Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Enhance your career with this limited time 50% discount on Fabric and Power BI exams. Ends August 31st. Request your voucher.

Reply
Adit1
New Member

Handling Folder-Level Permissions and Workspace Management

‎07-01-2025 07:18 AM

Hi Community,

We are planning to migrate from Tableau to Power BI and would appreciate some guidance regarding workspace and access level management.

In our current Tableau environment, we have around 1,000 dashboards spread across multiple sites. Each site contains several project folders, and we use folder-level access controls extensively to manage permissions for different teams and departments.

As I understand it, Power BI uses workspaces for content organization and access control, but unlike Tableau, Power BI does not support permission settings within folders inside a workspace. This poses a challenge for us, as replicating our current access model would require creating a very large number of workspaces, potentially 1,000 or more to maintain the same level of access control granularity.

My questions:

What are the best practices for handling this kind of migration, especially with respect to maintaining access controls?

Is there a scalable way to manage permissions in Power BI without creating thousands of workspaces?

Are there any third-party tools, scripts, or strategies that can help manage or automate workspace creation and permission assignments?

How have other organizations with similar Tableau setups handled this transition?

Any insights or shared experiences would be greatly appreciated. Thanks in advance!

Labels:
Message 1 of 10
396 Views
0
1 ACCEPTED SOLUTION
djurecicK2
Super User
Super User
In response to Adit1

‎07-01-2025 09:17 AM

Hi @Adit1 ,

 I'm not sure I can answer all of those questions, but I can try to point you in the right direction to get more information about Fabric and Power BI.

 

There are roles within a workspace that can help you handle many editors and viewers. A best practice is to create groups like an editor and viewer group, assign the appropriate workspace role to each group and then add users to these groups:

https://learn.microsoft.com/en-us/fabric/fundamentals/roles-workspaces

 

If you need more granular permissions within a workspace, you can also assign permissions to specific items within a workspace like so:

https://learn.microsoft.com/en-us/fabric/security/permission-model#item-permissions

 

Here is more information about organizing workspaces. Fabric also has the concept of Domains which group multiple workspaces. 

https://www.youtube.com/watch?v=EP-Sxz_lBC4

https://www.youtube.com/watch?v=H6SmdqFbhE0

 

Here are some best practices around data pipelines:

https://www.youtube.com/watch?v=Zp1xRXJl86E

 

View solution in original post

Message 4 of 10
361 Views
9 REPLIES 9
v-sgandrathi
Community Support
Community Support

‎07-01-2025 10:31 PM

Hi @Adit1,

Happy to see you here in the Microsoft Fabric Community!

To address your questions, please consider the following key points:
Managing Editors and Viewers:

For efficient role management in your organization, it's best to use Azure Active Directory (AAD) Security Groups. Set up groups like BI_Editors_Sales and BI_Viewers_Sales, and assign them roles at the workspace level, use Member for report editors and developers, and Viewer for business users as needed. Avoid assigning individual users directly to workspaces; security groups make onboarding and offboarding much easier. To prevent over-provisioning, keep workspace Admin roles limited to a select group of trusted users.

Organizing Workspaces for Engineering and BI:

Rather than mapping each Tableau folder to an individual Power BI workspace, consider using a functional or domain-driven workspace structure. For instance, you could set up workspaces like Sales_Analytics, HR_Data_Engineering, or Marketing_BI_Pipelines. A clear approach is to have dataflows and datasets managed by Data Engineering teams, while reports and dashboards are created by BI developers. Depending on your team setup, this can be handled in a shared workspace or divided into Sales_DataFoundation and Sales_BIApps. You can also use Microsoft Fabric Domains to group related workspaces by department, function, or project.

Leveraging Apps and Audience Targeting

For business users, it’s best to provide content through Power BI Apps instead of direct workspace access. This approach offers a secure, organized, and scalable viewing experience. By using Audience Targeting, you can customize the content each group receives from the same app. For example, Sales can view sales reports, while Finance sees only financial dashboards, all managed within one app. This method keeps content clear and eliminates the need to duplicate workspaces.

Deployment Pipelines for CI/CD:

Power BI’s Deployment Pipelines are recommended for implementing a Dev–Test–Prod release workflow. They allow you to assign datasets, reports, and dashboards to each stage, and use pipeline rules to automatically update dataset parameters like connection strings or environment variables. Using a clear naming convention (such as Sales_Report_Dev and Sales_Report_Prod) helps keep content and workspaces organized across stages, supporting better governance and reducing deployment risks.

 

Overview of Fabric deployment pipelines - Microsoft Fabric | Microsoft Learn

 

Governance and Automation at Scale

When managing environments with a large number of reports, automation becomes essential. Use the Power BI REST API or PowerShell Cmdlets to automate workspace creation, assign AAD groups to appropriate roles, and regularly audit both access and usage. Effective governance should also cover:

  • Consistent naming conventions such as Dept_Environment_Object
  • Role-Based Access Control (RBAC) using AAD security groups
  • Regularly scheduled access reviews and usage audits

Power BI REST APIs for embedded analytics and automation - Power BI REST API | Microsoft Learn


@djurecicK2 have already provided nearly all the required documents and responses. Thank you for your reply.

Regards,
CST Member.

Message 7 of 10
308 Views
Adit1
New Member
In response to v-sgandrathi

‎07-06-2025 11:18 AM

Hi @v-sgandrathi  and @djurecicK2  Thank you for the comprehensive recommendations. I will move forward with implementing AAD security groups for role management and adopt a functional workspace structure aligned to domains. I will also transition business users to consuming content via Power BI Apps with audience targeting, and begin leveraging deployment pipelines for Dev-Test-Prod workflows. This gives us a solid direction and I appreciate the clear guidance from you and @djurecicK2 

Message 9 of 10
193 Views
0
v-sgandrathi
Community Support
Community Support
In response to Adit1

‎07-07-2025 03:57 AM

Hi @Adit1,

 

Thank you for the update and glad to hear the recommendations were helpful. Moving towards AAD security groups, domain-aligned workspace structure, and Power BI Apps with targeted audiences will definitely streamline access management and improve overall governance.

If it is solved, please mark the helpful reply or share your solution and accept it as solution, it will be helpful for other members of the community who have similar problems as yours to solve it faster.

 

Thank you.

Message 10 of 10
181 Views
0
v-sgandrathi
Community Support
Community Support
In response to v-sgandrathi

‎07-05-2025 06:08 AM

Hi @Adit1,

 

Just wanted to check regarding your question. We haven’t heard back and want to ensure you're not stuck. If you need anything else or have updates to share, we’re here to help!

 

Thank you.

Message 8 of 10
236 Views
0
djurecicK2
Super User
Super User

‎07-01-2025 08:43 AM

Hi @Adit1 ,

 Are most of your users editing the reports, or do they have read-only access? If the majority are read only, you could look into workspace apps or the newer org apps combined with audiences.

 

Workspace apps:

https://learn.microsoft.com/en-us/power-bi/collaborate-share/service-create-distribute-apps

 

Org apps:

https://learn.microsoft.com/en-us/power-bi/consumer/org-app-items/org-app-items

 

More info:

https://medium.com/microsoft-power-bi/first-look-at-the-new-organizational-apps-for-power-bi-fabric-...

 

Message 2 of 10
381 Views
Adit1
New Member
In response to djurecicK2

‎07-01-2025 08:55 AM

Thank you for your input! In our environment, many users will have editing rights mostly our report developers and data engineers while business users will largely have viewer access. We plan to have dataflows, pipelines, and data warehouse datasets etc organized within workspaces as the collaboration containers.

To help us design an effective access model, I would like to get advise on below:

  • How best to manage workspace roles when there’s a mix of many editors and many viewers?

  • Strategies for workspace organization given we will have data engineering and business intelligence assets together.

  • Recommendations on using apps and audience targeting in this mixed access scenario.

  • Also, how can we best handle deployment pipelines for continuous updates in such a structure?

Additionally, we would appreciate any governance best practices or automation approaches for managing permissions at scale.

Thanks in advance!

Message 3 of 10
371 Views
0
djurecicK2
Super User
Super User
In response to Adit1

‎07-01-2025 09:17 AM

Hi @Adit1 ,

 I'm not sure I can answer all of those questions, but I can try to point you in the right direction to get more information about Fabric and Power BI.

 

There are roles within a workspace that can help you handle many editors and viewers. A best practice is to create groups like an editor and viewer group, assign the appropriate workspace role to each group and then add users to these groups:

https://learn.microsoft.com/en-us/fabric/fundamentals/roles-workspaces

 

If you need more granular permissions within a workspace, you can also assign permissions to specific items within a workspace like so:

https://learn.microsoft.com/en-us/fabric/security/permission-model#item-permissions

 

Here is more information about organizing workspaces. Fabric also has the concept of Domains which group multiple workspaces. 

https://www.youtube.com/watch?v=EP-Sxz_lBC4

https://www.youtube.com/watch?v=H6SmdqFbhE0

 

Here are some best practices around data pipelines:

https://www.youtube.com/watch?v=Zp1xRXJl86E

 

Message 4 of 10
362 Views
Adit1
New Member
In response to djurecicK2

‎07-06-2025 10:39 AM
Hi djurecicK2, Thank you very much for your valuable inputs. I am checking on the roles in workspace and also checked on creating multiple apps in the workspace to manage the permissions for user groups. I understand we can't replicate the granular kind of user acecss policies like we do in Tableau sites and projects. I will check on domains specific access management since this is very critical for us.
Thank you again!
Message 6 of 10
197 Views
0
Adit1
New Member
In response to djurecicK2

‎07-06-2025 10:38 AM

Hi @

Hi djurecicK2, Thank you very much for your valuable inputs. I am checking on the roles in workspace and also checked on creating multiple apps in the workspace to manage the permissions for user groups. I understand we can't replicate the granular kind of user acecss policies like we do in Tableau sites and projects. I will check on domains specific access management since this is very critical for us.
Thank you again!
Preview
 
 
 
Message 5 of 10
200 Views
0

Helpful resources

Announcements
July 2025 community update carousel

Fabric Community Update - July 2025

Find out what's new and trending in the Fabric community.

July PBI25 Carousel

Power BI Monthly Update - July 2025

Check out the July 2025 Power BI update to learn about new features.

View All