Sensitivity labels, also called Microsoft Information Protection sensitivity labels, makes it possible to protect the sensitive data. At the time of writing this post, sensitivity labels can be applied in both Power BI Desktop (preview feature) and Power BI Service.
Sensitivity labels can be applied to datasets, reports, dashboards and dataflows. Sensitivity label is inherited from data source (Azure Synapse Analytics, and Azure SQL Database), inherited upon creating new content (dataset to reports and dashboards), and exporting data from Power BI to Excel / PDF / PowerPoint files.
Power BI allows the user to change sensitivity label later but the label will affect only the selected content. This means the label does not trickle down to the downstream contents. For datasets, its downstream items can be other datasets, reports and dashboards. For reports, its downstream items can be dashboards.
This has changed! Power BI service now supports downstream inheritance (in preview).
There are two modes to enable downstream inheritance – user consent, fully automated downstream inheritance. Power BI admin should decide which mode should be used across the tenant
In user consent (default mode), when the user applies the label they can choose whether to apply the label to downstream content.
When the “Apply this label …” checkbox is selected, the label will be applied to downstream content only after satisfying the following conditions
- The user should be authorized to change the sensitivity label of downstream items
- The user should have edit permission on the downstream items.
If the label applied on either dataset or reports should be automatically propagated to downstream items with out regard to the above permissions, then Power BI admin can turn on “Automatically apply sensitivity labels to downstream content (preview)” in Admin portal
It is important to note downstream inheritance NEVER
- Overwrites manually applied labels
- Overwrites labels on downstream content with less restrictive labels
- Applies beyond 80 items
This is a great improvement! It saves duplicate effort of applying the label across the downstream contents.
As I was trying this feature, I made two observations.
- “See the downstream items in lineage view” doesn’t show the downstream items rather it shows all upstream and downstream. Hope this will be fixed.
- If the sensitivity label should be removed, I don’t find a way to remove it across the downstream items.