What is collaboration and sharing
How to collaborate and share in Power BI
Best practices for collaboration and sharing
One of the main advantages of reporting and analysis is the ability to share and collaborate on the results. When reports, analysis, or data are shared, it increases the value of it as many will benefit from the work of few. There is a risk though when sharing and collaborating on reports, analysis, and data. If not done correctly the data can get into the wrong hands or get exposed to those who shouldn’t see it. This is especially important if you have personally identifiable information (PII). This chapter will discuss the ways to collaborate and share in Power BI as well as best practices from a governance perspective. We will also talk about monitoring and reaction if breaches occur.
What is collaborating and sharing?
Collaborating and sharing can mean many things depending on the situation and context. Collaborating and sharing in the context of Power BI is the act of interacting with others on Power BI artifacts. This interaction can be sharing Power BI objects with others, commenting and collaborating about Power BI reports, or building Power BI objects in a collaboration with others. These artifacts include dashboards, reports, Excel workbooks, datasets, dataflows, and machine learning models. The interaction can be two-way, such as discussions on a report in the Power BI website or it can be one-way such as sharing a dashboard with someone. You can collaborate as an end user, meaning you don’t have permission to change the artifact, or you can collaborate as a contributor where you have permission to change artifacts. Usually collaboration and sharing means that people will get access to data and analysis someone else has created. From a governance perspective, sharing data, analysis, and insights is often a question of authorized access. Discussion on collaboration and sharing is therefore tightly connected to discussion on security (discussed in Chapter 13) and laws and policies (discussed in Chapter 4). Another governance angle on collaboration and sharing is that the receiver of data, analysis, and insights needs to know the context and constraints of them to be able to interpret the results. This is where training comes in as a factor in collaboration and sharing from a governance perspective.
Sharing
Sharing is the act of giving someone access to a dashboard, report, or dataset. This can be a person or a group of people, either inside or outside of your organization (see Chapter 13 on security). Sharing can grant permissions to view, or it can be to alter or build upon. It’s not always obvious what type of access you are giving, so it’s very important to have a clear strategy on how sharing should be done as a part of your governance work. Power BI offers different ways to share artifacts. In this section we will discuss the different ways of sharing and what their advantages and disadvantages are from a governance standpoint.
Types of sharing
Sharing the BI Desktop (PBIX) file (not for dashboards)
Direct sharing
Granting access to workspace
Granting access to app
Each of these methods has its pros and cons from a usability perspective, but here we will focus on the pros and cons from a governance perspective.
Sharing PBIX file
One of the easiest ways to share a Power BI dataset or report is to share the PBIX file. When you author datasets and reports in Power BI Desktop, it’s stored as a file in the PBIX file format. This file can be shared with other people, either by giving them access to the file storage or sending them the file. While this is easy and doesn’t require a Power BI license (Power BI Desktop is a free product as described in Chapter 2), it does have some governance issues. If you use import mode when getting data into Power BI Desktop and you share a PBIX file with someone, they get full access to all the data stored in the file. They also have full access to the data model and can make any changes to the file, though if they do not have access to the data source they cannot edit or refresh the queries. They can either overwrite your file if they have write access to the file storage or save their own copy if not. Having access to the data and being able to change the report can be a potential security risk and risks the integrity of the analysis. Another potential security issue is if you have applied row-level security (see Chapter 13) as it is only enabled in the Power BI Service, since Power BI Desktop is a development environment with full access and control of the file for authors.
It is therefore not recommended to share PBIX files with someone unless you need them to collaborate on the creation or maintenance of the report or dataset. Safely storing PBIX files and not sending them in email or other file exchange programs is recommended to minimize risk of exposing data to unauthorized users.
Direct sharing
A dashboard, report, and dataset can be shared directly with people, distribution groups, and security groups. For dashboards and reports there are share buttons in many places, but for datasets you need to go into Manage permissions to find the sharing options.
Allow users to share your dashboard/report.
Allow recipients to build new content using the underlying datasets.
Send an email notification to recipients.
All these options are pre-checked checkboxes. It’s very important to think carefully before using direct sharing and if you do which of the preceding options you want to use. The first thing you need to think about is if direct sharing is the right way to accomplish what you are trying to do. When you do direct sharing, it can be hard to keep track on which dashboards or reports have been shared and with whom they have been shared. The next thing to consider is the sharing options. Do you want those who you share with to have the ability to share with others? You can quickly loose track and control of who the dashboards or reports are shared with. The only way to find out is to open the share dialog and look at the Access tab or access the Power BI Activity log. The next thing to consider is if the users you are sharing with should be allowed to create new content using the underlying dataset. If you keep that checked, users will have full access to the dataset unless you have row-level security, in which case they only see what they are allowed to see. Nevertheless, they will potentially have access to bigger parts of the dataset than intended.
Allow recipients to reshare the artifact.
Allow recipients to build new content from the underlying datasets.
Direct sharing
Directly sharing a Power BI report or dashboard is a method that should only be used in certain circumstances. It’s not recommended unless the receivers are few or if you need to share one or few reports/dashboards out of a workspace with many reports/dashboards. Direct sharing is not recommended from My Workspace as the user who owns that workspace is the only person who can access it. If that person leaves the company or is for some reason not able to log in, there is no way to maintain dashboards, reports, and datasets in the workspace. The main drawbacks of direct sharing are that it is difficult to keep track of who has access to them and which reports/dashboards have been shared or not. Directly sharing datasets is only recommended if you need to allow users to create new reports and dashboards from an existing datasets but you cannot for some reason give the user access to the workspace the dataset is in.
Giving access to a workspace
Viewer
Contributor
Member
Admin
Types of access in a workspace
As Figure 3-2 shows, the viewer permission allows the users to view and interact with artifacts within the workspace as well as read data stored in a dataflow in the workspace. The contributor permission allows the same as viewer plus create, edit, and delete all artifacts in the workspace except workspace apps. The member permission allows the same as contributor plus the ability to give access to others (except admin access) and publish and update workspace apps. The admin permission gives you full control over all artifacts in the workspace as well as the workspace itself. The main takeaway here is that all permission levels above viewer allow the user to change and delete most objects in the workspace.
Workspace sharing
Giving access to workspaces for sharing artifacts is best suited for users that need to contribute to the content. Although you can use viewer permission for consumers, it’s recommended to use apps for that as it simplifies maintenance of access.
Apps
- Allow all users to connect to the app’s underlying datasets using Build permission.
Allow users to make a copy of the reports in this app.
Allow users to share the app and the app’s underlying datasets using the share permission.
App sharing
Apps are the way Microsoft recommends sharing dashboards, reports, and datasets to users in Power BI. Apps allow you to share “packaged” content including multiple dashboards, reports, and datasets with custom navigation, custom website links, and embedded video. The users will always only get view access to the content, although you can give them permission to build their own content using the datasets and reports in the app. Another functionality of apps is that they contain a cached version of the report so that the report in the workspace can be modified without affecting the cached report. Note that the dataset will always be updated in the app if you update it in the workspace.
How should I share content?
When answering the question “how should I share content?” the answer is often, it depends. For larger audience using apps is the best way as it gives you one place per workspace where sharing is done, and you can add custom navigation and support URLs. For smaller audiences or when you need to share part of a workspace to someone, direct sharing might be justifiable, but it should be used sparingly due to the lack of insight into what is shared to whom. Giving access to workspaces to share content is best used for contributors rather than consumers, although the viewer permission allows you to consume content without the option to change.
To simplify your governance strategy, it might be a good idea to stick to one option and say that all content is shared to consumers via apps. This will remove any doubt on what the correct way to share content is, which can be very useful if you have many content developers with different amount of experience. In Figure 3-2 you see how a typical publish and sharing process might look like. Notice that consumers only have access to the app.
You can embed Power BI reports or apps via secure embedding or via specific SharePoint embedding. We believe that kind of sharing will follow the exact same principles as sharing through the Power BI Service. The only difference is that the content is accessed from a different place.
Collaboration
Collaboration differs from sharing in that it’s usually two-way in nature. Two or more people work together to develop content. In the context of Power BI, this task can be analysis of data in a ready-made report, it can be building datasets, report, reports or dashboards together, or it can be management of Power BI tenants and content. In this section we will focus on analysis and content creation. Management of Power BI tenants and content is discussed in Part 2 of this book.
Types of collaboration
In general terms there are two types of collaboration in Power BI. Collaboration as an end user and collaboration as a contributor. End users have view-only permissions and most often collaborate on reports made by others. Contributors most often have write permissions and collaborate on by creating or modifying content. We will discuss each type separately in the coming sections.
End-user collaboration
End-user collaboration is when two or more people work together to create insights from existing reports. In Power BI that is done via the Comments feature. Comments allow users to comment on a report or dashboard and the context is kept. The user can also tag other people within the organization in the comment. This way users can collaborate on getting insights. Power BI reports can also be embedded into other software that allows for direct collaboration. It’s not in the scope of this book to discuss all those options.
Contributor collaboration
Contributors can collaborate on creation and modification of Power BI content by sharing artifacts. As discussed in the sharing section of this chapter, there are several ways to share artifacts. Generally speaking, developers which need to collaborate on a set of Power BI artifacts will place them in a workspace and make sure all the relevant developers have at least member access to it. If developers have the appropriate permissions, they can create or modify artifacts. For contributors such as testers that don’t need write access, you would add them as viewers in the relevant workspace. It’s worth noting that there is no true multi-developer capability in Power BI that allows multiple people to develop the same artifact at the same time, as you often can in software development. It’s possible to work on the dataset at the same time as the report is developed if the report is developed on top of a shared Power BI dataset, but otherwise it’s one developer at a time per artifact.
Promoted dataset
Certified dataset
The meaning of promoted and certified datasets is different from organization to organization. It does not come with any functionality except it moves the dataset higher in the lists of datasets in the workspace. Each organization needs to describe when to use which level of certification. By default, every dataset owner can promote their dataset. To give users the ability to apply the certified label to datasets, you need to add them to a group that has the appropriate permissions. It is recommended to have a limited number of people who can add the certify label and be very consistent in what it means for the dataset. Many organizations only certify datasets that are created and maintained by a central business intelligence team and have gone through rigorous testing to verify that the data is correct, but there is nothing to prevent your organization to create your own process for certified datasets.
Collaboration strategy
Sharing options
Preferred sharing method
Reference to security process
Reference to naming standards
Reference to training material
Sharing options
This section of your process would describe the different ways you can share content in Power BI. It would list the pros and cons of each method as well as the risks it presents. The section would also describe how well each sharing method aligns to the organization’s governance strategy.
Preferred sharing method
This section of your process would describe what the preferred sharing method is. There might be more than one preferred method or there might be only one. If there is more than one method, you should describe when each of them should be used. Example of when only one method is preferred could be
All sharing of dashboards, reports, and datasets to end users should happen via apps.
Example of multiple methods could be
As a general rule, all sharing of dashboards, reports, and datasets to end users should happen via apps.
Exception: When sharing a single report out of many in a workspace, you can use direct sharing. This prevents you from having to create a new workspace and putting in it a duplicate copy of the report. If you directly share the report, you are responsible for making sure only appropriate users have access.
Reference to security process
A collaboration process is tightly connected to the security process. A lot of information will be duplicated between them as both describe how to securely handle Power BI artifacts. The collaboration process is rooted in governance, so it does not necessarily detail the security aspects of sharing and collaborating. In your collaboration process it’s important to link to the security process to easily enable the readers to get to it and get more in-depth information on the security aspect of sharing and collaborating if they need it.
Reference to naming standards
Although a lot of naming is done during development, it’s possible to name apps when you share them with users. Having consistent naming of objects in Power BI will help a great deal with administration and governance. There might be a specific naming standard for Power BI, or there might be a more general naming standard in the organization that is used for Power BI. No matter which, you should link to it from your collaboration process so that your users have easy access to it.
Reference to training material
Even though your collaboration process describes the methods available and which method to use in which situation, it will most likely not describe how to implement them. If you have training material or run regular training sessions, you should link to the training material and/or signup to training sessions. Lots of governance issues come from users who implement things in the wrong way, so clear training material and well-trained developers will go a long way in preventing governance risks.
Monitoring collaboration compliance
Monitoring collaboration compliance is not straightforward. Most of it will be manual. In Power BI there is no way to automatically extract who has access to an artifact. Through the activity log you extract who has accessed the artifact but not who has access. Even though you can extract who has accessed the artifact, it does not tell you if they should have access. If you have information about who should have access to an artifact stored somewhere, it can be compared to those who have accessed the same artifact. If you don’t have it stored anywhere (like most organizations), you will need to do manual audits to verify if there is a breach. For more information on monitoring, please refer to Chapter 16.
Preventive measures
The right training of Power BI developers and consumers can help you a great deal as people who know how to work with Power BI and know the governance strategy well are less likely to cause unintentional breaches.
Another way to prevent breaches is to have tight access control in Power BI development. Make sure there is a separation between development, test, and production workspaces (see Chapter 5) with only few people having access to the production workspace. It’s a tight balance between fast development time and tight governance control so you have to make sure you are not impeding developers too much. If you have many business developers, you might find that too tight of control will feel like you are hindering their productivity. If you have many business intelligence developers, they will most often be used to tight environment control and will not be as challenged by it.
Summary
Sharing and collaboration has many forms. In Power BI the main ways of sharing content are via apps, workspaces, or direct sharing. The recommended way is via apps. There are security risks when sharing Power BI content as, if not done correctly, it can leave data in the hands of unauthorized people.
Collaboration in Power BI is most often around content development, but it’s also possible to comment on reports and dashboards. Using multiple environments (workspaces) can help keep control in collaborative development.
Call to action
Sharing is best done via apps.
When sharing apps, you need to be careful with the extra options on build permission and resharing that are pre-checked.
Collaborating on Power BI development is best done with multiple environments (workspaces).
It’s possible to comment on Power BI reports and dashboards.