MorelG
Frequent Visitor

Semantic model ownership in a large organization

Dear community,

I have a question regarding the ownership of semantic models in a large organization. Currently, all our semantic models are owned by individual users, even those that are placed in "Production" workspaces.

Now, let's consider the following scenarios:

  1. When a user leaves the organization, the scheduled refreshes of their models start to fail.
  2. Cloud connections are mostly linked to the owner's personal account.

What is the recommended approach to avoid these kinds of situations?

2 ACCEPTED SOLUTIONS
sergej_og
Super User

Give permissions to the affected workspace(s) to users remaining in the company.
Those users can "take over" the semantic models and afterwards (hopefully) renew the personal user-based cloud connections without issues. To renew personal user-based auth they need access to the sources, of course.
It depends on how you have designed your access policies.

Regards.


3CloudThomas
Super User

This is a similar issue with large on-premises analysis service systems.

Do not have the ownership as a user.

Instead, create a 'service account' in Azure Active Directory (I think it is called Entra ID now) that a Power BI administrator has the password for. You need to assign a Power BI Pro license to this new user. Log in to app.powerbi.com with the 'service account' credentials and Take Over by this user. Now, you need to have the 'service account' granted permissions to data sources in order to refresh the data.

If a normal user deploys a new model, it will overwrite the model but not the credentials.

Some people might say use a service principal, but service principals cannot be granted access to data sources, so you are still stuck with the same problem. Others might say to use credentials in a Data Gateway; still use a 'service account' for this.


5 REPLIES 5
What if you now have MFA? This limits the access of the service account to only one user. Does anyone know of a solution for this? (Or is this just job security?)

The service account would have to have the MFA turned off. The IT Security or Infrastructure team would manage the credentials to ensure no one uses the service account for anything else but the connection and semantic model ownership.

@3CloudThomas, @sergej_og, Thank you, guys! Both of your answers confirmed our thoughts. We now need to decide whether to create 'technical accounts' and determine how many of these accounts we need, considering the cost of the PRO license. Alternatively, we could continue using personal accounts as owners, but we would need to establish proper governance for individuals who leave the organization.
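One way to audit the ownership risk discussed in this thread, as an added example that is not part of any post: it flags refreshable semantic models whose owner has left or is a personal account. The dataset records are constructed, shaped like the Power BI REST API dataset list (`configuredBy`, `isRefreshable`); the account lists, addresses and function names are assumptions.

```python
import json

# Constructed sample, shaped like the "value" array of a Power BI REST API
# dataset listing for one workspace.
SAMPLE_DATASETS = json.loads("""[
 {"id": "ds-1", "name": "Sales", "configuredBy": "alice@example.com", "isRefreshable": true},
 {"id": "ds-2", "name": "Finance", "configuredBy": "bob@example.com", "isRefreshable": true},
 {"id": "ds-3", "name": "HR", "configuredBy": "svc-pbi@example.com", "isRefreshable": true},
 {"id": "ds-4", "name": "Lookup", "configuredBy": "bob@example.com", "isRefreshable": false},
 {"id": "ds-5", "name": "Ops", "configuredBy": "Carol@Example.com", "isRefreshable": true}
]""")

# Constructed directory export: enabled accounts and designated service accounts.
ACTIVE_ACCOUNTS = {"alice@example.com", "carol@example.com", "svc-pbi@example.com"}
SERVICE_ACCOUNTS = {"svc-pbi@example.com"}

# Lower number = more urgent.
SEVERITY = {"owner-departed": 0, "unknown-owner": 1, "personal-account": 2}

def classify_owner(owner, active, service):
    """Return the ownership status for one model owner (UPN compared case-insensitively)."""
    owner = (owner or "").strip().lower()
    if not owner:
        return "unknown-owner"
    if owner not in active:
        return "owner-departed"      # scheduled refresh will fail or already has
    if owner in service:
        return "service-account"     # the setup recommended in the accepted answer
    return "personal-account"        # works today, breaks when the person leaves

def audit(datasets, active, service):
    """List (status, model name, owner) for refreshable models needing attention."""
    active = {a.lower() for a in active}
    service = {s.lower() for s in service}
    findings = []
    for ds in datasets:
        if not ds.get("isRefreshable", False):
            continue                 # no scheduled refresh to break
        status = classify_owner(ds.get("configuredBy"), active, service)
        if status != "service-account":
            findings.append((status, ds["name"], ds.get("configuredBy") or ""))
    return sorted(findings, key=lambda f: (SEVERITY[f[0]], f[1]))

if __name__ == "__main__":
    for status, name, owner in audit(SAMPLE_DATASETS, ACTIVE_ACCOUNTS, SERVICE_ACCOUNTS):
        print(f"{status:17} {name:10} {owner}")
```
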
