Register now to learn Fabric in free live sessions led by the best Microsoft experts. From Apr 16 to May 9, in English and Spanish.
Power BI community, we’ve just purchased our premium license to Power BI, and we’re running in to some security issues which are highly confusing. The specific tests were doing:
The behaviors we’re seeing are:
Last and not least - we flip the workspace from members having "Members can edit Power BI content" to them only having read only access. When we do this - our test user is no longer able to log in to the workspace at all - he gets the "you must upgrade to pro" message immediately. And he's unable to see the data set through Power BI desktop. I thought purchasing Premium was supposed to allow non-pro users to see the content. If not, why are we paying for this?
Just trying to understand the behavior we’re seeing - it's very confusing.. Thanks in advance for any help!
Scott
Solved! Go to Solution.
Hi GilbertQ,
all of these tests were performed using a free (non-pro) user. Haven't gotten to testing the pro users yet!
Thanks!
Scott
Hi Gilbert, not sure how to answer "are other questions working as expected". I think if I boil down my test cases, it comes out to a couple of fundamental principles I just don't understand:
- Edit vs. Read Only membership - I expect "Read Only" membership to allow users to see reports and data sets, but not change / delete / add new ones. I expect "edit" membership to allow them to change/delete/add. This appears not to be the case - if the workspace is "read only" for members, then in Power BI desktop they can't even see the datasets using the get data "From Power BI Service" option. But if workspace is set to "edit" they can. So it seems that "Edit" vs. "Read Only" is not just controlling the read/writeability - it's actually removing access completely when set to read only?
- Power BI Desktop vs. Web interface - I expect permissions to work the same in the desktop tool vs. in the web interface, but this also appears not to be the case. With workspace membership set to "edit", a non-pro user in Power BI desktop can use the dataset with "get data from Power BI service", create a new report, and then publish that report into the workspace. But through the web interface, a non-pro member can't click on a dataset and choose "create report".
I'm at a loss how to explain this to end users...it should be very simple, rules like "read only access means you can read only and not change", and "non-pro users can't publish, pro users can". But both of these statements are demonstrably false, and in ways that don't make sense to any logic I can see.
I'm hoping there is some simple "point of view" that once pointed out to me, this will all magically make sense. But my current suspicion is that things just don't make any sense, and I'm going to be stuck trying to train users on things that contradict themselves.
Sorry, not intending to rant...but how hard can this be?
Thanks,
Scott
Hi Gilbert, your way is a much better way to think about it - but we have three user groups, not two:
1. Consumers - who should be able to just consume predefined reports and dashboards. We'll set these up as non-pro users with access to Power BI applications
2. Data Analysts - aka pro users, with the ability to author reports and dashboards, and create new datasets and/or modify existing data sets
3. Data explorers. This is the part where I don't have a good answer. We want these users to be able to use data sets defined by others (i.e. no ability to update data sets), but to create their own reports as they browse. I'd also prefer if they couldn't write overtop of other people's reports. Right now, if we give them "edit" access to a workspace they can overwrite or delete other peoples reports. I'm unsure how to satisfy what we'd like to do
It's the data explorers I'm really stuck on how to help. I really appreciate your input - any ideas? Thank you for taking the time to respond to these!
Scott
I think (???) the direction we may go is to have the data explorers actually get Power BI desktop but not a pro license, and then ask them to use the "Get data from Power BI service" to connect to the models...but ask them not to publish anything in the service. Unfortunately, as members of the workspace, if the workspace is set to "edit" then the explorers could overwrite the golden data sets. And if the workspace is set to read only, then they can't see it at all.
Hopefully MS comes up with more granular ways to control security soon.
Thanks again for your help and ideas! I really appreciate it!
Scott
Hi there
Yeah it is a bit tricky at the moment, but I know that they are working on getting a better enterprise experience.
Hi Gilbert, have you seen any timelines on how far away "improved enterprise experience" is? Sometime soon, or are will still months / years away?
Thanks!!!
Scott
Fair enough, thanks for the info!
Scott
Covering the world! 9:00-10:30 AM Sydney, 4:00-5:30 PM CET (Paris/Berlin), 7:00-8:30 PM Mexico City
Check out the April 2024 Power BI update to learn about new features.