Hi GilbertQ,

all of these tests were performed using a free (non-pro) user. Haven't gotten to testing the pro users yet!

Thanks!

Scott

Hi Gilbert, not sure how to answer "are other questions working as expected". I think if I boil down my test cases, it comes out to a couple of fundamental principles I just don't understand:

- Edit vs. Read Only membership - I expect "Read Only" membership to allow users to see reports and data sets, but not change / delete / add new ones. I expect "edit" membership to allow them to change/delete/add. This appears not to be the case - if the workspace is "read only" for members, then in Power BI desktop they can't even see the datasets using the get data "From Power BI Service" option. But if workspace is set to "edit" they can. So it seems that "Edit" vs. "Read Only" is not just controlling the read/writeability - it's actually removing access completely when set to read only?

- Power BI Desktop vs. Web interface - I expect permissions to work the same in the desktop tool vs. in the web interface, but this also appears not to be the case. With workspace membership set to "edit", a non-pro user in Power BI desktop can use the dataset with "get data from Power BI service", create a new report, and then publish that report into the workspace. But through the web interface, a non-pro member can't click on a dataset and choose "create report".

I'm at a loss how to explain this to end users...it should be very simple, rules like "read only access means you can read only and not change", and "non-pro users can't publish, pro users can". But both of these statements are demonstrably false, and in ways that don't make sense to any logic I can see.

I'm hoping there is some simple "point of view" that once pointed out to me, this will all magically make sense. But my current suspicion is that things just don't make any sense, and I'm going to be stuck trying to train users on things that contradict themselves.

Sorry, not intending to rant...but how hard can this be?

Thanks,

Scott

Hi Gilbert, your way is a much better way to think about it - but we have three user groups, not two:

1. Consumers - who should be able to just consume predefined reports and dashboards. We'll set these up as non-pro users with access to Power BI applications

2. Data Analysts - aka pro users, with the ability to author reports and dashboards, and create new datasets and/or modify existing data sets

3. Data explorers. This is the part where I don't have a good answer. We want these users to be able to use data sets defined by others (i.e. no ability to update data sets), but to create their own reports as they browse. I'd also prefer if they couldn't write overtop of other people's reports. Right now, if we give them "edit" access to a workspace they can overwrite or delete other peoples reports. I'm unsure how to satisfy what we'd like to do

It's the data explorers I'm really stuck on how to help. I really appreciate your input - any ideas? Thank you for taking the time to respond to these!

Scott

I think (???) the direction we may go is to have the data explorers actually get Power BI desktop but not a pro license, and then ask them to use the "Get data from Power BI service" to connect to the models...but ask them not to publish anything in the service. Unfortunately, as members of the workspace, if the workspace is set to "edit" then the explorers could overwrite the golden data sets. And if the workspace is set to read only, then they can't see it at all.  

Hopefully MS comes up with more granular ways to control security soon.

Thanks again for your help and ideas! I really appreciate it!

Scott

Hi Gilbert, have you seen any timelines on how far away "improved enterprise experience" is? Sometime soon, or are will still months / years away?

Thanks!!!

Scott

Fair enough, thanks for the info!

Scott