cancel
Showing results for 
Search instead for 
Did you mean: 
Reply
TanujBI
Regular Visitor

Automate Permission Management in Power BI Report Server (May 2020)

Hi Team,

 

I am new to powerbi as well as to their API's and looking for help/guidance to automate the permission management. My requirement is to provide the access to the Windows user comming from AD to one of the report specific folder when published in the Report server. Is it possible?

 

I also looked into API's but do not know which one to use (https://app.swaggerhub.com/apis/microsoft-rs/PBIRS/2.0 )?

 

Many thanks in advance for all the help.

1 ACCEPTED SOLUTION
d_gosbell
Super User II
Super User II

I think you'd probably use https://app.swaggerhub.com/apis/microsoft-rs/PBIRS/2.0#/Folders/SetFolderPolicies but it's probably also easier to use the Powershell tools than to call the REST endpoint directly.

 

However it depends what the logic is to map the user to a folder. I tend to avoid adding individual users to folder permissions if at all possible and instead we get AD groups created and add the group to the folder permissions. Then everyone in a given department or team just needs to be added to that AD group and they get access to all the reports they need. It's usually much easier than assigning permissions to individual users and if someone moves teams/departments it's just a matter of removing them from one group and adding them to another in AD.

View solution in original post

3 REPLIES 3
d_gosbell
Super User II
Super User II

I think you'd probably use https://app.swaggerhub.com/apis/microsoft-rs/PBIRS/2.0#/Folders/SetFolderPolicies but it's probably also easier to use the Powershell tools than to call the REST endpoint directly.

 

However it depends what the logic is to map the user to a folder. I tend to avoid adding individual users to folder permissions if at all possible and instead we get AD groups created and add the group to the folder permissions. Then everyone in a given department or team just needs to be added to that AD group and they get access to all the reports they need. It's usually much easier than assigning permissions to individual users and if someone moves teams/departments it's just a matter of removing them from one group and adding them to another in AD.

View solution in original post

Hi @d_gosbell ,

 

Many thanks for the suggestion. I ended up using the Powershell tools to complete my requirement to have permission automatically assigned (used Grant-AccessOnCatalogItem.ps1).

 

Now comming to assigning permission using groups, my organization policy did not allow me to have a group owner membership so that I can add the members on my will [need to create a ticket to IT Team for this]. In order to have a workarround, I have written Powershell script to create a local group in VM and assign permission to the Powerbi report folder as well as SQL. Do you think while creating local security group there is some security issue?

 

Would be waiting for your reply and once again thanks :).


@TanujBI wrote:

Do you think while creating local security group there is some security issue?

 


I don't think so. The main issues with local groups is that you can only use them on the one server and they can't be centrally managed. 

 

We worked with our IT dept on this and now if people need access to reports they raise an IT ticket and the help desk assigns them to the group. We use a specific prefix for reporting groups and this works well for us, but obviously it depends on how easy it is to engage with your IT team.

Helpful resources

Announcements
PBI User Groups

Welcome to the User Group Public Preview

Check out new user group experience and if you are a leader please create your group!

MBAS on Demand

Microsoft Business Applications Summit sessions

On-demand access to all the great content presented by the product teams and community members! #MSBizAppsSummit #CommunityRocks

Get Ready for Power BI Dev Camp

Power BI Dev Camp - June 24th

Mark your calendars and join us for our next Power BI Dev Camp!