Power BI Workspace Permissions and Roles

By:   |   Comments (2)   |   Related: > Power BI


What are the Power BI workspace permissions and roles and how are they used?


Power BI includes a complex security infrastructure that encompasses data level detail such as that used for Row Level Security (see these tips on Row Level Security in Power BI: 1) Power BI Table Based Row Level Security and 2) Power BI Row Level Security.

Row level security is maintained at the dataset level. Furthermore, APP permissions grant report consumers that ability to access a Power BI APP. In between these levels are the various workspace report level permissions which maintain various access paths to the workspace itself. However, these permissions are often not seen directly as many end users interact with a report via the APP; other users will connect directly to the report in the workspace.

Let us get started with seeing some examples of how workspace permissions work. However, before we get into the examples, you need to be sure to download the latest version of Power BI desktop. Additionally, we will be using the WideWorldImportersDW database as a basis for our data sources; this database can be downloaded from GitHub. If you need a refresher on bringing data into Power BI please see: Querying SQL Server Data with Power BI Desktop.

One initial caveat that should be noted is that the items we discuss are related to the "new" workspace experience that was implemented in early 2020. Be sure you have upgraded to the latest version of the Power BI service (which should happen automatically). Also, as we develop our methods for granting access and setting up permissions be sure to remember we are establishing a way to collaborate with our report and dashboard consumers.

Create New Workspace on Power BI Service

We will start with creating a new workspace on the Power BI Service.

New Work Space

Next, the workspace is named and then saved.

Save Workspace New

You will notice that during the workspace creation, no permissions are shown nor are any options really available except a default image and description along with a few advanced options, one of which is to fill in a workspace contact list. The list is used as a notification method if issues arise with the workspace.

Advanced settings

Power BI Workspace Access

Now that the workspace is created, we can now review the permissions used in the workspace. You will need to select the desired workspace, then the ellipse, and finally Workspace Access.

Workspace Access

Alternately, the Access pane can be opened by selecting the workspace and then clicking the Access button.

Workspace Access 2

Initially, the content administrator / workspace creator is the only user that has a permission of Admin. However, others can be added.

Initial Permissions

Power BI Roles

As shown below, you can add users or groups (Active Directory or Distribution Lists) to the workspace, but simply starting to type the name of the user or group; Power BI will use Intellisense. In my example, I am adding the user named "test"; next, the role must be selected. Four roles are available:

  • Viewer - This role provides read only access to workspace items. Read access does provide report / dashboard consumers the ability to not only view, but also interact with visuals. Interaction does not mean changing a visual. Also note that users in this view do not require a Pro License to view reports if the workspace is in Premium mode. Without Premium content a Pro License is required. (see this tip for some details on license details (Power BI: What I wish I knew when I started?).
  • Contributor - This role can access and interact with reports and dashboards. Additionally, this role can create, edit, copy, and delete items in a workspace, publish reports, schedule refreshes, and modify gateways.
  • Member - This role can access and interact with reports and dashboards. Additionally, this role can create, edit, copy, and delete items in a workspace, publish reports, schedule refreshes, and modify gateways. Finally, members of this role can also feature dashboards on the service, share items, allow others to reshare items, publish or republish and APP. This role is also able to add other users to the viewer or contributor role.
  • Admin - This role can do all the functions above plus add and remove all users including other Admins.

A few other notes about the viewer role (and by default all the other roles inherit these features) include: 1) a user still can export the report to PDF, Power Point or print the report page 2) even though row level security is set at the dataset level, it still applies to users in the viewer role (even though they are unable to see the dataset). In addition to the above permissions, you would also require Build permissions on the Dataset in order to create a report from a workspace dataset or copy a report. We will discuss the Build permission late in this tip.

power bi

After entering the user email address or name, selecting the role, then clicking on Add, Power BI creates the user’s access attached to the appropriate role. In the below example the Test user now has viewer access to the workspace.

Add role

Clicking on ellipse next to the user allows for either the removal of a user or the ability to change the role for that user.

Change User

Power BI Permissions for Objects in the Workspace

Up to this point we focused on the permissions at the Workspace; now we will drop one level down and discuss permissions for the objects in the Workspace, including the new Build permission mentioned previously. Specifically, these permissions are set on the datasets. Specifically, two additional permissions exist at the dataset level 1) Reshare which allows for the user to share (or reshare) the dataset with other Power BI users and 2) Build which allows users to not only view the dataset, but also build their own reports based on that dataset. Build permissions are automatically granted to users within the Contributor, Member, or Admin roles set at the workspace level.

Alternately, Build and Reshare permissions can be assigned to individual users. To set these permissions, navigate to the desired workspace and then to the dataset list. Next, click the ellipse next to the workspace and select Manage permissions.

Manage Permissions

As shown on the Manage Permissions screen below, you will notice the users which were previously added to the workspace permissions show in the dataset list. Each user assigned roles are shown in the permissions column.

Dataset Manage Permissions

To add additional permissions for the user, select the ellipse to the right of the permissions column. Either Reshare or Build can be added to the user’s access permission.

Add Reshare / Build

Similarly, once added, either permission can be removed.

Remove permissions.

If a user was not added to the workspace, then that user can be added manually via the Add User button.

Add User.

The username or email address can be filled using Intellisense and then selected. Although not blatantly clear, the two check boxes provide the user with the Reshare and Build permissions, respectively.

Add User Manually.

The user is added to the dataset permissions with Read access along with the selected Reshare or Build permissions. However, this user has not been granted permissions at the workspace level.

power bi

In this tip, we covered the basics of workspace permissions including specifics of what each workspace permission grants at the role level. Additionally, we have dived into the process of setting the Reshare and Build permissions at the dataset level.

Next Steps

Learn more about Power BI in this 3 hour training course.

Click here to start the Power BI course

sql server categories

sql server webinars

subscribe to mssqltips

sql server tutorials

sql server white papers

next tip

About the author
MSSQLTips author Scott Murray Scott Murray has a passion for crafting BI Solutions with SharePoint, SSAS, OLAP and SSRS.

This author pledges the content of this article is based on professional experience and not AI generated.

View all my tips

Comments For This Article

Monday, October 9, 2023 - 2:05:09 AM - Patj Back To Top (91635)
It is preferable to not use viewer access but to include the reports in the workspace app and give consumers access to the app only.
Which reports they see can then be tailored using the app's audiences. It keeps all the workspace report permissions in one place and is far simpler to administer, especially if you create a user group for each audience instead of adding individual names.

Wednesday, April 14, 2021 - 9:22:42 AM - Frantz Leonce Back To Top (88535)
Hi! Great article! One detail when talking about the Member role.. "This role is also able to add other users to the viewer or contributor role."
The member role can also add other members as stated on the Microsoft page: "Add members or others with lower permissions."

get free sql tips
agree to terms