I have more than 1000 workspaces in my powerbi tenant. Is there a REST API I can call which will give me who had created these workspaces. I can reach out to those owners and ask them to delete the ones that are not required?
I do not want admins. I can get those details. A workspace can have more than one admin. It would help if I can determine who are the original creators of those workspaces.
Related
I have Power BI Embedded capacity and currently use it to embed reports from my power bi service into a web based portal.
A customer has asked if I can connect to their workspaces from my tenant and embed their reports.
Is it possible to do this? What would the customer need to do on their end to allow me to access the workspaces?
Embedding can be made with user credentials (user name and password) from their tenant (usually used with embed for your organization, a.k.a. user owns data), or with service principal (application ID and secret) from their tenant (usually used with embed for your customers, a.k.a. app owns data). So they must give you their tenant ID (needed for the embedding). Then, depending on how you embed the Power BI elements, proper credentials.
Also, to make a note, that you can't assign their workspaces to your Power BI Embedded capacity, so probably they will need to get a dedicated capacity for their tenant too.
The scope of the project is to provide permissions to every single guest user that clicks on the link (link is from powerbi service). From what I've experienced this can only be done within the organization from the app perspective.
What is the best practice to provide guest users/everyone access to the powerbi application without having to approve users?
I tried changing of the app permissions to everyone in the org, and turning on the setting allowing azure active Directory guest users to access Power BI.
Having access to Power BI doesn't grant them access to any workspaces or apps. For that you need a security group, eg an AAD Dynamic Group.
I have found api for adding user to workspace(group) as well as Add Datasource user. I would like to know, if there is any api available for adding user to dataset?
From the Power Bi Web portal, this is accessed by:
Workspace -> Datasets + Dataflows -> select the three dots menu icon near to the Dataset name and click Manage Permissions. Now, select Direct Access and Add/Remove users here with share/build permissions.
I couldn't find an api for this process. When I tracked the network calls, it is calling the url portion:
redirect.analysis.windows.net/metadata/access
Dataset permissions are part of item permission so you can't override the workspace permissions and can be granted who has at least same level of permission. There are POST APIs where you can add new permission to dataset but not to remove permissions and then PUT APIs where you can update the user's permissions and GET APIs where you can get list of principals that have access to dataset.
Coming to the adding user to dataset I can't find one API for that. But A user's role in workspace implicitly grants the permission on the dataset in the workspace. So if you want to add user then you can use that API you found. And then You can update the permissions for the specific user using these APIs.
Please refer to the link for detailed information.
References:
https://learn.microsoft.com/power-bi/developer/embedded/datasets-permissions#item-permissions
https://learn.microsoft.com/rest/api/power-bi/groups/add-group-user
https://learn.microsoft.com/power-bi/connect-data/service-datasets-permissions
We don't have the option of providing the access through api.
But we can create a Distribution List, by adding users to the list access will be granted accordingly
I have a Power BI workbook that I have created in Desktop. It sources from a SQL Server database. I can access this database with account x. My Azure tenant admin has created a data source for this database in our gateway (within the Power BI service), and I have access to this gateway. The admin supplied account y in connecting to this data source. How does this work when I go to refresh the dataset that this workbook creates when I publish it to the service? That is, when I schedule a refresh on the dataset, will it dial into the SQL Server database using account y provided in the data source definition (virtually ignoring / dropping account x's credentials)?
Yep. That's exactly how it works. The automated refresh will use account 'Y.'
Data sources that have been deployed to some hosted location will almost always disregard the credentials used to create the dataset and instead use credentials that are specifically supplied for the refresh. These 'service' accounts will typically have different rules about password resets, have the lowest appropriate levels of access, and be under the prevue of system administrators rather than report authors. Its a very standard practice. It protects against misuse, error, loss of accounts, and segregates actual user activity from automated behaviors in the logs.
However, it is a little odd to me that your admin 'created the datasource' -- is that correct? Or did the admin just wire up the gateway to the datasource that was deployed when you published?
If you want to use a datasource that is already published, then you need to connect to that datasource from PowerBI desktop. Otherwise you'll be pushing out something new that has nothing to do with the resources that your admin created.
I've connected to an on premises SSAS data source with Power BI Desktop and could successfully publish to the web.
I would like to share the datasets themselves with users outside my organisation so that they can drag/drop the dimensions/measures and create reports and dashboards or reports that they would like to see.
From what I've read it's only possible to share preconfigured dashboards and reports with users outside my organisation. Could someone please tell me if it is possible to share the datasets themselves with users outside my organisation?
If you help the external company setup an On premises data gateway on a VM in your network and help them get it connected to your cube the the external users can publish the Power BI Desktop report to their Power BI tenant. Is there role based security in your cube that would apply to external users? If so you will need to setup an alternate UPN suffix and user accounts for the external users on your domain as described here. Or you could setup user mappings to use CustomData to pass their username in to your cube that way. With CustomData you change your SSAS roles to have only a service account as a member (not real users) then use the CustomData() MDX function in the dynamic security MDX expressions.
The whole scenario is described more fully here. Though I was talking about hosting in Azure with VMs joined to AAD Domain Services, you could so it with alternate UPN suffixes or CustomData in a regular Active Directory domain.
If your model is Tabular then Azure Analysis Services may greatly simplify the matter. If that's of interest let me know.