Access and Permissions For Power BI
Access and Permissions For Power BI
Table of Contents
1. Workspace Access and Roles.....................................................................2
2. App Permissions.........................................................................................3
3. Dataset Permissions...................................................................................5
4. Row-Level Security.....................................................................................5
5. Recommendation.......................................................................................6
6. Useful links.................................................................................................6
1. Workspace Access and Roles
Key notes:
Giving access to a workspace allows a user to see everything within the
workspace. End business users should not be given access to the workspace
itself (any environment).
In development and potentially the test workspace, developers should have
workspace level access.
To add or remove individuals or groups to a workspace, navigate to the access icon
on the top right corner of the workspace page and select access. Workspaces allow
you to assign roles to individuals, and to user groups such as security groups,
Microsoft 365 groups, and distribution lists.
If you have permission to grant access to other users, you will find the roles below:
2. App Permissions
Keynote: You can grant access to users for an App, but they don’t necessarily need
to have access to the workspace.
App access should be given to users and consumers of the data. By giving access to
an App, you can restrict access for users to only see a specific section or
department within the organization.
While creating an App, you can manage your audience, and for each audience
group, you may grant access to either all people in your organization or specific
users or groups. You can also expand the Advanced option to configure the
following:
Allow users to share the datasets in this app: This option gives app
consumers permission to share the app and underlying datasets of the app
audience.
Allow users to build content with the datasets in this app: This option
lets your app consumers create their own reports and dashboards based on
the app audience datasets.
You can also share the published app by selecting the Copy link button at the
bottom of the Setup page. That creates a shareable app link to share with your app
consumers
To further manage app access requests, you can find in the Apps list page, select
More Options (…) next to an app, then select manage permissions.
The Permission management page contains these tabs:
Direct access: Lists all the users who already have access to the app.
Pending access: Lists all pending requests.
3. Dataset Permissions
Permission Description
Read/App Allows user to access reports that read data from the dataset.
Allows user to build new content from the dataset, as well as find content that uses the
Build
dataset.
Allows user to share the content of the dataset with other users who will get read,
Reshare
reshare, or build permissions for it.
Write Allows user to view and modify dataset metadata.
Workspace Role
Admin Member Contributor Viewer
Read Yes Yes Yes Yes
Build Yes Yes Yes No
Reshare Yes Yes No No
Write Yes Yes Yes No
o When RLS isn't defined on the dataset, users with write, read, or build
permission on the dataset can read data from the dataset.
o When RLS is defined on the dataset:
- Users with only read or build permission on the dataset will not be
able to read data from the dataset unless they belong to one of its
RLS roles.
- Users with write permission on the dataset will be able to read
data from the dataset regardless of whether or not they belong to
any of its RLS roles.
4. Row-Level Security
Row-level security (RLS) with Power BI can be used to restrict data access for given
users. Filters restrict data access at the row level, and you can define filters within
roles. In the Power BI service, members of a workspace have access to datasets in
the workspace. RLS doesn't restrict this data access.
5. Recommendation
The recommendation for managing access and permissions within Power BI is by
using Security Groups. In that way you will be able to easily manage and control
access to users from different departments, groups, and hierarchy. As shown
previously in this document, you can assign a security group to a specific App,
workspace or even setup-up a RLS within the dataset for different security groups.
Users that will only consume data and not be part of development should be only
given access to Power BI APP.
Developers should be given access to the DEV workspace and potentially to TEST
and PROD workspaces.
6. Useful links
Create reports based on datasets from different workspaces - Power BI | Microsoft
Learn
Copy reports from other apps or workspaces - Power BI | Microsoft Learn
Control the use of datasets across workspaces - Power BI | Microsoft Learn
Intro to datasets across workspaces - Power BI | Microsoft Learn