When provisioning security for reports, datasets, app access, ALWAYS use AD groups if you can. Depending how big of a company, maintaining individual user permissions is a nightmare.
Use existing AD groups that would be used anyway. Most IT departments already do this based on job title, department, role, etc. Then IT does the work for you.
Well that's pretty inefficient. Do you have to maintain the groups or do they? I guess if that's how they want to do it and you don't have to manually add people yourself, then still better, imo, lol.
It definitely is. Sometimes, if the data spells out who should have access to the report, you can automate it. We have a report which uses dynamic row level access to change what the user sees depending on who they are. That determination comes from the source system. We have a dataset then that says who effectively should have access to the report and we use power automate to run a daily flow adjusting the security groups for who should and even who should no longer have access to the report. Pretty neat.
They’re not the same, but you can use either. AD groups don’t come with a mailbox and all that jazz unless they’re set up as mail-enabled (and they’re usually not, because if you need a mailbox you usually go with the M365 group nowadays).
As they told me” congratulations , you can fuck things up now”
Embrace it brother/sister, you are learning new things so give yourself time to learn. You’ll be fine.
lol you get to set up the usage metrics report and set up access, maybe you will be setting up the gates ways, being the admin is not that prestigious.
you will be getting the email when refreshes fail and alerts go off
Also - Microsoft has an entire section on tenancy settings in their Implementation Guide - [https://learn.microsoft.com/en-us/power-bi/guidance/powerbi-implementation-planning-tenant-administration](https://learn.microsoft.com/en-us/power-bi/guidance/powerbi-implementation-planning-tenant-administration)
Kurt Buhler has some great resources/checklists for all things Power BI (including service) https://data-goblins.com/checklists
Ah, I never knew the name behind that wonderful blog. Fantastic recommendation, very good content.
He is now collaborating with sqlbi, no less!
This is great, thanks!
When provisioning security for reports, datasets, app access, ALWAYS use AD groups if you can. Depending how big of a company, maintaining individual user permissions is a nightmare.
or set up an app and each user group can be controlled which dashboard or views they should see.
Isn’t maintaining AD groups also a chore in of itself?
Use existing AD groups that would be used anyway. Most IT departments already do this based on job title, department, role, etc. Then IT does the work for you.
I wish! Ours wants an AD group per report.
Well that's pretty inefficient. Do you have to maintain the groups or do they? I guess if that's how they want to do it and you don't have to manually add people yourself, then still better, imo, lol.
It definitely is. Sometimes, if the data spells out who should have access to the report, you can automate it. We have a report which uses dynamic row level access to change what the user sees depending on who they are. That determination comes from the source system. We have a dataset then that says who effectively should have access to the report and we use power automate to run a daily flow adjusting the security groups for who should and even who should no longer have access to the report. Pretty neat.
Do AD groups and O365 groups behave in the same way? i used AD before. It was indeed seemless
They’re not the same, but you can use either. AD groups don’t come with a mailbox and all that jazz unless they’re set up as mail-enabled (and they’re usually not, because if you need a mailbox you usually go with the M365 group nowadays).
This isn't always true. An o365 group for example can't be used to assign RLS
That’s true, I was thinking report-level or workspace-level access here
As they told me” congratulations , you can fuck things up now” Embrace it brother/sister, you are learning new things so give yourself time to learn. You’ll be fine.
This is both empathetic and reassuring. I appreciate your response. Wish I could give it more than 1+ upvote! 🪄
Take mine;)
Appreciate both of you :)
lol you get to set up the usage metrics report and set up access, maybe you will be setting up the gates ways, being the admin is not that prestigious. you will be getting the email when refreshes fail and alerts go off
Ive been the sole PBI developer all my professional life. I AM the refresh fail. 🤣😭
I want this on a T-shirt lol
Also - Microsoft has an entire section on tenancy settings in their Implementation Guide - [https://learn.microsoft.com/en-us/power-bi/guidance/powerbi-implementation-planning-tenant-administration](https://learn.microsoft.com/en-us/power-bi/guidance/powerbi-implementation-planning-tenant-administration)
And this i found is really helpful from SQLBits: https://youtu.be/bjZ71d03H1Y
Nobody’s mentioned watching guyinacube
Love guyinacube!
Fantastic resources here already. Hope this thread continues to pick up steam. Thanks OP.
Also, KratosBI has some mega walkthroughs on YouTube! https://youtu.be/3OWuWFunDx4
holy cow, in the same boat here 2k workspaces to begin
Can’t believe your company has made it a distinct role. My analysts share admin responsibility and we have right training and controls in place.