Solved: Re: what is the best security design to share dash...

henrywflaw · ‎09-18-2016

Hello guys, we are developing dashboards for individual department, for instance, one dashboard for sales departent, one for HR department, one for finance department, and one for planning department, etc. For each department, we allow the department head to view their departmental dashboard. However, the department head cannot see dashboard of other department. For the managment team, they are obviously eligible to view all department dashbords. We would like to see how a security design best fit for this requirement. We consider 2 options and please give us some advise which is best or bad. Or it may have option 3, 4, which I may not be aware of. Thank you.

Option 1 - Create O365 groups for each department and one for management group. Grant access to each dashboard to its department group and management group. Pros - easy management and easy understanding; cons - management team have a lots of dashboard in his/her dashboard list

Option 2 - Instead of create one dashboard one department, combine all reports to one big dashboards. That means one big dashboard and it has different reports for different departments. Use row-level security to control the access. Department A user can see dashboard of department A. However, even department A user can see the report for department B (because a big dashboard) but department A user has no row-level access so a blank department B report will show for department A user. Pros - one dashboard object for management team; cons - department user will have a big dashboard for all reports but most of reprot are blank becuase department user has right to see his/her department report only.

Option 3, 4 -????

ankitpatira · ‎09-18-2016

@henrywflaw

Option 3 - What I would do is create group workspace for each department only (not management) and add members of management to each of those groups. So you end up with 4 groups for each department and management can go to any group they want to see dashboard for. Obviously there is no clear do this or that answer here as it depends on your requirement.

Option 4 - Publish pbix file to one group workspace. Then in that group workspace create dashboards for each department and publish it as a content pack that is shared with People of each department ie create content pack HR with dashboard HR and report and dataset that is shared with people belonging to HR deparmtnent. Then those people go to their personal workspace -> Get Data -> My organisation -> Get content pack and they will only see HR content pack.

I think option 4 would suit best in my opinion to distribute dashboards and reports this way. RLS is also good as it means you have less development (less number of pbix) files to develop. You have one pbix file that gets published to one group workspace and everyone sees that depending on their access level.

There is no best / worst option here as it depends on your requirements / future roadmap and the approach you're most comfortable with.

View solution in original post

v-haibl-msft · ‎09-19-2016

I also prefer the option 4 provided by ankitpatira. It should be able to meet your requirements.

Best Regards,

Herbert

ankitpatira · ‎09-18-2016

@henrywflaw

Option 3 - What I would do is create group workspace for each department only (not management) and add members of management to each of those groups. So you end up with 4 groups for each department and management can go to any group they want to see dashboard for. Obviously there is no clear do this or that answer here as it depends on your requirement.

Option 4 - Publish pbix file to one group workspace. Then in that group workspace create dashboards for each department and publish it as a content pack that is shared with People of each department ie create content pack HR with dashboard HR and report and dataset that is shared with people belonging to HR deparmtnent. Then those people go to their personal workspace -> Get Data -> My organisation -> Get content pack and they will only see HR content pack.

I think option 4 would suit best in my opinion to distribute dashboards and reports this way. RLS is also good as it means you have less development (less number of pbix) files to develop. You have one pbix file that gets published to one group workspace and everyone sees that depending on their access level.

There is no best / worst option here as it depends on your requirements / future roadmap and the approach you're most comfortable with.

trebgatte · ‎09-18-2016

Do they have to use the same data model? One thing I advise organizations to consider is the use of many small data models instead of one big one for everyone. Reporting requirements change often and typically diverge between organizations. I'd personally lean toward Option 1. However, the use of groups requires a Power BI pro license for all users. You've not mentioned the licensing yet in your proposal so I thought I'd bring that up.

If you go the small focused model route, you can share each model directly with your target audience, without using Groups. This would allow the use of the free license.

Hopefully this gives you some ideas to consider.

Treb Gatte | Business Solutions MVP | Power BI Recordings | @tgatte | Blog

what is the best security design to share dashboard to individual dept head and management team

Helpful resources

Microsoft Fabric Learn Together

Power BI Monthly Update - April 2024

Fabric Community Update - April 2024