Problem
What are the Power BI workspace permissions and roles and how are they used?
Solution
Power BI includes a complex security infrastructure that encompasses data level detail such as that used for Row Level Security (see these tips on Row Level Security in Power BI: 1) Power BI Table Based Row Level Security and 2) Power BI Row Level Security.
Row level security is maintained at the dataset level. Furthermore, APP permissions grant report consumers that ability to access a Power BI APP. In between these levels are the various workspace report level permissions which maintain various access paths to the workspace itself. However, these permissions are often not seen directly as many end users interact with a report via the APP; other users will connect directly to the report in the workspace.
Let us get started with seeing some examples of how workspace permissions work. However, before we get into the examples, you need to be sure to download the latest version of Power BI desktop. Additionally, we will be using the WideWorldImportersDW database as a basis for our data sources; this database can be downloaded from GitHub. If you need a refresher on bringing data into Power BI please see: Querying SQL Server Data with Power BI Desktop.
One initial caveat that should be noted is that the items we discuss are related to the "new" workspace experience that was implemented in early 2020. Be sure you have upgraded to the latest version of the Power BI service (which should happen automatically). Also, as we develop our methods for granting access and setting up permissions be sure to remember we are establishing a way to collaborate with our report and dashboard consumers.
Create New Workspace on Power BI Service
We will start with creating a new workspace on the Power BI Service.

Next, the workspace is named and then saved.

You will notice that during the workspace creation, no permissions are shown nor are any options really available except a default image and description along with a few advanced options, one of which is to fill in a workspace contact list. The list is used as a notification method if issues arise with the workspace.

Power BI Workspace Access
Now that the workspace is created, we can now review the permissions used in the workspace. You will need to select the desired workspace, then the ellipse, and finally Workspace Access.

Alternately, the Access pane can be opened by selecting the workspace and then clicking the Access button.

Initially, the content administrator / workspace creator is the only user that has a permission of Admin. However, others can be added.

Power BI Roles
As shown below, you can add users or groups (Active Directory or Distribution Lists) to the workspace, but simply starting to type the name of the user or group; Power BI will use Intellisense. In my example, I am adding the user named "test"; next, the role must be selected. Four roles are available:
- Viewer – This role provides read only access to workspace items. Read access does provide report / dashboard consumers the ability to not only view, but also interact with visuals. Interaction does not mean changing a visual. Also note that users in this view do not require a Pro License to view reports if the workspace is in Premium mode. Without Premium content a Pro License is required. (see this tip for some details on license details (Power BI: What I wish I knew when I started?).
- Contributor – This role can access and interact with reports and dashboards. Additionally, this role can create, edit, copy, and delete items in a workspace, publish reports, schedule refreshes, and modify gateways.
- Member – This role can access and interact with reports and dashboards. Additionally, this role can create, edit, copy, and delete items in a workspace, publish reports, schedule refreshes, and modify gateways. Finally, members of this role can also feature dashboards on the service, share items, allow others to reshare items, publish or republish and APP. This role is also able to add other users to the viewer or contributor role.
- Admin – This role can do all the functions above plus add and remove all users including other Admins.
A few other notes about the viewer role (and by default all the other roles inherit these features) include: 1) a user still can export the report to PDF, Power Point or print the report page 2) even though row level security is set at the dataset level, it still applies to users in the viewer role (even though they are unable to see the dataset). In addition to the above permissions, you would also require Build permissions on the Dataset in order to create a report from a workspace dataset or copy a report. We will discuss the Build permission late in this tip.

After entering the user email address or name, selecting the role, then clicking on Add, Power BI creates the user’s access attached to the appropriate role. In the below example the Test user now has viewer access to the workspace.

Clicking on ellipse next to the user allows for either the removal of a user or the ability to change the role for that user.

Power BI Permissions for Objects in the Workspace
Up to this point we focused on the permissions at the Workspace; now we will drop one level down and discuss permissions for the objects in the Workspace, including the new Build permission mentioned previously. Specifically, these permissions are set on the datasets. Specifically, two additional permissions exist at the dataset level 1) Reshare which allows for the user to share (or reshare) the dataset with other Power BI users and 2) Build which allows users to not only view the dataset, but also build their own reports based on that dataset. Build permissions are automatically granted to users within the Contributor, Member, or Admin roles set at the workspace level.
Alternately, Build and Reshare permissions can be assigned to individual users. To set these permissions, navigate to the desired workspace and then to the dataset list. Next, click the ellipse next to the workspace and select Manage permissions.

As shown on the Manage Permissions screen below, you will notice the users which were previously added to the workspace permissions show in the dataset list. Each user assigned roles are shown in the permissions column.

To add additional permissions for the user, select the ellipse to the right of the permissions column. Either Reshare or Build can be added to the user’s access permission.

Similarly, once added, either permission can be removed.

If a user was not added to the workspace, then that user can be added manually via the Add User button.

The username or email address can be filled using Intellisense and then selected. Although not blatantly clear, the two check boxes provide the user with the Reshare and Build permissions, respectively.

The user is added to the dataset permissions with Read access along with the selected Reshare or Build permissions. However, this user has not been granted permissions at the workspace level.

In this tip, we covered the basics of workspace permissions including specifics of what each workspace permission grants at the role level. Additionally, we have dived into the process of setting the Reshare and Build permissions at the dataset level.
Next Steps
- All Power BI Tips

I have a passion for crafting Business Intelligence Solutions for my user groups. My experience includes almost 15 years of SQL Server involvement with the last 12 years focused specifically on Business Intelligence, SharePoint, OLAP, SSRS, and Decision Support solutions. Currently, I am a Business Intelligence Architect in the healthcare industry, and I also teach database and analytics classes for Kennesaw State University, Southern New Hampshire University, and Reinhardt University. My education includes an MBA and an undergraduate in Accounting (yes I am a reformed accountant!), both from Kennesaw State University. I enjoy every day by trying to grow my faith and spend precious time with my family. I have been happily married to my wife of over 20 years, and we have two teenagers one who we home school with the help of a University Model School, Cornerstone Prep in Acworth, GA (cornerstoneprep.org). Our other child is a Construction Management major at KSU’s Southern Poly / Marietta campus. We are a soccer and Cross Country (XC) family who play, coach, and referee soccer or run for fun most every day. For several years, our family has volunteered (and played with the dogs and cats) at Etowah Valley Humane Society in Cartersville, GA.
- MSSQLTips Awards: Champion (100+tips) – 2016 | Author of the Year – 2015 | Author Contender – 2014, 2016-2021



Contributors cannot schedule data refreshes. This capability is reserved for Members and Admins.
It is preferable to not use viewer access but to include the reports in the workspace app and give consumers access to the app only.
Which reports they see can then be tailored using the app’s audiences. It keeps all the workspace report permissions in one place and is far simpler to administer, especially if you create a user group for each audience instead of adding individual names.
Hi! Great article! One detail when talking about the Member role.. “This role is also able to add other users to the viewer or contributor role.”
The member role can also add other members as stated on the Microsoft page: “Add members or others with lower permissions.”
Cheers