How to Differentiate Between Directly Shared Acces...

Neeraj_I · ‎09-17-2024

I'm looking for a scalable method to differentiate between users with directly shared access and those with workspace-level access in Power BI. Specifically, I need to collect and categorize details of access for a workspace.

For example, for a workspace named TESTWorkspace, I want to differentiate between:

Direct Access:
- XYZ@testemail.com - Read
- XYZ@testemail.com - Read Reshare
- XYZ@testemail.com - Read Write
Workspace Level Access:
- XYZ@testemail.com - Contributor
- YZ@testemail.com - Contributor
- YZ@testemail.com - Contributor
- XYZ@testemail.com - Viewer

As a Fabric Admin, I can view workspace roles and users through the admin portal on app.powerbi.com, but I cannot see details of direct access or permissions at the report level.

Does anyone have a scalable method or solution to extract and differentiate these access details effectively? Any help or guidance would be greatly appreciated!

Thanks in advance.

Anonymous · ‎09-18-2024

Hi, @Neeraj_I

May I ask if you have gotten this issue resolved? If it is solved, please share your solution and accept it as solution, it will be helpful for other members of the community who have similar problems as yours to solve it faster.

If it is not resolved, We hope you can provide us with more detailed information about your problem, and we will do our best to help you solve the problem you are experiencing.

I hope my suggestions give you good ideas, if you have any more questions, please clarify in a follow-up reply.
Best Regards,
Fen Ling,
If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.

Neeraj_I · ‎09-20-2024

Thank you for the intital reply.

I'm looking for the logs that contain a column called 'Permissions.' This page becomes visible when I open the 'Manage Permissions' of any report. I can see two types of details, which I've marked in the screenshot below.

The first section shows a list of users and their permissions, which were added at the report level, either through sharing by someone with read and reshare access.
The second section displays a list of users or groups that were added at the workspace role level. For instance, if someone has contributor access, it will show "Workspace Contributor."

This column can help differentiate between two types of users: those who were added through workspace access via role assignment and those who were directly added or shared at the report level.

While our audit tool captures most of the details, we currently lack a way to identify the access method. I would like to create a field that clearly identifies this, with an output similar to the following:

I need answers for the below.

Which users have been granted direct access to a report, and to which workspace does that report belong?
Which users or groups have access to all the reports in a workspace?
Which users or groups have been assigned roles within the workspace, and what specific roles have they been given?

This process will help us identify the list of workspace owners who are sharing reports directly with end users. We aim to reach out to these owners and promote widely shared reports as an application, where access can be centrally managed through an AD group. This approach will reduce ambiguity and ensure better control and maintenance of access permissions.

Anonymous · ‎09-22-2024

Hi, @Neeraj_I

When you open the corresponding workspace, you can see what reports, semantic models, dashboards, etc. exist in that workspace:

For reports in a workspace, you can manage permission to see which users have been granted direct access:

Then you can see what roles are assigned to users in the workspace in the workspace's manage access:

In workspace, different roles have different permissions:

Roles in workspaces in Power BI - Power BI | Microsoft Learn

I hope my suggestions give you good ideas, if you have any more questions, please clarify in a follow-up reply.
Best Regards,
Fen Ling,
If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.

Neeraj_I · ‎09-23-2024

Thank you so much @Anonymous for taking the time to explain with screenshot.

As a tenant admin, I'm responsible for managing access to over 10,000+ workspaces and 30,000+ reports across our organization. While I understand that roles assigned to a workspace automatically grant certain permissions, I'm facing a challenge in identifying users who have only been granted access to specific reports without having roles assigned at the workspace level.

Currently, it's possible to check report permissions and workspace roles manually by navigating to the "Manage Permission" section of each report and workspace. However, this manual process is unsustainable at scale given the size of our tenant.

What I need:
I'm looking for a way to extract this data at a granular level—essentially a raw dataset that includes:

Users assigned roles at the workspace level.
Users who have been given permissions only to specific reports without any workspace roles.

This data will allow me to build a comprehensive report to answer key questions such as, "Who has access to limited reports but no roles at the workspace level?"

Sample scenario:

If a role is assigned to a user at the workspace level, it grants them permissions across all reports within that workspace. However, if a report is shared directly with a specific user, they will only receive permissions for that particular report and won't be assigned a role at the workspace level.

Example:

Let's say Workspace A contains 10 reports.
User X is assigned the "Contributor" role in Workspace A. This means User X has permissions to edit and manage all 10 reports in the workspace (Read Reshare).

However, imagine User Y is not assigned any role in Workspace A, but a specific report, Report 5, is shared with them. In this case:

User Y will only have permissions to view or interact with Report 5 (depending on the sharing settings).
User Y won't be able to access any other reports in Workspace A, and they won’t appear in the workspace’s list of users with assigned roles.

This distinction is important for tracking permissions across your environment, as users can have granular report-level access without appearing in the workspace’s role list.

Why API access is needed:
Manually consolidating this data by going through each report and workspace would be extremely time-consuming. I need a solution that leverages APIs to retrieve this information for all workspaces and reports across our tenant, so that I can efficiently build and automate reports to monitor user access and security compliance.

Has anyone tackled a similar issue, or could you point me to the relevant API endpoints or scripts to help achieve this? Any suggestions or insights would be greatly appreciated!