Problem
As organizations using Power BI as their business intelligence platform grow, the number of reports, datasets, and other Power BI items can quickly multiply. This can lead to inefficiencies, cluttered workspaces, and potential security risks for the organizations. Thus, businesses must ensure a secure and organized Power BI environment. What are best practices that should be followed to achieve this?
This tip explains these Power BI best practices while referencing workspace management, archiving, and cleaning.
Solution
Before delving into workspace management implementation, it is helpful to understand what Power BI workspaces are, including types of workspaces and workspace roles and permissions.
What are Power BI Workspaces?
Simply put, a Power BI workspace is a collaborative environment where teams using Power BI can create, share, and manage Power BI items such as reports, dashboards, semantic models, and paginated reports. Note that a Power BI workspace can also contain folders, Excel workbooks, Notebooks, etc.

What are Power BI Workspace Roles and Permissions?
Proper understanding of Power BI workspace roles and permissions is essential for efficient Power BI workspace management. Four user roles can be assigned to items in a Power BI workspace: Admin, Member, Contributor, and Viewer.
Admin Role
All Admins in a Power BI workspace have full control permissions, i.e., they can do anything, including adding and removing users, deleting Power BI contents, and modifying settings. Admins can view and edit settings in the Admin Portal.
Note: There are Workspace Admins and Tenant Admins. Tenant Admins have overarching permissions over all other admins. Workspace Admins have Admin permission on the workspace in which they have been assigned the role.
Member Role
Member roles are assigned to users who need permissions to create, edit, and delete content in the Power BI workspace environment.
Note: An individual with a member permission can do nearly the same things an Admin can in a workspace with a few exceptions. So, be careful how you assign this role to users.
Contributor Role
Any user with a Contributor role can create and edit contents in a Power BI workspace. However, they cannot delete. Also, they can update an App in a Power BI workspace, but only if the Workspace Admins delegate this permission to them.
In my experience, most Power BI developers or analysts are usually assigned the contributor role, where I have observed good workspace management practices. A separate team (e.g., the IT team) or the Power BI Admins usually deal with the admin side of things. This setup ensures a centralized management of contents in the Power BI tenant.
Viewer Role
A user with the Viewer role can only read and interact with Power BI workspace contents. Viewers can also create subscriptions and receive subscriptions that others have created for a report.
Additionally, they can read data stored in a Dataflow Gen1 in a workspace. Note: Currently, those with Viewer roles cannot read data stored in Dataflows Gen2. Only users with Admin, Member, and Contributor roles currently have access to data stored in Dataflow Gen2.
In general, efficient workspace management requires adherence to proper Role-Based Access Control (RBAC). This ensures that inefficiencies and security risks are effectively managed and good practices are followed.
Different Types of Power BI Workspaces
In Power BI, there are two types of workspaces: the Private workspace (personal workspace), also known as ‘My Workspace,’ and the Organizational workspace, or ‘Shared workspace.’
- My Workspace: A private dedicated space for your personal Power BI contents.
  - Full visibility and ownership of what you store in this workspace.
  - Can share contents in your workspace with others in your organization.
  - Not ideal for collaboration in an enterprise setting.
- Shared Workspace: The enterprise space where teams collaborate on Power BI contents. It is the recommended workspace for enterprise usage.
To ensure your workspaces are organized, it is recommended to define clear purposes for each workspace (not mandatory). Definitions can be added to the ‘Description’ section when creating the workspace, as seen in the image below.

Practice Efficient Workspace Organization
The way to structure a workspace determines how it will look in a few years’ time. A well-organized workspace prevents clutter and improves productivity. There are several best practice approaches to manage workspaces efficiently.
Standardized Naming Conventions
Adopting a consistent naming approach for your workspaces, reports, and User Groups (AAD Groups) is a good practice. I recommend using the ‘Screaming Snake Case’ or ‘Snake Case’ naming conventions.
Reports can utilize a different convention, such as ‘DEPARTMENT_PROJECT_REPORTNAME’ or ‘Department_Project_Reportname.’ An example would be ‘MARKETING_FORECAST_ANALYSISREPORT’ or ‘HR_Q1_Reporting.’
A naming convention for AAD User Group names to consider is ‘PBI_CompanyAbbreviation_WorkspaceOrReportName_Contributor.’
Creating and maintaining a Naming Convention guide is essential. Share it with users or save it in a centralized location where those who need to know have access. This will ensure that the practice is understood and followed.
Categorize Workspaces
Where possible or applicable, categorize your workspaces. Use a separate workspace for business functions or projects. For instance, you can create a ‘Sales’ workspace for revenue or pipeline analysis-related reports. A ‘Marketing’ workspace can be designated for campaign performance and lead tracking reports. And a ‘Finance’ workspace could house budgeting and cost analysis reports.
Folders can also be leveraged in workspaces to enhance content organization in Power BI. This helps to categorize contents systematically, depending on the needs of the business.
Plan Regular Cleaning and Maintenance of Workspaces
Over time, your workspace becomes overloaded with items that no longer serve the business’s purpose. These items might include redundant or orphaned semantic models (datasets), old or unused reports, or outdated dashboards. Not cleaning regularly may lead to performance issues and clutter in the workspace.
So, how do we manage these redundant or unused workspace items?
Schedule Regular Content Audits
Regularly scheduled content audits are crucial for cleaning up the workspace. Document this periodic process, including the time frame an item must remain unused before it is considered for removal.
The ‘Power BI Usage Metrics’ in Power BI service is a great tool to help you identify which items meet the time frame for removal. For example, suppose your policy stipulates that all Power BI reports in your tenant must be removed if they have not been used (refreshed or accessed) in three months. Using the Usage Metrics, you can identify those reports and remove them.
As shown below, the Usage Metrics can be viewed under the ‘Admin monitoring’ workspace in Power BI.

Note: Depending on your organization, stakeholders’ involvement may be best practice in this process. For instance, some reports might meet the removal criteria; however, such reports are only accessed every three months. Thus, discussions with stakeholders may be necessary before items are removed.
Another good practice is to archive items instead of outright deletion, ensuring they can be restored if needed.
Monitor Storage and Performance
Equally important, a few actions can be taken to ensure a good-performing and organized Power BI tenant, including:
- Reducing refresh schedules for rarely accessed reports.
- Identifying and removing duplicate semantic models.
- Checking semantic model sizes regularly.
For example, the ‘Power BI Service storage metrics’ can help identify large semantic models that have not been used for a while. The following steps and images show how to find the ‘Power BI Service storage metrics.’
First, click the gear icon in your workspace.

In the new window, click ‘Monitoring.’

Next, click ‘Eventhouse.’ Wait while it is created.

Once completed, you will see the following screen:

Then, the Eventhouse created will be listed among your Power BI workspace items, as seen in the image below. When you select the ‘Monitoring Eventhouse,’ you can view your workspace Service Storage Metrics.

Set Up a Strategy for Archiving
As mentioned earlier, it is best practice to archive instead of deleting. In some cases, it helps to maintain historical records possibly needed for compliance.
Specifically for Power BI reports, it’s ideal to save .pbix files in a centralized location like a SharePoint document library or OneDrive folders. This way, historical versions of reports can be viewed. And since the current version has been saved in the SharePoint or OneDrive folder, there is no need to worry about files being deleted from Power BI workspaces.
Below is an explanation on accessing the historical versions of your .pbix files in a SharePoint document library.
First, select the .pbix file within your SharePoint or OneDrive. Then, find ‘Version history’ at the top pane.

Or right-click on the file and choose ‘Version history.’

If you haven’t saved your .pbix files in SharePoint or OneDrive folders and you need to clean up your Power BI workspace, your archiving strategy might include:
- Identifying candidates for archiving based on your policy as described earlier.
- Exporting the identified items to the SharePoint or OneDrive location.
Note: Power BI semantic models can also be stored in Azure Blob Storage for long-term retention.
It is also best practice to maintain an ‘Archive Index’ (Audit Log), generally an Excel Spreadsheet or a Power BI dashboard, detailing at a minimum:
- Name of Archived Reports
- Report Owner
- Date of Archival
- Retrieval Location
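The audit policy and the Archive Index described above can be combined in one script. The following is an added example, not code from the original article: it applies the three-month rule (taken here as 90 days) to a constructed usage export and builds index rows with the four minimum columns. The CSV column names, the `keep` set of stakeholder-approved reports, and the `<archive-library>` root are assumptions.

```python
import csv
import io
from datetime import date

# Constructed usage export. The column names are assumptions, not the schema
# of the Power BI Usage Metrics report; every value is made up.
USAGE_CSV = """report,owner,last_viewed,last_refreshed
MARKETING_FORECAST_ANALYSISREPORT,ana@contoso.example,2025-05-28,2025-06-01
HR_Q1_Reporting,sam@contoso.example,2025-01-10,2025-01-15
FINANCE_BUDGET_QUARTERLYREVIEW,kim@contoso.example,2025-03-02,2025-03-03
SALES_PIPELINE_OLDDASHBOARD,,2024-11-20,2024-12-01
"""

def stale_reports(usage_csv, today, max_idle_days=90, keep=frozenset()):
    """Reports neither viewed nor refreshed inside the window.

    `keep` holds reports that stakeholders confirmed are used on a long
    cycle (for example quarterly), so they are not proposed for archiving.
    """
    stale = []
    for row in csv.DictReader(io.StringIO(usage_csv)):
        last_used = max(date.fromisoformat(row["last_viewed"]),
                        date.fromisoformat(row["last_refreshed"]))
        idle = (today - last_used).days
        if idle > max_idle_days and row["report"] not in keep:
            stale.append({"report": row["report"],
                          "owner": row["owner"] or "UNASSIGNED",  # orphaned item
                          "idle_days": idle})
    return stale

def archive_index(stale, archived_on, archive_root):
    """Build Archive Index rows with the four minimum columns from the list above."""
    return [{"Name of Archived Report": s["report"],
             "Report Owner": s["owner"],
             "Date of Archival": archived_on.isoformat(),
             "Retrieval Location": f"{archive_root}/{archived_on:%Y}/{s['report']}.pbix"}
            for s in stale]

if __name__ == "__main__":
    today = date(2025, 6, 15)  # fixed date so the sample output is reproducible
    candidates = stale_reports(USAGE_CSV, today, keep={"FINANCE_BUDGET_QUARTERLYREVIEW"})
    for entry in archive_index(candidates, today, "<archive-library>"):
        print(entry)
```

Rows with owner `UNASSIGNED` are orphaned items that need an owner assigned before the archive decision is signed off.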
Adopt a Robust Security and Compliance Plan
One cannot complete Power BI workspace management without including security and compliance. It is the bedrock of ensuring that only people who need access to your workspace/Tenant have access and that they have the appropriate access.
The security and compliance best practices to be put in place in your organization are discussed below.
Regularly Review and Update User Access
First, consider working with the O365/AAD Admins to ensure there is a process for removing ex-employees who were users of the workspace/Tenant. On your side of things, review the workspace regularly to confirm that now-inactive users are removed from the workspace access list.
It’s more efficient to ensure all users are granted access to workspaces or reports via AAD/O365 Groups rather than on the username level. Granting access in this manner guarantees that once a user leaves your organization and IT removes the user from the active employees’ list, the user’s access to Power BI will automatically reflect the inactive status. This also helps when Row-Level Security (RLS) is implemented in a report, i.e., when users move departments, their access will automatically reflect the change.
Let’s look at an example of how to manage security by leveraging Security Groups and RBAC. You have a workspace named ‘Sample_PBI_Shared_Workspace’, and you need to grant access to 10 users (2 with Member permissions, 2 with Contributor permissions, and 6 with Viewer permissions). A possible design of the RBAC can be seen in the image below:

As illustrated above, assigning permissions to the Security Groups instead of the individual user ensures a tidy approach as well as a more robust user access management within your tenant and organization in general.
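A periodic access review can check a workspace's access list against this group-based design. The following is an added example, not code from the original article: it reads a constructed list shaped like the `value` array of the Power BI REST call `GET /v1.0/myorg/groups/{groupId}/users` and flags direct user grants, inactive accounts, and groups whose name and granted role disagree. The `CONTOSO` abbreviation, the sample principals, and the `ACTIVE_ACCOUNTS` directory export are assumptions.

```python
import re

# Constructed sample shaped like the "value" array of the Power BI REST call
# GET /v1.0/myorg/groups/{groupId}/users. Every name below is made up.
WORKSPACE_USERS = [
    {"displayName": "PBI_CONTOSO_Sample_PBI_Shared_Workspace_Member",
     "principalType": "Group", "groupUserAccessRight": "Member"},
    {"displayName": "PBI_CONTOSO_Sample_PBI_Shared_Workspace_Contributor",
     "principalType": "Group", "groupUserAccessRight": "Contributor"},
    {"displayName": "PBI_CONTOSO_Sample_PBI_Shared_Workspace_Viewer",
     "principalType": "Group", "groupUserAccessRight": "Member"},   # role drift
    {"displayName": "Finance Team",
     "principalType": "Group", "groupUserAccessRight": "Viewer"},   # off-convention
    {"displayName": "Dana Former", "emailAddress": "dana@contoso.example",
     "principalType": "User", "groupUserAccessRight": "Admin"},     # has left
    {"displayName": "Lee Analyst", "emailAddress": "lee@contoso.example",
     "principalType": "User", "groupUserAccessRight": "Contributor"},
]
# Assumption: active accounts exported from the directory by the O365/AAD admins.
ACTIVE_ACCOUNTS = {"lee@contoso.example"}

# The article's group convention: PBI_CompanyAbbreviation_WorkspaceOrReportName_Role
GROUP_NAME = re.compile(r"^PBI_[A-Za-z0-9]+_.+_(Admin|Member|Contributor|Viewer)$")

def review_access(entries, active_accounts):
    """Return (principal, finding) pairs for entries that break the group-based design."""
    findings = []
    for e in entries:
        name, right = e["displayName"], e["groupUserAccessRight"]
        if e["principalType"] == "User":
            mail = e.get("emailAddress", "").lower()
            if mail not in active_accounts:
                findings.append((name, f"inactive account still holds {right}"))
            else:
                findings.append((name, f"direct {right} grant; move to a security group"))
        elif e["principalType"] == "Group":
            m = GROUP_NAME.match(name)
            if not m:
                findings.append((name, "group name does not follow the convention"))
            elif m.group(1) != right:
                findings.append((name, f"named for {m.group(1)} but granted {right}"))
    return findings

if __name__ == "__main__":
    for principal, finding in review_access(WORKSPACE_USERS, ACTIVE_ACCOUNTS):
        print(f"{principal}: {finding}")
```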
Implement Row-Level Security (RLS), Object Level Security (OLS), and Data Classification
As part of best practices in your tenant/workspace management and governance, it is advantageous to apply RLS, OLS, or both to restrict what users can see. I have not discussed in detail how to practically implement these within this article. To learn more, read about RLS and OLS in their respective Microsoft security documentation.
Another option to further improve security, compliance, and governance is to apply Data Classification. Data Classification helps to efficiently handle, properly monitor, and share restricted or sensitive data within your tenant/workspace/organization. Read more about Data Classification in this Microsoft article for Sensitivity labels in Power BI.
Develop a Plan for Training and Documentation
Once the best practices have been planned and implemented, it is essential to broadcast the plan to ensure the business is aware and understands how these practices work. To do so, consider the following:
- Provide regular training to the employees, i.e., monthly or quarterly workshops, on all best practice implementations, particularly those relating to Power BI, in this case.
- Where possible, for each best practice section, provide documentation, including a best practices guide. For instance, consider a best practice guide for Archiving, Naming conventions, etc. These guides are best saved in a centralized location, like SharePoint or OneDrive, where employees can access them easily.
Conclusion
In this article, I outlined useful best practices you can leverage in your business to make certain your Power BI tenant or workspace is effectively managed, cleaned, well-structured, and secure, and included practical examples explaining how to achieve them. However, it is important to note that nothing in this article suggests that all or any of these best practices are rigid or set in stone. You do not need to adopt them all. There are also other examples not mentioned here that could work for your use case. Nevertheless, where you can adopt these practices, it is sure to benefit your organization in the long run.
In closing, it would be good to hear how you have applied these best practices or others to enhance the security, structure, and management of your Power BI tenant or workspace.
Next Steps
- Read more about Workspaces in Power BI.
- Read more about Roles in workspaces in Power BI.
- Read more about using folders in Power BI: Create folders in workspaces.
- See this Microsoft documentation on Row-level security (RLS) with Power BI.
- See this Microsoft documentation on Object-level security (OLS).