Reply
MorelG
Frequent Visitor

Semantic model ownership in a large organization

‎06-26-2024 04:04 AM

Dear community,

I have a question regarding the ownership of semantic models in a large organization. Currently, all our semantic models are owned by individual users, even those that are placed in "Production" workspaces.

Now, let's consider the following scenarios:

  1. When a user leaves the organization, the scheduled refreshes of their models start to fail.
  2. Cloud connections are mostly linked to the owner's personal account.

What is the recommended approach to avoid these kinds of situations?

Labels:
Message 1 of 7
1,962 Views
0
2 ACCEPTED SOLUTIONS
sergej_og
Super User
Super User

‎06-26-2024 06:26 AM

Give permissions to the affected workspace(s) to user remaining in the company.
That users can "take over" the semantic models and afterwards (hopefully) renew the personal user-based cloud connections without issues. To renew personal use-based auth they need access to the sources of course.
Depends on how you have designed your access policies.

Regards.

View solution in original post

Message 2 of 7
1,933 Views
3CloudThomas
Super User
Super User

‎06-26-2024 06:30 AM

This is a similar issue with large on-premises analysis service systems.

Do not have the ownership as a user.

Instead, create a 'service account' in Azure Active Directory (I think it is called Entra Id now) that an Power BI administrator has the password for. You need to assign a Power BI Pro license to this new user. Login to app.powerbi.com with the 'service account' credentials and Take Over by this user. Now, you need to have the 'service account' granted permissions to data sources in order to refresh the data.

If a normal user deployes a new model, it will overwrite the model but not the credentials.

 

Some poeple might say use a service principal, but service principals cannot be granted access to data sources, so you are still stuck with the same problem. Others might say to use credentials in a Data Gateway, still use a 'service account' for this.

View solution in original post

Message 3 of 7
1,930 Views
6 REPLIES 6
3CloudThomas
Super User
Super User

‎06-26-2024 06:30 AM

This is a similar issue with large on-premises analysis service systems.

Do not have the ownership as a user.

Instead, create a 'service account' in Azure Active Directory (I think it is called Entra Id now) that an Power BI administrator has the password for. You need to assign a Power BI Pro license to this new user. Login to app.powerbi.com with the 'service account' credentials and Take Over by this user. Now, you need to have the 'service account' granted permissions to data sources in order to refresh the data.

If a normal user deployes a new model, it will overwrite the model but not the credentials.

 

Some poeple might say use a service principal, but service principals cannot be granted access to data sources, so you are still stuck with the same problem. Others might say to use credentials in a Data Gateway, still use a 'service account' for this.

Message 3 of 7
1,931 Views
pdolan_tapco
Frequent Visitor
In response to 3CloudThomas

‎12-12-2024 07:53 AM

What if you now have MFA, this limits the access of the service account to only one user, does anyone know of a solution for this? (or is this just job security)

Message 5 of 7
1,005 Views
0
PrashantC
Frequent Visitor
In response to pdolan_tapco

‎01-31-2025 08:29 AM

We had some cases of "Microsoft Auth token refresh" which forced many of the model owners to refresh their credentials. I presume this would impact the service accounts too. Can such credential refresh be scrupted for all datsets owned by a user or service account?

Message 7 of 7
605 Views
0
3CloudThomas
Super User
Super User
In response to pdolan_tapco

‎12-12-2024 08:15 AM

The service account would have to have the MFA turned off. The IT Security or Infrastructure team would manage the credentials to insure no one uses the service account for anything else but the connection and semantic model ownership.

Message 6 of 7
996 Views
0
MorelG
Frequent Visitor
In response to 3CloudThomas

‎07-01-2024 05:51 AM

@3CloudThomas, @sergej_og, Thank you, guys! Both of your answers confirmed our thoughts. We now need to decide whether to create 'technical accounts' and determine how many of these accounts we need, considering the cost of the PRO license. Alternatively, we could continue using personal accounts as owners, but we would need to establish proper governance for individuals who leave the organization.

Message 4 of 7
1,888 Views
0
sergej_og
Super User
Super User

‎06-26-2024 06:26 AM

Give permissions to the affected workspace(s) to user remaining in the company.
That users can "take over" the semantic models and afterwards (hopefully) renew the personal user-based cloud connections without issues. To renew personal use-based auth they need access to the sources of course.
Depends on how you have designed your access policies.

Regards.

Message 2 of 7
1,934 Views
avatar user

Helpful resources

Announcements
March PBI video - carousel

Power BI Monthly Update - March 2025

Check out the March 2025 Power BI update to learn about new features.

March2025 Carousel

Fabric Community Update - March 2025

Find out what's new and trending in the Fabric community.

Stop
View All
Top Solution Authors (Last Month)
View All
Top Kudoed Authors (Last Month)
View All