Hello Data Savvy people! I was hoping you could help or confirm my concerns on the below situation...
With the recent Power BI Desktop and Service updates it looks like we now have access to Shared and Certified Datasets which looks to have brought over new security provisioning in the service. I noticed all previously shared reports now have "Read, Build" permissions granted automatically to their datasets. Immediately I disabled the new Shared Dataset feature and removed the build permissions on all of my datasets so I could vet what should and should not be shared. Interestingly enough, it was noticed that a previous report, one which users export summary data from, no longer worked in that regard. I found that the EXPORT DATA from a visualization's More Options(...) feature looks to be tied to this BUILD permission on the dataset. I bring this up because in some cases sharing SUMMARIZED data is fine for my customers but sharing with them the underlying data may NOT be ok. Now, if I wanted to turn on the Shared & Certified dataset feature these users would have access to start Power BI reports of their own from this dataset and potentially see sensitive information before aggregations.
Is there a way to go about setting this up to allow for the exporting of summary data from a report visualization without granting users build permissions on a dataset, basically allowing them to start new reports and see underlying data?
Thank you for the suggestion to implement Apps as an additional layer but this still does not solve my security concern. I am able to share through an App but the Export Data Option for a visual still requires the BUILD permissions assigned to the user on the dataset to work. If I have this permission granted and the tenant setting "Use datasets across Workspaces" enabled then the user could simply start a new Power BI report in Power BI Desktop, source this dataset, and see the underlying data.
Why does the report allow us to specify the export of summary OR export of underlying data if this new "Use datasets across workspaces" feature is just going to circumvent that by allowing users to pull the datasets into Power BI desktop regardless?
So what you are saying is that in the NEW Workspace Experience what I have experienced with the Security is the expected result. However, if I were to create a classic workspace this would be mitigated by working as designed prior to this update?
I have the same concern and challenge as the OP, that the current setup of Build Permission is too extensive and need to find a middle ground in terms of data access permission. What I (and I assume others) need is a middle configuration where users cannot build new reports on the dataset, cannot use the Analyze-in-Excel function (same as building new reports), but can still use Export to Excel based on pre-configured visuals. This way the developer can control what data granularity is available to the consumers.
This ties in to existing requests to disable the Analyze-in-Excel feature specifically, and now expands into the broader scenario of Build Permission and shared datasets.
Who signed off on having build permissions as a requirement for exporting data? Now in order for someone to have a basic functionality that has been there since launch (exporting) we only need to grant them access to the entire dataset. That defeats the entire point of sharing a report and not a dataset. Well done MS.