Power BI Custom Visuals: development, security, and updates

Hi folks,

I’m Daniele, creative designer and web developer.
In this shiny new blog, my teammates from SQLBI and I will publish insights and news about Microsoft Power BI and custom visual development.

Just a moment, you know what a custom visual is, right?
No? Well, let’s start from here…

What is a custom visual?

In Power BI, there are several built-in components, such as different kinds of charts, tables and maps. You can drag these components onto the canvas area and use them to build beautiful reports. Those components are called visuals.
A custom visual is simply a component not included among the native visuals in Power BI. Anyone can create custom visuals using the specific API, extending the native features available in Power BI. More importantly, you can add custom visuals created by other developers to your own report, and Microsoft provides a public repository in the Power BI Visuals Gallery.

Is it so simple to create and publish new visuals? Not really, because custom visuals are subject to some security restrictions and to review and approval by the Power BI team before they can be published in the Power BI Visuals Gallery.
To go deeper on the topic, take a look at this article.

What is the story about OKViz and custom visuals?

In the past year, we fell in love with Power BI and saw its potential, even though it was at an early stage. So, with the Microsoft Best Visual Contest of 2015, we started to build some custom visuals that became hugely popular. One of these, the Bullet Chart, won the People Choice award, and another one, the Synoptic Panel, won the first prize of the contest.
Thereafter, we put all these activities under the OKViz brand, a spin-off of SQLBI.

But all that glitters is not gold. In the following months, because of the youth of the platform, users of our visuals encountered annoying issues at nearly every Power BI update. Most of these errors could not even be anticipated by the developers (us).

So what? Should I use custom visuals in my company reports, or not?

The previous situation is now changing.
Microsoft just released a new – not yet complete – better documented API for development of custom visuals, so you can expect more stable components in the near future (we hope so).

Anyway, there are some things you should care about when using third-party visuals in your reports:

  • Security
  • Updates

Are custom visuals secure?

Take a step back.
Power BI (both service and desktop) is based on a web browser rendering engine. So every chart and table is made of a mix of HTML, SVG, JavaScript, and CSS. A custom visual does not differ too much from native visuals, except that it runs inside an Inline Frame (iframe). This is an important security restriction: it prevents a custom visual from accessing other charts in the report.
However, this is not enough to protect the data that you explicitly bind to the component itself, if you cannot read the component’s source code and/or you do not trust its developer.

The Power BI Visuals Gallery seems to be the key.
If you use a custom visual that exists in the gallery, you should be safe, because Microsoft has already performed security checks for you.
What happens if the component does not come from the gallery? There is an automatic security enforcement called the sandbox.

Because it is not publicly documented, we ran some internal tests to verify the limits that it imposes. One of the most remarkable findings is that sandboxed visuals can communicate with remote URLs. Lovely… or not?

From a certain point of view, this is expected behavior: a company that uses custom visuals developed internally (which cannot be in the public Power BI Gallery) should be able to communicate with its intranet services.
However, on the other side, a risk exists: dishonest developers could steal your data or just profile you.
So, be careful!

Please note that our components (including the ones that are not published in the gallery) do not steal or analyze your data (and never will). Some telemetry might just record how frequently features are used. You can verify this statement by simply using an HTTP(S) traffic sniffer like Fiddler.
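
One way to carry out the traffic check described above, as an added example (not OKViz or Microsoft code): export the captured session as a HAR file, which Fiddler can do, and list every host outside an allowlist together with the amount of data sent to it. The allowlist, the hostnames and the sample capture are constructed for illustration.

```javascript
// Added example: flag requests in a HAR capture that leave an allowlist.
// ALLOWED_SUFFIXES and SAMPLE_HAR are constructed for illustration.
const ALLOWED_SUFFIXES = ['powerbi.com', 'intranet.example'];

// Suffix match on a label boundary, so "notpowerbi.com" is not treated as allowed.
function hostAllowed(host, suffixes = ALLOWED_SUFFIXES) {
  const h = host.toLowerCase();
  return suffixes.some((s) => h === s || h.endsWith('.' + s));
}

// Bytes a request can carry out: body plus query string (GET beacons use the latter).
function outboundBytes(request, url) {
  const text = (request.postData && request.postData.text) || '';
  // HAR uses bodySize -1 (or omits it) when the size is unknown; fall back to the text.
  const body = request.bodySize >= 0 ? request.bodySize : Buffer.byteLength(text, 'utf8');
  return body + Buffer.byteLength(url.search.slice(1), 'utf8');
}

// Returns one finding per non-allowlisted host, largest outbound volume first.
function auditHar(har, suffixes = ALLOWED_SUFFIXES) {
  const byHost = new Map();
  for (const { request } of har.log.entries) {
    let url;
    try { url = new URL(request.url); } catch (e) { continue; } // skip malformed URLs
    if (!['http:', 'https:', 'ws:', 'wss:'].includes(url.protocol)) continue; // data:, blob:
    if (hostAllowed(url.hostname, suffixes)) continue;
    const f = byHost.get(url.hostname) ||
      { host: url.hostname, requests: 0, bytesOut: 0, cleartext: false, methods: [] };
    f.requests += 1;
    f.bytesOut += outboundBytes(request, url);
    f.cleartext = f.cleartext || url.protocol === 'http:' || url.protocol === 'ws:';
    if (!f.methods.includes(request.method)) f.methods.push(request.method);
    byHost.set(url.hostname, f);
  }
  return [...byHost.values()].sort((a, b) => b.bytesOut - a.bytesOut);
}

// Constructed capture: one Power BI request and three calls to made-up vendor hosts.
const SAMPLE_HAR = { log: { entries: [
  { request: { method: 'GET', url: 'https://app.powerbi.com/reports/1', bodySize: 0 } },
  { request: { method: 'POST', url: 'https://telemetry.vendor.example/collect',
               bodySize: 18, postData: { text: '{"feature":"zoom"}' } } },
  { request: { method: 'GET', url: 'http://cdn.vendor.example/t.gif?rows=Contoso%2C1200',
               bodySize: 0 } },
  { request: { method: 'POST', url: 'https://telemetry.vendor.example/collect',
               bodySize: -1, postData: { text: 'region=EMEA&total=98431' } } },
] } };

console.table(auditHar(SAMPLE_HAR));
```

Counting the query string matters because a visual can send bound values in a GET request with no body at all; the size figures are a triage aid, and the request contents still need to be read.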

What about the custom visuals update?

The update of these components is a critical point.
Recently Microsoft introduced a nifty, but risky, new feature: automatic updates for custom visuals released in the gallery.
How does it work? Simply, when a new version of a visual is available in the Power BI Gallery, all the reports using other versions (published online in the Power BI Service or local PBIX files on computers connected to the Internet) are updated. Automagically.
Sounds good, right? Quite good…

Consider the following case: a user finds a new, severe bug in your visual. He reports it to you, and you fix the code as soon as possible. Then what? You cannot send the new version directly to him, because Power BI would downgrade it until the new version appears in the Power BI Gallery. Therefore, you have to send it to Microsoft and wait for its review.

And what happens if you want to update custom visuals that are not in the gallery (a common case with components built internally in a company)?
You have to do it manually, for every single report. Ouch!

In conclusion

Power BI and custom visuals are very interesting technologies. We love them, and we tolerate their flaws because they are in constant evolution.

In the next few weeks we will migrate all our visuals to the new API. Just subscribe here to be updated, or come back soon!