Avoid bulk data export

  • Dear all,

    I have this information from my company:

    14 Protection
    2.9 Export

    Bulk Data Export functionality of critical information out of a business application has to be blocked or has to be controlled through a workflow with approval and by an audit trail.

    How are you doing to avoid this?

    Thank you.

  • What is your question here exactly? Rather than giving us a tiny snippet of what you've been told, can you, instead, explain more what you want and need to achieve for your environment? We don't have access to your system, so we don't know how it works, how people access it, what your application is, etc. If you're explicitly talking about bulk operations, then only those with permissions can do them; do you have those permissions enabled for the "average" user?

    Thom~

    Excuse my typos and sometimes awful grammar. My fingers work faster than my brain does.
    Larnu.uk

  • Thom A - Saturday, July 7, 2018 6:01 AM

    What is your question here exactly? Rather than giving us a tiny snippet of what you've been told, can you, instead, explain more what you want and need to achieve for your environment? We don't have access to your system, so we don't know how it works, how people access it, what your application is, etc. If you're explicitly talking about bulk operations, then only those with permissions can do them; do you have those permissions enabled for the "average" user?

    Further to Thom's good answer, limiting access to the critical information to a few trusted individuals is about the only option; if you can select the information in any way, shape or form, then you can export it.
    😎

    My thought is that if systems are not designed properly from the ground up, this is very hard to avoid. Think for example, an employee receives critical information for input for entry into a system, either by email or other means. What is there to prevent that employee from archiving the information? Or if someone can select the information in SSMS or any other SQL query tool, then exporting the data is no more than a copy/paste exercise.
    One of the methodologies is to encrypt the information and decrypt it in a trusted application layer which controls the decryption by the user's role. Trying to build such functionality as a bolt-on to a system is most often a futile exercise; hence it has to be incorporated in the design.

  • Sorry. Let me add more verbosity to it.

    This is an MSBI reporting tool.

    We consume information from an Oracle DB into our staging area using SSIS. Then we move that information into the data mart, again using SSIS. Then we process our cube (tabular).

    The users have reports (Excel ad-hoc reports and the usual SSRS reports). They access these reports through our SharePoint.

    1) They can extract several pieces of information using these Excel reports (according to the limits of Excel in terms of number of rows).
    2) There are no users that can connect directly to our cubes or DM and do BCP or other operations.

    Here is the request and some comments:

    • Do we allow bulk data export in MSBI? Not a standard functionality, but if users wanted they could use an ad-hoc report, pull in all attributes into the columns, and do an export to Excel. Excel would have some limitations of XXX rows per export.

    • If yes, is there an approval and audit trail available? (I guess I know the answer already…) No. But as of today, there are several other measures in place to avoid misuse of Finance data: 1) any user must have a company email address, 2) must order access to our application and be approved in SNOW, and 3) with DRM (Digital Rights Management), once in place likely by next year, this will prevent any sharing of Excel downloads outside the approved user group and prevent any sending of Excel files via email.

    I think it would be interesting to understand if someone has ideas about this.

    One of the ideas is that we should maybe have a data classification where, per attribute, we classify data as confidential, semi-confidential and non-confidential. The users that do not have permissions to see it would see the data as scrambled data.
    Do you have any additional ideas? Thank you.
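The controls raised in the thread so far (role-controlled access in a trusted application layer, per-attribute classification with masked values, and approval plus an audit trail for bulk exports) can be combined in one export gate. This is an added example, not code from any poster; the policy tables, role names, request id, row limit and sample rows are all constructed assumptions.

```python
from datetime import datetime, timezone

# Constructed policy data (assumptions for this example, not from the thread).
LEVELS = {"non-confidential": 0, "semi-confidential": 1, "confidential": 2}
CLASSIFICATION = {"cost_center": "non-confidential",
                  "vendor": "semi-confidential",
                  "amount": "confidential"}
CLEARANCE = {"analyst": "semi-confidential", "controller": "confidential"}
APPROVALS = {"REQ-001": "alice"}   # approved request id -> user it was granted to
BULK_ROW_LIMIT = 2                 # more rows than this is a bulk export (small for the demo)
MASK = "***"
AUDIT_LOG = []                     # stand-in for an append-only audit table

SAMPLE_ROWS = [                    # constructed sample data
    {"cost_center": "CC10", "vendor": "Acme", "amount": 1200},
    {"cost_center": "CC20", "vendor": "Globex", "amount": 560},
    {"cost_center": "CC30", "vendor": "Initech", "amount": 98},
]


def mask_row(row, role):
    """Mask every attribute classified above the role's clearance.

    Unknown roles get the lowest clearance and unclassified columns are
    treated as confidential, so gaps in the policy fail closed.
    """
    clearance = LEVELS[CLEARANCE.get(role, "non-confidential")]
    return {col: val if LEVELS[CLASSIFICATION.get(col, "confidential")] <= clearance
            else MASK for col, val in row.items()}


def export(user, role, rows, approval_id=None):
    """Return masked rows; a bulk export needs an approval issued to this user."""
    bulk = len(rows) > BULK_ROW_LIMIT
    allowed = not bulk or APPROVALS.get(approval_id) == user
    # Every attempt is recorded, including the refused ones.
    AUDIT_LOG.append({"ts": datetime.now(timezone.utc).isoformat(),
                      "user": user, "role": role, "rows": len(rows),
                      "bulk": bulk, "approval_id": approval_id, "allowed": allowed})
    if not allowed:
        raise PermissionError("bulk export requires an approved request")
    return [mask_row(row, role) for row in rows]
```

A gate like this only governs exports that pass through it; as the replies point out, a user who can select the underlying data by any other route is not constrained by it.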

  • river1 - Saturday, July 7, 2018 9:57 AM

    Sorry. Let me add more verbosity to it.

    This is an MSBI reporting tool.

    We consume information from an Oracle DB into our staging area using SSIS. Then we move that information into the data mart, again using SSIS. Then we process our cube (tabular).

    The users have reports (Excel ad-hoc reports and the usual SSRS reports). They access these reports through our SharePoint.

    1) They can extract several pieces of information using these Excel reports (according to the limits of Excel in terms of number of rows).
    2) There are no users that can connect directly to our cubes or DM and do BCP or other operations.

    Here is the request and some comments:

    • Do we allow bulk data export in MSBI? Not a standard functionality, but if users wanted they could use an ad-hoc report, pull in all attributes into the columns, and do an export to Excel. Excel would have some limitations of XXX rows per export.

    • If yes, is there an approval and audit trail available? (I guess I know the answer already…) No. But as of today, there are several other measures in place to avoid misuse of Finance data: 1) any user must have a company email address, 2) must order access to our application and be approved in SNOW, and 3) with DRM (Digital Rights Management), once in place likely by next year, this will prevent any sharing of Excel downloads outside the approved user group and prevent any sending of Excel files via email.

    I think it would be interesting to understand if someone has ideas about this.

    One of the ideas is that we should maybe have a data classification where, per attribute, we classify data as confidential, semi-confidential and non-confidential. The users that do not have permissions to see it would see the data as scrambled data.
    Do you have any additional ideas? Thank you.

    You state here that some users have Excel Ad-Hoc query functionality - if this is indeed the case then there is no limit to the amount of data they can export other than security blocking particular columns/rows from being read.
    Reason for this is that although Excel has a limit of rows it can load onto a spreadsheet there is nothing preventing the user from exporting directly to a text file unless you also completely remove the VBA functionality from those users. 
    Even at that if the user has the ad-hoc access then that means that he can access the DB directly so disabling is a moot point unless you also disable/block a lot more.

  • frederico_fonseca - Sunday, July 8, 2018 1:17 AM

    You state here that some users have Excel Ad-Hoc query functionality - if this is indeed the case then there is no limit to the amount of data they can export other than security blocking particular columns/rows from being read.
    Reason for this is that although Excel has a limit of rows it can load onto a spreadsheet there is nothing preventing the user from exporting directly to a text file unless you also completely remove the VBA functionality from those users. 
    Even at that if the user has the ad-hoc access then that means that he can access the DB directly so disabling is a moot point unless you also disable/block a lot more.

    If the user has the PowerPivot add-in for Excel, then there are practically no limits to the number of rows the user can export.
    😎

  • Eirikur Eiriksson - Sunday, July 8, 2018 1:53 AM

    If the user has the PowerPivot add-in for Excel, then there are practically no limits to the number of rows the user can export.
    😎

    In other words, if you want to prevent the user from downloading more than they should, they must not have access. Instead, PROVIDE them only with the reports they need. 😉

    --Jeff Moden


    RBAR is pronounced "ree-bar" and is a "Modenism" for Row-By-Agonizing-Row.
    First step towards the paradigm shift of writing Set Based code:
    ________Stop thinking about what you want to do to a ROW... think, instead, of what you want to do to a COLUMN.

    Change is inevitable... Change for the better is not.

