Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Register now to learn Fabric in free live sessions led by the best Microsoft experts. From Apr 16 to May 9, in English and Spanish.

Reply
KarolisAusra
Frequent Visitor

Explicitly restrict access to a report for a chosen user group

‎03-05-2021 07:36 AM

Hello 👋 

 

In Power BI Service I can grant access to a report or workspace for certain users or user groups. That is fine.

But is there a possibility in Power BI Service to explicitly deny access for a certain security group (AD group) e.g. on report (or workspace) basis thus overruling/removing the granted access for persons who (also) happen to be members of the restricted group.

 

Here is a practical example of the above problem:

Some report owner shared the report with several persons without knowing, that some of the persons belong to a (AD) user group, which should not be allowed to see the report at all (it is not a question of rls - the user group should not be allowed to see / open the report in general).

 

Now if there would be a possibility to restrict access for a certain (AD) user group, the report owner (knowing that this group should not see the report), could add a restriction for this AD group, which would overrule/remove the personal access granted for all users who are (also) members of the restricted group. In that case the report owner does not have to worry about whether the user in question is a member of the restrictive group or not - this rule would automatically apply.

Furthermore, if a user was not a member of the restricted group at the time the report was created, but became a member of that group later on, his access would be removed automatically by the same rule (without any action taken by the report owner).

 

So comming back to my question - is this setup possible? (I could not find a way to restrict access in Power BI Service and I also did not find any similar post in the forum).

 

Thank you

Best regards

Karolis

 

Labels:
Message 1 of 4
1,051 Views
0
3 REPLIES 3
v-yangliu-msft
Community Support
Community Support

‎03-09-2021 12:58 AM

Hi  @KarolisAusra ,

 

Sorry, Power bi does not support this function for the time being. It can only be solved by removing the user's reshare permission fundamentally.

 

You can put forward your ideas in this URL, and people who have the same ideas can vote together:

https://ideas.powerbi.com/ideas/

 

Best Regards,

Liu Yang

If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.

Message 4 of 4
967 Views
0
KarolisAusra
Frequent Visitor

‎03-08-2021 01:40 AM

Hi Liu @v-yangliu-msft 

 

thank you for the prompt reply. But unfortunetaly this does not solve my issue, because I do want to let my report owners to decide to whom the reports should be shared. 

BUT: as the report owners are ordinary people who make mistakes, they may share a report to people, who (per definition of an AD-Group) should not be allowed to see the report (without the report owner knowing, that the person is a member of this AD group, or the report owner forgot to doublecheck etc. etc.). Even if the report owner does his job perfectly and doublechecks all users not to be a member of a certain AD-Group before sharing the report, this may change in future (so after X months, a person changes departments and becomes a member of this AD-Group X, which should not see the report!). As a result the person in question would still able to see the report (because the report is shared with him personally). 

 

So we need an option to define a "negative" list of AD-groups on report (or workspace) basis, telling Power BI Service to override all "positive" authorizations if they are conflicting with the "negative" list. So in our example if a report is shared with "John", but at the same time there is a restriction for the "department-c" AD-Group, and John becomes a member of the "department-c" AD-Group sometime later, then from the day he becomes a member of this group, he will not be able to see the report anymore due to the restriction (even though John is still on the "positive" list as well!). Please note, that the report owner did not have to worry about this and no one had to manage anything, other than just adding the restricted AD-group once after publishing. So this process is completely automatic.

So again back to my question - is there a possibility to add restrictions (restricted AD-groups or persons) on report or workspace level explicitly or to achieve this in any similar way?

Message 3 of 4
983 Views
0
v-yangliu-msft
Community Support
Community Support

‎03-08-2021 01:11 AM

Hi  @KarolisAusra ,

If you don’t want them to be free to share the report, you can do so.

 

Delete its sharing permission in the data set of the report:

1. Select a data set, click the ellipsis to find Manage permission

v-yangliu-msft_0-1615194666296.png

2. Remove reshare.

v-yangliu-msft_1-1615194666299.png

 

If you set its role as a contributor in the workspace, you cannot add members to the workspace and will not have sharing permissions:

v-yangliu-msft_2-1615194666301.png

 

Best Regards,

Liu Yang

If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.

Message 2 of 4
997 Views
0

Helpful resources

Announcements
Microsoft Fabric Learn Together

Microsoft Fabric Learn Together

Covering the world! 9:00-10:30 AM Sydney, 4:00-5:30 PM CET (Paris/Berlin), 7:00-8:30 PM Mexico City

PBI_APRIL_CAROUSEL1

Power BI Monthly Update - April 2024

Check out the April 2024 Power BI update to learn about new features.

April Fabric Community Update

Fabric Community Update - April 2024

Find out what's new and trending in the Fabric Community.

View All
Top Solution Authors
View All
Top Kudoed Authors
View All