This is the third blog in the series Transform a local into a global Power BI solution. After covering the general differences between small-scale and enterprise solutions, and last week's post on content sharing, it is time for a new topic. Previously we talked about how content should be shared; now we will talk about how people can request access to your content. In this blog I will describe the different ways of requesting access and how you can customize some aspects.
Request access in the Power BI Service
When we look at the Power BI ecosystem, we can identify a number of different artifacts: for example, dataflows, datasets, reports, dashboards and many derivatives. As I explained in the previous post, the best practice for sharing content is through a Power BI App, which includes a list of users or an Active Directory group containing multiple users. With that, the content becomes available after publishing to those who are granted access. However, it can happen that one of the users shares the link with other users who do not have access to the content. As a property of the Power BI App, you can allow users to share the app and underlying dataset with share permissions. When working with sensitive data, though, this might not be what you are looking for, as you might lose control over who has access.
Request access to reports and dashboards
When a user tries to open a link to content that he or she does not have access to, they will get a prompt asking if they want to request access from the content owner. This prompt allows the requestor to enter a short message which will be added to the request. However, this only applies to shared reports and dashboards.
The content owner will receive a mail and can easily approve or reject the request accordingly, as well as review existing access in the manage permissions settings in the Power BI Service. Full documentation on this way of requesting and granting access can be found here: Request or grant access to dashboards or reports – Power BI | Microsoft Docs
Request access to Power BI App
Requesting access to a published Power BI App works almost identically to what is described above for reports and dashboards. The same pop-up window will appear, where a message can be attached to the request. There is one difference, though: the open requests for Power BI Apps appear in a different location, which is, reasonably enough, the App settings.
As an owner of the Power BI App, you will still receive the mail with the request. But in the Power BI Service you have to click the “update app” button to discover pending requests in the permissions tab. App permissions are not managed through the manage permissions menu of each workspace artifact.
Request build permissions to datasets
So far, I explained how you can request access to end products, being reports, dashboards and apps. But datasets have not yet been discussed. Requesting access to a dataset specifically can be beneficial when you want to allow your users to build new reports on top of your dataset. You can grant these permissions in different locations in the Power BI Service.
- Manage Permissions for datasets in the Power BI Service, and explicitly grant Build permissions for users to a dataset.
- Allow users to share the Power BI App and app’s underlying dataset using the share permission while publishing a Power BI App.
- Explicitly request build permissions from the Power BI datasets hub, only applicable for discoverable datasets. (Another episode in this blog series will deep dive in discoverability of datasets)
Requesting build permissions will result in a similar window where a message can be added to send to the dataset owner. By approving the request, the user will be added in the Manage Permissions as a named user with appropriate permissions. However, in case your permissions are managed through Identity Management tooling or Active Directory groups, you might want to follow a slightly different process to grant build permissions.
Customize request build permissions for datasets
Recently, Microsoft introduced a new option to customize the request access dialog for datasets. This is a useful feature in case you want to follow a different process than sending out the default mail to the dataset owner. As a workspace Admin, Member or Contributor, you can configure the specific request access options in the dataset settings.
The user requesting access will get the specific message as configured when they want to request build permissions. This feature will help users to navigate to your identity access management tool and request access following the organizational processes. With that, you will get and keep a single place to manage all permissions, for example through Active Directory groups rather than based on named users.
How does this relate to local and global solutions?
So far, we have seen nice features in Power BI to request access to content or even customize the request. But how does this relate to growing a local solution into a global enterprise solution? Typically in larger organizations, identity access management tooling is used to manage permissions across different applications and systems in the organization. Expensive tools and processes like this get less priority in smaller organizations. Knowing that, it is more likely for larger organizations to manage permissions to your Power BI content through Active Directory groups, instead of granting permissions to named users.
Also, in large enterprise organizations, employees might switch roles over time within the same organization. As a result, their access to specific content might need to be restricted or extended. When permissions are managed through identity access management tooling, it is very common that this system is connected with HR systems. As soon as an employee switches position, the employee will be granted access to related roles and removed from roles related to his prior assignment.
The ability within Power BI to manage access through Active Directory groups helps to connect Power BI to certain identity access management tools. However, with the default request access feature, there is a risk that simply approving access results in adding named users to the permissions instead of managing them following organizational processes and tools. Changing the request access message in your dataset will help users to request access in the right tool and following the process designed for it.
Though, today (July 2021) the custom request access messages are only possible with build permissions in datasets. I truly believe this is a great enhancement that should be available for any type of sharing, being direct share, apps etc.
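One way to check for the risk described above, where approved requests leave named users in the dataset permissions instead of Active Directory groups, is to audit a permissions export. The following is an added example, not part of the original post: the record shape, field names and access-right values are assumptions modelled on the dataset-users response of the Power BI admin REST API, and the sample data is constructed.

```python
import json

# Constructed sample export, one record per principal on a dataset.
# Field names and values are assumptions modelled on the dataset-users
# response of the Power BI admin REST API; adapt them to your own export.
SAMPLE_EXPORT = json.loads("""[
 {"dataset":"Sales","identifier":"sg-sales-builders","principalType":"Group","datasetUserAccessRight":"ReadExplore"},
 {"dataset":"Sales","identifier":"owner@contoso.example","principalType":"User","datasetUserAccessRight":"ReadWriteReshareExplore"},
 {"dataset":"Sales","identifier":"alice@contoso.example","principalType":"User","datasetUserAccessRight":"ReadExplore"},
 {"dataset":"Sales","identifier":"Bob@contoso.example","principalType":"User","datasetUserAccessRight":"ReadReshare"},
 {"dataset":"Finance","identifier":"carol@contoso.example","principalType":"User","datasetUserAccessRight":"Read"},
 {"dataset":"Finance","identifier":"sg-finance-readers","principalType":"Group","datasetUserAccessRight":"Read"}
]""")

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


def classify(access_right):
    """Map an access-right string to (severity, reason) for a named user."""
    if "Reshare" in access_right:
        return "high", "named user can reshare, so access can spread further"
    if "Explore" in access_right:  # assumption: 'Explore' denotes Build
        return "medium", "named user holds Build permission directly"
    return "low", "named user holds read access outside a group"


def audit(records, approved_users=()):
    """Return findings for user principals that are not approved exceptions."""
    approved = {u.lower() for u in approved_users}
    findings = []
    for rec in records:
        if rec.get("principalType") != "User":
            continue  # group-based grants follow the IAM process
        ident = rec["identifier"].lower()
        if ident in approved:
            continue  # e.g. the dataset owner
        severity, reason = classify(rec.get("datasetUserAccessRight", ""))
        findings.append({"dataset": rec["dataset"], "user": ident,
                         "severity": severity, "reason": reason})
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f["severity"]],
                                           f["dataset"], f["user"]))


if __name__ == "__main__":
    for f in audit(SAMPLE_EXPORT, approved_users=["owner@contoso.example"]):
        print(f"{f['severity']:<6} {f['dataset']:<8} {f['user']:<24} {f['reason']}")
```

Each finding is a candidate for moving the user into the matching group through the identity access management process and then removing the direct grant.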