Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Enhance your career with this limited time 50% discount on Fabric and Power BI exams. Ends August 31st. Request your voucher.

info248

Manage report access approval by AD group

Submitted by on ‎11-10-2023 12:41 AM

When users request report access, we receive these nice messages in Teams (and by email) to grant access to a great report.

It is always very tempting to click on "grant access", but this only gives 1 user direct access to 1 report.


This bypasses all the best practices that are out there to “manage security by groups, give access to groups” etc…

Most people will manage audiences of a report by AD group, provide RLS role membership by AD group, all to avoid managing individual accesses.


But then PowerBI asks “do you want to give this person direct access to this report”, which defeats the purpose of having these best practices in place.


My idea for managing this security is when a users requests access to a report or App, a dialog comes up and asks “in which AD group do you want to add this person?”.

PowerBI knows which groups have access to a report or which groups are in audiences of an app. It would then manage the AD group access, and not fiddle with adding individuals to the report permissions.

If there are no groups with access to the report, it can revert to direct access.

Status: New
See more ideas labeled with:
2 Comments (2 New)
Comments
Rick_Hoffman
New Member
‎02-07-2025 02:00 PM

I completely agree that AD groups should control access. In our enterprise, we govern all data access with AD security groups. Individual user grants defeats the best practices and make attestation of who has access to what data very difficult.

fbcideas_migusr
New Member
‎02-25-2025 12:33 AM
Status changed to: New