How to - Set Up Application Security Groups

Access to Power BI is managed through security groups in Azure Active Directory. This article describes how those groups are used for user and account management.

To view existing Azure AD groups in the central tenant, open the Microsoft 365 admin center: https://portal.office.com/AdminPortal/Home#/homepage

https://azure.microsoft.com/en-us/services/active-directory/#:~:text=Azure%20AD%20is%20the%20built,application's%20capabilities%20and%20your%20preferences

General Guidelines

  • All Power BI users are required to sign in using multi-factor authentication (MFA).
  • Each user signs in with their own unique account (NetId@ucsb.edu). Shared logins are not used.
  • Access to data is granted on a need-to-know and least-privilege basis through the data authorization process. Any data that is not classified as public (P2 and above) requires that authorization before access is granted.
  • These policies apply in the same manner to Dev, Test and Production workspaces and apps. Users are not given access to non-public data in Dev/Test simply for testing purposes without prior approval and authorization.

Power BI User Groups

In general, there are five levels of Power BI users

  • Administrators: Highest permission level. Access to all data and content on the Power BI Service. Ability to manage tenant-level configurations and settings.
    • Roles and permissions:
      • Power BI Service Administrator
      • Audit Logs / Audit Logs View Only
    • Licenses and requirements:
      • Power BI Pro
      • MFA
  • Developers: High permission level. Can create and administer workspaces and apps, add and delete content, and configure security.
    • Licenses and requirements:
      • Power BI Pro
      • MFA
  • Analysts: Moderate permission level. Access to Dev and Test workspaces to collaborate on content creation.
    • Licenses and requirements:
      • Power BI Pro
      • MFA
  • Viewers: Read-only permission to Production apps. May have access to Test apps for UAT.
    • Licenses and requirements:
      • Free
      • MFA
  • Service Accounts: Permission level varies, but is generally high. Used for administrative tasks such as reading audit activity and configuring data gateways.


Securing Objects in Power BI

This section describes how access is granted inside the Power BI Service so that security is applied consistently across workspaces and apps.

In general, there are three kinds of user in the Power BI Service (a read-only user, a read/write contributor, and an administrator of the workspace), mapped onto the four workspace roles below. Access is granted either on the workspace itself or on the published app.

Workspace roles (Level / Role / Definition / Notes)

Level 1 - Admin
  • Can change and delete workspaces
  • Add Admins
  • Everything a Member can do
  Notes: The Admin role is reserved for development staff within each IT environment who have ownership of the workspace or app.

Level 2 - Member
  • "Reshare": add new users to the Members group or to lower roles
  • Publish and update apps
  • Everything a Contributor can do
  Notes: This role is reserved for the unusual case in which a non-IT user needs to fully "own" a particular workspace and app and must be able to deploy directly without IT involvement. The Member role is assigned only after review by IT and the Data Steward.

Level 3 - Contributor
  • Add/edit/delete content within the workspace
  • Everything a Viewer can do
  Notes: Most analysts who are actively contributing content to a workspace are given the Contributor role.

Level 4 - Viewer
  • View content within the workspace
  Notes: Within a workspace, the Viewer role should be given sparingly, for cases in which content must be reviewed before an app is published. In general the Viewer role is for "Free" Power BI licensees who only consume content; it is granted to a group of individuals directly on the app, and no access to the workspace is needed or granted.

https://powerbi.microsoft.com/en-us/blog/enable-your-team-with-new-workspaces-experiences-preview/

Example

Developers: own a workspace

Power User: contributes content to a workspace

Viewer: read only

Role assignment by environment (Asset / Dev / Test / Prod)

Workspace
  • Dev
    • Admin - [Organization]_PBI_Developers_{}
    • Contributor - [Organization]_PBI_Analysts_{} (optional)
  • Test
    • Admin - [Organization]_PBI_Developers_{}
    • Contributor - [Organization]_PBI_Analysts_{} (optional)
    • Viewer - [Organization]_PBI_Viewers_{}
  • Prod
    • Admin - [Organization]_PBI_Developers_{}
    • Contributor - [Organization]_PBI_Analysts_{} (optional)
    • Viewer - [Organization]_PBI_Viewers_{}

App
  • Dev: no Dev app
  • Test: permissions inherit from the workspace
  • Prod: permissions inherit from the workspace
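The following script is an added example, not part of the original page or of any Power BI tooling. It applies the Dev/Test/Prod role matrix above with the MicrosoftPowerBIMgmt and Microsoft.Graph PowerShell modules, and then reports assignments the matrix does not account for: individual users added directly (bypassing the group model), the Member role (a reviewed exception), and groups holding roles the matrix does not grant. The workspace naming pattern, the $Organization and $Unit values, and the report-only default are assumptions made for this example.

```powershell
# Added example (not from the original page): apply the workspace role matrix
# and report drift. Assumes MicrosoftPowerBIMgmt and Microsoft.Graph.Groups are
# installed and that the caller is a Power BI administrator (-Scope Organization).
#Requires -Modules MicrosoftPowerBIMgmt, Microsoft.Graph.Groups
param(
    [ValidateSet('SAIT', 'ARIT', 'ETS')]
    [string] $Organization = 'SAIT',    # assumed value for illustration
    [string] $Unit = 'GradDiv',         # assumed unit suffix
    [switch] $Apply                     # omit to only report what would change
)

# Role matrix from the table: Dev has no Viewers group, and Member is never
# granted here because it requires IT and Data Steward review first.
$Matrix = @{
    Dev  = @{ Admin       = "${Organization}_Pbi_Developers_${Unit}"
              Contributor = "${Organization}_Pbi_Analysts_${Unit}" }
    Test = @{ Admin       = "${Organization}_Pbi_Developers_${Unit}"
              Contributor = "${Organization}_Pbi_Analysts_${Unit}"
              Viewer      = "${Organization}_Pbi_Viewers_${Unit}" }
    Prod = @{ Admin       = "${Organization}_Pbi_Developers_${Unit}"
              Contributor = "${Organization}_Pbi_Analysts_${Unit}"
              Viewer      = "${Organization}_Pbi_Viewers_${Unit}" }
}

Connect-PowerBIServiceAccount | Out-Null
Connect-MgGraph -Scopes 'Group.Read.All' | Out-Null

function Resolve-GroupId([string] $DisplayName) {
    # Azure AD object id of a security group, or $null if it does not exist.
    $g = Get-MgGroup -Filter "displayName eq '$DisplayName'"
    if ($g) { return $g.Id }
    return $null
}

foreach ($env in 'Dev', 'Test', 'Prod') {
    $wsName = "$Organization $Unit $env"   # assumed workspace naming pattern
    $ws = Get-PowerBIWorkspace -Scope Organization -Name $wsName -Include All |
          Select-Object -First 1
    if (-not $ws) { Write-Warning "Workspace '$wsName' not found"; continue }

    $expected = @{}   # group object id -> role the matrix grants it
    foreach ($role in $Matrix[$env].Keys) {
        $groupName = $Matrix[$env][$role]
        $groupId = Resolve-GroupId $groupName
        if (-not $groupId) { Write-Warning "AD group '$groupName' not found"; continue }
        $expected[$groupId] = $role

        $present = $ws.Users | Where-Object {
            $_.PrincipalType -eq 'Group' -and $_.Identifier -eq $groupId -and $_.AccessRight -eq $role
        }
        if ($present) { continue }
        if ($Apply) {
            Add-PowerBIWorkspaceUser -Scope Organization -Id $ws.Id `
                -PrincipalType Group -Identifier $groupId -AccessRight $role
            "Granted $role on '$wsName' to $groupName"
        } else {
            "Would grant $role on '$wsName' to $groupName (re-run with -Apply)"
        }
    }

    # Drift report: anything on the workspace that the matrix does not explain.
    foreach ($u in $ws.Users) {
        $who = if ($u.UserPrincipalName) { $u.UserPrincipalName } else { $u.Identifier }
        if ($u.PrincipalType -eq 'User') {
            Write-Warning "${wsName}: individual user $who holds $($u.AccessRight); assign through a group instead"
        } elseif ($u.AccessRight -eq 'Member') {
            Write-Warning "${wsName}: $who holds Member; confirm the IT/Data Steward review"
        } elseif ($u.PrincipalType -eq 'Group' -and
                  ($null -eq $u.Identifier -or $expected[$u.Identifier] -ne $u.AccessRight)) {
            Write-Warning "${wsName}: group $who holds $($u.AccessRight), which the matrix does not grant"
        }
    }
}
```

Run it without -Apply first and review the "Would grant" lines and warnings; viewer access for Test and Prod is granted on the workspace here because the table states that the app inherits workspace permissions. Nothing in the script touches app-level sharing, which is still configured in the service.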

Security Group Naming Convention

Top Level Groups (AD Group / Power BI License / Description)

  • ucsb_licensing_employee_nonstudent_default and ucsb_licensing_employee_student_default
    • Power BI License: Free
    • Description: Default groups. ALL Power BI users are in one of these two groups.
    • NOTE: These groups are intended only for licensing usage.

  • dataservices_powerbi_administrators
    • Power BI License: Pro
    • Description: Power BI administrators (AD security group "Power BI Administrators").

  • dataservices_licensing_powerbipro
    • Power BI License: Pro
    • Description: AD group used to initiate license assignment for Pro licenses.
    • NOTE: This group is intended only for licensing usage.



User Groups (AD Group / Power BI License / Description)

  • [Organization]_Pbi_Developers_{Unit}
    • Valid Organizations:
      • SAIT
      • ARIT
      • ETS
    • Power BI License: Pro
    • Description: Authors content in Power BI. Generally a member of an IT organization.
    • Examples:
      • SAIT_Pbi_Developers_Sist_DB
      • ARIT_Pbi_Developers
      • ETS_Pbi_Developers_HR

  • [Organization]_Pbi_Viewers_{SubjectArea}
    • Valid Organizations: see the list above
    • Power BI License: Free
    • Description: Power BI user groups with read-only access. A Power BI Free license is granted. Used to give groups of individuals access to one or more apps.
    • Examples:
      • SAIT_Pbi_Viewers_GradDiv_Financial
      • SAIT_Pbi_Viewers_GradDiv_Deans
      • SAIT_Pbi_Viewers_GradDiv_Operations
      • SAIT_Pbi_Viewers_Arit_Financial
      • ARIT_Pbi_Viewers_Occupancy

  • [Organization]_Pbi_Analysts_{Unit}_{SubjectArea}
    • Valid Organizations: see the list above
    • Power BI License: Pro
    • Description: Power BI analyst groups. Individuals in these groups may be collaborating on content for a department or subject area, for example Tedi Tehrani and Victoria Bebko in SIST, or Nathan Yee in Financial Aid.
    • Examples:
      • SAIT_Pbi_Analysts_SA_Financial
      • SAIT_Pbi_Analysts_Ofas
      • SAIT_Pbi_Analysts_GradDiv_Operations
      • SAIT_Pbi_Analysts_GradDiv
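The following validator is an added example, not part of the original page or of any UCSB tooling. It checks group names against the naming convention above and reports the license each role implies (Developers and Analysts are Pro, Viewers are Free). The top-level licensing and administrator groups are exempt because they do not follow the pattern. The {Unit} and {SubjectArea} segments are treated as optional, since the page's own examples include ARIT_Pbi_Developers with neither; the candidate names marked "constructed" are invented to exercise the checks.

```powershell
# Added example (not from the original page): validate Azure AD group names
# against [Organization]_Pbi_{Developers|Analysts|Viewers}[_{Unit}][_{SubjectArea}].

$ValidOrganizations = 'SAIT', 'ARIT', 'ETS'
$RoleLicense = @{ Developers = 'Pro'; Analysts = 'Pro'; Viewers = 'Free' }
$TopLevelGroups = @(
    'ucsb_licensing_employee_nonstudent_default'
    'ucsb_licensing_employee_student_default'
    'dataservices_powerbi_administrators'
    'dataservices_licensing_powerbipro'
)

function Test-PbiGroupName {
    param([Parameter(Mandatory)][string] $Name)
    # Returns an object describing the name. Valid is $false with a Reason when
    # the name breaks the convention; License is the license the role implies.
    $result = [pscustomobject]@{
        Name = $Name; Valid = $false; Kind = 'User'; Organization = $null
        Role = $null; License = $null; Reason = $null
    }
    if ($TopLevelGroups -ccontains $Name) {
        $result.Valid = $true; $result.Kind = 'TopLevel'
        return $result
    }
    # Case-sensitive on purpose: the fixed "Pbi" segment and the role words must
    # match exactly so that near-misses such as "PBI" or "Admins" are rejected.
    $rx = '^(?<org>[A-Za-z]+)_Pbi_(?<role>Developers|Analysts|Viewers)' +
          '(?:_(?<unit>[A-Za-z0-9]+))?(?:_(?<area>[A-Za-z0-9]+))?$'
    $m = [regex]::Match($Name, $rx)
    if (-not $m.Success) {
        $result.Reason = 'does not match [Organization]_Pbi_{Role}_{Unit}_{SubjectArea}'
        return $result
    }
    $org = $m.Groups['org'].Value
    if ($ValidOrganizations -cnotcontains $org) {
        $result.Reason = "unknown organization '$org'"
        return $result
    }
    $result.Valid = $true
    $result.Organization = $org
    $result.Role = $m.Groups['role'].Value
    $result.License = $RoleLicense[$result.Role]
    return $result
}

# Names from the page plus constructed bad ones (marked) to show each failure mode.
$Candidates = @(
    'SAIT_Pbi_Developers_Sist_DB'
    'ARIT_Pbi_Developers'
    'ETS_Pbi_Developers_HR'
    'SAIT_Pbi_Viewers_GradDiv_Financial'
    'ARIT_Pbi_Viewers_Occupancy'
    'SAIT_Pbi_Analysts_SA_Financial'
    'dataservices_powerbi_administrators'
    'HR_Pbi_Viewers_Payroll'                 # constructed: organization not in the list
    'SAIT_PBI_Viewers_Finance'               # constructed: wrong case in the fixed segment
    'SAIT_Pbi_Admins_Finance'                # constructed: Admins is not a group role
    'SAIT_Pbi_Analysts_Sa_Financial_Extra'   # constructed: too many segments
)
$Candidates | ForEach-Object { Test-PbiGroupName $_ } |
    Format-Table Name, Valid, Kind, Role, License, Reason -AutoSize
```

To audit the tenant rather than the sample list, feed real display names into the same function, for example `(Get-MgGroup -All).DisplayName | Where-Object { $_ -like '*_Pbi_*' } | ForEach-Object { Test-PbiGroupName $_ }` after `Connect-MgGraph -Scopes 'Group.Read.All'`; any row with Valid false is a group that was created outside the convention and should be renamed or reviewed.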