We embed a Power BI dashboard in a site. We currently protect some tables using RLS. There are however some tables that also contains data not everyone may see, but we cannot protect using a simple DAX expression.
My question is whether this data is secure as long as we don't expose any component in the dashboard that displays this data? Or is there maybe a way for someone to get around the components and directly query the underlying dataset?
It depends how is this dashboard embedded. If you are using the JS client with the API, and the user who see the report has rights to edit or create, then it could change the report and access the data in the tables not currently exposed in the existing one. If the user has rights only to view it, then the data is safe.
So if you are using user owns data scenario, make sure that users has only view rights on the report. If you are using app owns data scenario, make sure the embed token is generated with view rights only (i.e. token access level is view).
Another option to access arbitrary data is the Q&A visual.
