9.1.7 Ensure shareable links are restricted

Information

Creating a shareable link allows a user to create a link to a report or dashboard, then add that link to an email or another messaging application.

There are 3 options that can be selected when creating a shareable link:

People in your organization

People with existing access

Specific people

This setting solely deals with restricting the People in your organization option. External users are by default not included in any of these categories, and therefore cannot use any of these links regardless of the state of this setting.

The recommended state is Enabled for a subset of the organization or Disabled.

Rationale:

While external users are unable to utilize shareable links, disabling or restricting this feature ensures that a user cannot generate a link accessible by individuals within the same organization who lack the necessary clearance for the shared data. For example, suppose a member of Human Resources intends to share sensitive information with a particular employee or another colleague within their department. With this setting restricted, the owner is prompted to choose either People with existing access or Specific people when generating the link, so anyone clicking the link must first pass that access control list. This measure, along with proper file and folder permissions, can help prevent unintended access and potential information leakage.

Impact:

If the setting is Enabled for a subset of the organization, then only those specific people would be allowed to create general links viewable by the entire organization.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Restrict shareable links:

Navigate to Microsoft Fabric https://app.powerbi.com/admin-portal

Select Tenant settings.

Scroll to Export and Sharing settings.

Set Allow shareable links to grant access to everyone in your organization to one of these states:

State 1: Disabled

State 2: Enabled with Specific security groups selected and defined.

Important: If the organization doesn't actively use this feature, it is recommended to keep it Disabled.
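Because Nessus does not perform this check, the following added example (not part of the benchmark or of Tenable's plugin) evaluates the recommended state from a tenant-settings export. It assumes the field layout of the Fabric Admin tenant-settings API response (title, enabled, enabledSecurityGroups) and matches the setting by the portal title quoted above; the settingName value in the constructed samples is a placeholder.

```python
# Evaluate CIS 9.1.7 (shareable links restricted) from a tenant-settings JSON export.
from typing import Optional

# Setting title as shown under Export and Sharing settings (from the benchmark text).
SETTING_TITLE = "Allow shareable links to grant access to everyone in your organization"


def find_setting(tenant_settings: dict, title: str = SETTING_TITLE) -> Optional[dict]:
    """Locate the setting by its display title, ignoring case and surrounding space."""
    for item in tenant_settings.get("tenantSettings", []):
        if item.get("title", "").strip().lower() == title.lower():
            return item
    return None


def evaluate_9_1_7(tenant_settings: dict) -> tuple[str, str]:
    """Return (status, reason): PASS when Disabled or Enabled for specific security
    groups, FAIL when Enabled for the entire organization, UNKNOWN when absent."""
    setting = find_setting(tenant_settings)
    if setting is None:
        return "UNKNOWN", "setting not present in export"
    if not setting.get("enabled", False):
        return "PASS", "Disabled"
    groups = [g.get("name") or g.get("graphId", "?")
              for g in setting.get("enabledSecurityGroups", [])]
    if groups:
        return "PASS", "Enabled for specific security groups: " + ", ".join(groups)
    return "FAIL", "Enabled for the entire organization (default)"


def _sample(enabled: bool, groups: list) -> dict:
    """Constructed export in the assumed API shape; settingName is a placeholder."""
    return {"tenantSettings": [{
        "settingName": "PLACEHOLDER_SETTING_NAME",
        "title": SETTING_TITLE,
        "enabled": enabled,
        "canSpecifySecurityGroups": True,
        "enabledSecurityGroups": groups,
        "tenantSettingGroup": "Export and sharing settings",
    }]}


# Three constructed tenants: the default state, a restricted state, and Disabled.
SAMPLES = {
    "default": _sample(True, []),
    "restricted": _sample(True, [{"graphId": "00000000-0000-0000-0000-000000000001",
                                   "name": "PBI-Link-Sharers"}]),
    "disabled": _sample(False, []),
}

if __name__ == "__main__":
    for name, export in SAMPLES.items():
        status, reason = evaluate_9_1_7(export)
        print(f"{name:10s} {status:7s} {reason}")
```

A real export is obtained with an administrator token from the tenant-settings endpoint and passed to evaluate_9_1_7 in place of the constructed samples.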

Default Value:

Enabled for Entire Organization

See Also

https://workbench.cisecurity.org/benchmarks/15279

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2

Plugin: microsoft_azure

Control ID: 795530259660e54c608f89536547f9f7bb26c3ad5903636e6e477de63ead1c77