         X              X

The distinction between a DirectQuery and other queries determines how the Power BI service handles the data at rest, and whether the query itself is encrypted. The following sections describe data at rest and in movement, and explain the encryption, location, and process for handling data.

Data at rest

When data is at rest, the Power BI service stores datasets, reports, and dashboard tiles in the manner described in the following subsections. As mentioned earlier, data at rest in Power BI is encrypted. In the following sections, ETL stands for Extract, Transform, and Load.

Encryption Keys

  • The encryption keys for Azure Blob storage are stored, encrypted, in Azure Key Vault.
  • The encryption keys for Azure SQL Database TDE are managed by Azure SQL itself.
  • The encryption keys for the Data Movement service and the on-premises data gateway are stored:
    • in the on-premises data gateway on the customer's infrastructure, for on-premises data sources
    • in the Data Movement Role, for cloud-based data sources

The Content Encryption Key (CEK) used to encrypt content in Microsoft Azure Blob Storage is a randomly generated 256-bit key. The algorithm the CEK is used with to encrypt the content is AES_CBC_256.

The Key Encryption Key (KEK) used to encrypt the CEK is a pre-defined 256-bit key. The algorithm the KEK uses to encrypt (wrap) the CEK is A256KW, that is, AES Key Wrap (RFC 3394) with a 256-bit key. A wrapped CEK cannot be recovered without the KEK, so possession of the ciphertext and the wrapped CEK alone does not expose the content, and the key wrap's built-in check value rejects a wrapped key that was altered or unwrapped with the wrong KEK.

Gateway encryption keys based on the recovery key never leave the on-premises infrastructure. Power BI cannot access the encrypted on-premises credential values and cannot intercept those credentials; web clients encrypt the credentials with a public key associated with the specific gateway they are communicating with, so only that gateway, holding the matching private key, can decrypt them.
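The gateway-credential path above, as an added example in Go that is not the gateway's or the service's own code: the web-client side encrypts a credential so that only the holder of the gateway's private key can read it, and the service sits in the middle holding only ciphertext. The hybrid construction (RSA-OAEP wrapping a one-time AES-256-GCM key, with the gateway identifier as OAEP label and GCM additional data), the CredentialEnvelope type, the gateway identifier and the sample credential are assumptions made for illustration; the whitepaper states only that a gateway-specific public key is used.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// CredentialEnvelope is what the web client hands to the service for storage.
// Without the gateway's private key, none of its fields reveal the credential.
// The layout is an assumption for this example, not the gateway's wire format.
type CredentialEnvelope struct {
	GatewayID  string // assumed: identifies which gateway key pair was used
	WrappedKey []byte // RSA-OAEP(gateway public key, one-time AES-256 data key)
	Nonce      []byte // 96-bit AES-GCM nonce
	Ciphertext []byte // AES-256-GCM(data key, credential), AAD = GatewayID
}

// NewGatewayKeyPair stands in for the key pair the gateway generates on-premises;
// only the public half is ever given to the service.
func NewGatewayKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// EncryptForGateway runs in the web client: it needs only the gateway's public key.
func EncryptForGateway(gatewayID string, pub *rsa.PublicKey, credential []byte) (*CredentialEnvelope, error) {
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return nil, err
	}
	// OAEP label and GCM AAD both bind the blob to this gateway, so an envelope
	// made for one gateway cannot be re-addressed to another.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dataKey, []byte(gatewayID))
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(dataKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return &CredentialEnvelope{
		GatewayID:  gatewayID,
		WrappedKey: wrapped,
		Nonce:      nonce,
		Ciphertext: gcm.Seal(nil, nonce, credential, []byte(gatewayID)),
	}, nil
}

// DecryptOnGateway runs on the on-premises gateway host, the only place the
// private key exists. Any mismatch (other gateway, wrong key, edited bytes) fails.
func DecryptOnGateway(gatewayID string, priv *rsa.PrivateKey, env *CredentialEnvelope) ([]byte, error) {
	if env.GatewayID != gatewayID {
		return nil, errors.New("envelope is addressed to a different gateway")
	}
	dataKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, []byte(gatewayID))
	if err != nil {
		return nil, errors.New("cannot unwrap data key: not encrypted for this gateway")
	}
	gcm, err := newGCM(dataKey)
	if err != nil {
		return nil, err
	}
	credential, err := gcm.Open(nil, env.Nonce, env.Ciphertext, []byte(gatewayID))
	if err != nil {
		return nil, errors.New("credential ciphertext failed authentication")
	}
	return credential, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	gatewayKey, err := NewGatewayKeyPair()
	if err != nil {
		panic(err)
	}
	const gatewayID = "gw-example-01" // assumed identifier, not a real one
	// Constructed sample credential; the service stores env and can only store and forward it.
	env, err := EncryptForGateway(gatewayID, &gatewayKey.PublicKey, []byte(`{"user":"svc_sql","password":"constructed-sample"}`))
	if err != nil {
		panic(err)
	}
	cred, err := DecryptOnGateway(gatewayID, gatewayKey, env)
	fmt.Printf("gateway recovered credential: %s (err=%v)\n", cred, err)
}
```

The one-time data key is what makes the scheme practical: RSA-OAEP with a 2048-bit key can carry only a short message, while connection strings and tokens are not short, so the public key wraps a 32-byte key and AES-GCM carries the credential and authenticates it. The service's copy of the envelope is useless to anyone who compromises the service, which is the property the paragraph above describes.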

For cloud-based data sources, the Data Movement Role encrypts encryption keys using Always Encrypted methods. You can learn more about the Always Encrypted database feature.

Datasets

  1. Metadata (tables, columns, measures, calculations, connection strings, etc.)

    a. For Analysis Services on-premises, nothing is stored in the service except a reference to that database, stored encrypted in Azure SQL.

    b. All other metadata for ETL, DirectQuery, and Push Data is encrypted and stored in Azure Blob storage.

  2. Credentials to the original data sources

    a. Analysis Services on-premises – no credentials are needed and, therefore, no credentials are stored.

    b. DirectQuery – this depends on whether the model is created directly in the service, in which case the credentials are stored in the connection string and encrypted in Azure Blob, or imported from Power BI Desktop, in which case the credentials are stored encrypted in Data Movement's Azure SQL Database. The encryption key is stored on the machine running the gateway on the customer's infrastructure.

    c. Pushed data – not applicable

    d. ETL

    • For Salesforce or OneDrive – the refresh tokens are stored encrypted in the Azure SQL Database of the Power BI service.
    • Otherwise:
      • If the dataset is set for refresh, the credentials are stored encrypted in Data Movement's Azure SQL Database. The encryption key is stored on the machine running the gateway on the customer's infrastructure.
      • If the dataset is not set for refresh, no credentials are stored for the data sources.
  3. Data

    a. Analysis Services on-premises, and DirectQuery – nothing is stored in the Power BI service.

    b. ETL – encrypted in Azure Blob storage; all data currently in the Azure Blob storage of the Power BI service uses Azure Storage Service Encryption (SSE), also known as server-side encryption. Multi-geo uses SSE as well.

    c. Push data v1 – stored encrypted in Azure Blob storage; all data currently in the Azure Blob storage of the Power BI service uses Azure Storage Service Encryption (SSE), also known as server-side encryption. Multi-geo uses SSE as well. Push data v1 was discontinued in 2016.

    d. Push data v2 – stored encrypted in Azure SQL.

Power BI uses the client-side encryption approach, using cipher block chaining (CBC) mode with the Advanced Encryption Standard (AES), to encrypt its Azure Blob storage. You can learn more about client-side encryption.

Power BI provides data integrity monitoring in the following ways:

  • For data at rest in Azure SQL, Power BI uses DBCC consistency checks, TDE, and page checksums, all part of SQL's native offerings.

  • For data at rest in Azure Blob storage, Power BI uses client-side encryption and HTTPS to transfer data into storage, which includes integrity checks during retrieval of the data. You can learn more about Azure Blob storage security.

Reports

  1. Metadata (report definition)

    a. Reports can either be Excel for Microsoft 365 reports, or Power BI reports. The following applies for metadata based on the type of report:

      a. Excel report metadata is stored encrypted in SQL Azure. Metadata is also stored in Microsoft 365.

      b. Power BI reports are stored encrypted in Azure SQL Database.

  2. Static data

    Static data includes artifacts such as background images and Power BI visuals.

      a. For reports created with Excel for Microsoft 365, nothing is stored.

      b. For Power BI reports, the static data is stored and is encrypted in Azure Blob storage.

  3. Caches

      a. For reports created with Excel for Microsoft 365, nothing is cached.

      b. For Power BI reports, the data for the report visuals shown is cached and stored in the Visual Data Cache described in the following section.

  4. Original Power BI Desktop (.pbix) or Excel (.xlsx) files published to Power BI

    Sometimes a copy or a shadow copy of the .xlsx or .pbix file is stored in Power BI's Azure Blob storage, and when that occurs, the data is encrypted. All such reports stored in the Power BI service, in Azure Blob storage, use Azure Storage Service Encryption (SSE), also known as server-side encryption. Multi-geo uses SSE as well.

Dashboards and Dashboard Tiles

  1. Caches – The data needed by the visuals on the dashboard is usually cached and stored in the Visual Data Cache described in the following section. Other tiles, such as pinned visuals from Excel or SQL Server Reporting Services (SSRS), are stored in Azure Blob as images, and are also encrypted.

  2. Static data – includes artifacts such as background images and Power BI visuals that are stored, encrypted, in Azure Blob storage.

Regardless of the encryption method used, Microsoft manages the key encryption on customers' behalf.

Visual Data Cache

Visual data is cached in different locations depending on whether the dataset is hosted on a Power BI Premium Capacity. For datasets that are not hosted on a Capacity, the visual data is cached and stored encrypted in an Azure SQL Database. For datasets that are hosted on a Capacity, the visual data can be cached in any of the following locations:

  • Azure Blob Storage
  • Azure Premium Files
  • The Power BI Premium Capacity node

Data Transiently Stored on Non-Volatile Devices

Non-volatile devices are devices that have memory that persists without constant power. The following describes data that is transiently stored on non-volatile devices.

Datasets

  1. Metadata (tables, columns, measures, calculations, connection strings, etc.)

  2. Some schema-related artifacts can be stored on the disk of the compute nodes for a limited period of time. Some artifacts can also be stored in Azure Redis Cache unencrypted for a limited period of time.

  3. Credentials to the original data sources

    a. Analysis Services on-premises – nothing is stored

    b. DirectQuery – This depends on whether the model is created in the service directly, in which case it is stored in the connection string, in encrypted format with the encryption key stored in clear text in the same place (alongside the encrypted information); or whether the model is imported from Power BI Desktop, in which case the credentials are not stored on non-volatile devices.

    Note

    The service-side model creation feature was discontinued beginning in 2017.

    c. Pushed data – none (not applicable)

    d. ETL – none (nothing is stored on the compute node, and nothing differs from what is explained in the Data at Rest section, above)

  4. Data

    Some data artifacts can be stored on the disk of the compute nodes for a limited period of time.

Data in process

Data is in process when it is actively being used or accessed by a user. For example, data is in process when a user accesses a dataset, revises or modifies a dashboard or report, when a refresh occurs, or when other data access activities occur. When any of those events occur and put data in process, the Data Role in the Power BI service creates an in-memory Analysis Services (AS) database and the dataset is loaded into that in-memory Analysis Services database. Whether the dataset is based on a DirectQuery or not, data loaded in the AS database is unencrypted to allow for access by the Data Role, and is held in memory for further access until the Power BI service no longer needs the dataset. For customers with a Power BI Premium subscription, Power BI creates the in-memory Analysis Services (AS) database in the customer's separately provisioned collection of Power BI virtual machines.

Once data is acted upon, which includes initially loading data into Power BI, the Power BI service may cache the visualization data in an encrypted Azure SQL Database, regardless of whether the dataset is based on a DirectQuery.

To monitor data integrity for data in process, Power BI uses HTTPS, TCP/IP, and TLS to ensure data is encrypted and maintains its integrity during transport.

User Authentication to Data Sources

With each data source, a user establishes a connection based on their login, and accesses the data with those credentials. Users can then create queries, dashboards, and reports based on the underlying data.

When a user shares queries, dashboards, reports, or any visualization, access to that data and those visualizations depends on whether the underlying data sources support Role Level Security (RLS).

If an underlying data source is capable of Power BI's Role Level Security (RLS), the Power BI service will apply that role level security, and users who do not have sufficient credentials to access the underlying data (which could be a query used in a dashboard, report, or other data artifact) will not see data for which they lack sufficient privileges. If a user's access to the underlying data is different from that of the user who created the dashboard or report, the visualizations and other artifacts will only show data based on the level of access that user has to the data.

If a data source does not apply RLS, then the Power BI login credentials are applied to the underlying data source, or, if other credentials are supplied during the connection, those supplied credentials are applied. When a user loads data into the Power BI service from non-RLS data sources, the data is stored in Power BI as described in the Data Storage and Movement section of this document. For non-RLS data sources, when data is shared with other users (such as through a dashboard or report) or a refresh of the data occurs, the original credentials are used to access or display the data.

Role Level Security (RLS)

For a quick example to contrast RLS and non-RLS data sources, imagine Sam creates a report and a dashboard, then shares them with Abby and Ralph. If the data sources used in the report and dashboard do not support RLS, both Abby and Ralph will be able to see the data that Sam included in the dashboard (which was uploaded into the Power BI service), and both Abby and Ralph can then interact with the data. In contrast, if Sam creates a report and dashboard from data sources that do support RLS, then shares them with Abby and Ralph, when Abby attempts to view the dashboard the following occurs:

  1. Since the dashboard is from an RLS data source, the dashboard visualizations will briefly show a "loading" message while the Power BI service queries the data source to retrieve the current dataset specified in the connection string associated with the dashboard's underlying query.

  2. The data is accessed and retrieved based on Abby's credentials and role, and only data for which Abby has sufficient authorization is loaded into the dashboard and report.

  3. The visualizations in the dashboard and report are displayed based on Abby's role level.

If Ralph were to access the shared dashboard or report, the same sequence occurs based on his role level.

Power BI Mobile

Power BI Mobile is a collection of apps designed for the three primary mobile platforms: Android, iOS, and Windows Mobile. Security considerations for Power BI Mobile apps fall into two categories:

  • Device communication
  • The application and data on the device

For device communication, all Power BI Mobile applications communicate with the Power BI service, and use the same connection and authentication sequences used by browsers, which are described in detail earlier in this whitepaper. The iOS and Android Power BI mobile applications bring up a browser session within the application itself, and the Windows mobile app brings up a broker to establish the communication channel with Power BI.

The following table lists support of certificate-based authentication (CBA) for Power BI Mobile based on mobile device platform:

  CBA Support                           iOS            Android      Windows
  Power BI (sign in to service)         Supported      Supported    Not supported
  SSRS ADFS (connect to SSRS server)    Not supported  Supported    Not supported

Power BI Mobile apps actively communicate with the Power BI service. Telemetry is used to gather mobile app usage statistics and similar data, which is transmitted to services that are used to monitor usage and activity; no personal data is sent with telemetry data.

The Power BI application on the device stores data on the device that facilitates use of the app:

  • Azure Active Directory and refresh tokens are stored in a secure mechanism on the device, using industry-standard security measures.

  • Data is cached in storage on the device, which is not directly encrypted by the application itself.

  • Settings are also stored on the device unencrypted, but no actual user data is stored.

The data cache from Power BI Mobile remains on the device for two weeks, or until: the app is removed; the user signs out of Power BI Mobile; or the user fails to sign in (such as on a token expiration event, or a password change). The data cache includes dashboards and reports previously accessed from the Power BI Mobile app.

Power BI Mobile applications do not look at folders on the device.

All three platforms for which Power BI Mobile is available support Microsoft Intune, a software service that provides mobile device and application management. With Intune enabled and configured, data on the mobile device is encrypted, and the Power BI application itself cannot be installed on an SD card. You can learn more about Microsoft Intune.

Power BI Security Questions and Answers

The following questions are common security questions and answers for Power BI. These are organized based on when they were added to this whitepaper, to facilitate your ability to quickly find new questions and answers when this paper is updated. The newest questions are added to the end of this list.

How do users connect to, and gain access to, data sources while using Power BI?

  • Power BI credentials and domain credentials: Users sign in to Power BI using an email address; when a user attempts to connect to a data resource, Power BI passes the Power BI login email address as credentials. For domain-connected resources (either on-premises or cloud-based), the login email is matched with a User Principal Name (UPN) by the directory service to determine whether sufficient credentials exist to allow access. For organizations that use work-based email addresses to sign in to Power BI (the same email they use to log in to work resources, such as david@contoso.com), the mapping can occur seamlessly; for organizations that did not use work-based email addresses (such as david@contoso.onmicrosoft.com), directory mapping must be established in order to allow access to on-premises resources with Power BI login credentials.

  • SQL Server Analysis Services and Power BI: For organizations that use on-premises SQL Server Analysis Services, Power BI offers the Power BI on-premises data gateway (which is a Gateway, as referenced in previous sections). The Power BI on-premises data gateway can enforce role-level security (RLS) on data sources. For more information on RLS, see User Authentication to Data Sources earlier in this document. For more information about gateways, see on-premises data gateway.

    In addition, organizations can use Kerberos for single sign-on (SSO) and seamlessly connect from Power BI to on-premises data sources such as SQL Server, SAP HANA, and Teradata. For more information, and the specific configuration requirements, see Use Kerberos for SSO from Power BI to on-premises data sources.

  • Non-domain connections: For data connections that are not domain-joined and not capable of Role Level Security (RLS), the user must provide credentials during the connection sequence, which Power BI then passes to the data source to establish the connection. If permissions are sufficient, data is loaded from the data source into the Power BI service.

How is data transferred to Power BI?

  • All data requested and transmitted by Power BI is encrypted in transit using HTTPS to connect from the data source to the Power BI service. A secure connection is established with the data provider, and only once that connection is established will data traverse the network.

How does Power BI cache report, dashboard, or model data, and is it secure?

  • When a data source is accessed, the Power BI service follows the process outlined in the Data Storage and Movement section earlier in this document.

Do clients cache web page data locally?

  • When browser clients access Power BI, the Power BI web servers set the Cache-Control directive to no-store. The no-store directive instructs browsers not to cache the web page being viewed by the user, and not to store the web page in the client's cache folder.

What about role-based security, sharing reports or dashboards, and data connections? How does that work in terms of data access, dashboard viewing, report access, or refresh?

  • For non-Role Level Security (RLS) enabled data sources, if a dashboard, report, or data model is shared with other users through Power BI, the data is then available for the users with whom it is shared to view and interact with. Power BI does not re-authenticate users against the original source of the data; once data is uploaded into Power BI, the user who authenticated against the source data is responsible for managing which other users and groups can view the data.

    When data connections are made to an RLS-capable data source, such as an Analysis Services data source, only dashboard data is cached in Power BI. Each time a report or dataset that uses data from the RLS-capable data source is viewed or accessed in Power BI, the Power BI service accesses the data source to get data based on the user's credentials, and if sufficient permissions exist, the data is loaded into the report or data model for that user. If authentication fails, the user will see an error.

    For more information, see the User Authentication to Data Sources section earlier in this document.

Our users connect to the same data sources all the time, some of which require credentials that differ from their domain credentials. How can they avoid having to input these credentials each time they make a data connection?

  • Power BI offers the Power BI Personal Gateway, which is a feature that lets users create credentials for multiple different data sources, then automatically use those credentials when subsequently accessing each of those data sources. For more information, see Power BI Personal Gateway.

How do Power BI Groups work?

  • Power BI Groups allow users to quickly and easily collaborate on the creation of dashboards, reports, and data models within established teams. For example, if you have a Power BI Group that includes everyone in your immediate team, you can easily collaborate with everyone on your team by selecting the Group from within Power BI. Power BI Groups are equivalent to Office 365 Universal Groups (which you can learn about, create, and manage), and use the same authentication mechanisms used in Azure Active Directory to secure data. You can create groups in Power BI or create a Universal Group in the Microsoft 365 admin center; either has the same result for group creation in Power BI.

    Note that data shared with Power BI Groups follows the same security considerations as any shared data in Power BI. For non-RLS data sources, Power BI does not re-authenticate users against the original source of data, and once data is uploaded into Power BI, the user who authenticated against the source data is responsible for managing which other users and groups can view the data. For more information, see the User Authentication to Data Sources section earlier in this document.

    You can get more information about Groups in Power BI.

Which ports are used by the on-premises data gateway and personal gateway? Are there any domain names that need to be allowed for connectivity purposes?

  • The detailed answer to this question is available at the following link: Gateway ports

When working with the on-premises data gateway, how are recovery keys used and where are they stored? What about secure credential management?

  • During gateway installation and configuration, the administrator types in a gateway Recovery Key. That Recovery Key is used to generate a strong AES symmetric key. An RSA asymmetric key is also created at the same time.

    Those generated keys (RSA and AES) are stored in a file located on the local machine. That file is also encrypted. The contents of the file can only be decrypted by that particular Windows machine, and only by that particular gateway service account.

    When a user enters data source credentials in the Power BI service UI, the credentials are encrypted with the public key in the browser. The gateway decrypts the credentials using the RSA private key and re-encrypts them with the AES symmetric key before the data is stored in the Power BI service. With this process, the Power BI service never has access to the unencrypted data.

Which communication protocols are used by the on-premises data gateway, and how are they secured?

  • The gateway supports the following two communications protocols:

    • AMQP 1.0 – TCP + TLS: This protocol requires ports 443, 5671-5672, and 9350-9354 to be open for outgoing communication. This protocol is preferred, since it has lower communication overhead.

    • HTTPS – WebSockets over HTTPS + TLS: This protocol uses port 443 only. The WebSocket is initiated by a single HTTP CONNECT message. Once the channel is established, the communication is essentially TCP + TLS. You can force the gateway to use this protocol by modifying a setting described in the on-premises gateway article.

What is the role of Azure CDN in Power BI?

  • As mentioned previously, Power BI uses the Azure Content Delivery Network (CDN) to efficiently distribute the necessary static content and files to users based on geographical locale. To go into further detail, the Power BI service uses multiple CDNs to efficiently distribute necessary static content and files to users through the public Internet. These static files include product downloads (such as Power BI Desktop, the on-premises data gateway, or Power BI apps from various independent service providers), browser configuration files used to initiate and establish any subsequent connections with the Power BI service, as well as the initial secure Power BI login page.

    Based on information provided during an initial connection to the Power BI service, a user's browser contacts the specified Azure CDN (or, for some files, the WFE) to download the collection of specified common files necessary to enable the browser's interaction with the Power BI service. The browser page then includes the AAD token, session information, the location of the associated Back-End cluster, and the collection of files downloaded from the Azure CDN and WFE cluster, for the duration of the Power BI service browser session.

For Power BI visuals, does Microsoft perform any security or privacy assessment of the custom visual code prior to publishing items to the Gallery?

  • No. It is the customer's responsibility to review and determine whether custom visual code should be relied upon. All custom visual code is operated in a sandbox environment, so that any errant code in a custom visual does not adversely affect the rest of the Power BI service.

Are there other Power BI visuals that send information outside the customer network?

  • Yes. Bing Maps and ESRI visuals transmit data out of the Power BI service for visuals that use those services.

For Template Apps, does Microsoft perform any security or privacy assessment of the Template app prior to publishing items to the Gallery?

  • No. The app publisher is responsible for the content, while it is the customer's responsibility to review and determine whether to trust the Template app publisher.

Are there Template apps that can send information outside the customer network?

  • Yes. It is the customer's responsibility to review the publisher's privacy policy and determine whether to install the Template app on the tenant. Furthermore, the publisher is responsible for notifying users of the app's behavior and capabilities.

What about data sovereignty? Can we provision tenants in data centers located in specific geographies, to ensure data doesn't leave the country borders?

  • Some customers in certain geographies have an option to create a tenant in a national cloud, where data storage and processing is kept separate from all other datacenters. National clouds have a slightly different type of security, since a separate data trustee operates the national cloud Power BI service on behalf of Microsoft.

    Alternatively, customers can also set up a tenant in a specific region; however, such tenants do not have a separate data trustee from Microsoft. Pricing for national clouds is different from the generally available commercial Power BI service. For more information about Power BI service availability for national clouds, see Power BI national clouds.

How does Microsoft treat connections for customers who have Power BI Premium subscriptions? Are those connections different from those established for the non-Premium Power BI service?

  • The connections established for customers with Power BI Premium subscriptions implement an Azure Business-to-Business (B2B) authorization process, using Azure Active Directory (AD) to enable access control and authorization. Power BI handles connections from Power BI Premium subscribers to Power BI Premium resources just as it would any other Azure AD user.

Conclusion

The Power BI service architecture is based on two clusters: the Web Front End (WFE) cluster and the Back-End cluster. The WFE cluster is responsible for initial connection and authentication to the Power BI service, and once authenticated, the Back End handles all subsequent user interactions. Power BI uses Azure Active Directory (AAD) to store and manage user identities, and manages the storage of data and metadata using Azure Blob and Azure SQL Database, respectively.

Data storage and data processing in Power BI differ based on whether data is accessed using a DirectQuery, and also depend on whether data sources are in the cloud or on-premises. Power BI is also capable of enforcing Role Level Security (RLS) and interacts with Gateways that provide access to on-premises data.

Feedback and Suggestions

We appreciate your feedback. We're interested in hearing any suggestions you have for improvements, additions, or clarifications to this whitepaper, or other content related to Power BI. Send your suggestions to pbidocfeedback@microsoft.com.

Additional Resources

For more information on Power BI, see the following resources.