Dear community,
I have a question regarding the ownership of semantic models in a large organization. Currently, all our semantic models are owned by individual users, even those that are placed in "Production" workspaces.
Now, let's consider the following scenarios:
What is the recommended approach to avoid these kinds of situations?
Give permissions to the affected workspace(s) to a user remaining in the company.
That user can "take over" the semantic models and afterwards (hopefully) renew the personal user-based cloud connections without issues. To renew personal user-based auth, they need access to the sources, of course.
Depends on how you have designed your access policies.
Regards.
This is a similar issue with large on-premises analysis service systems.
Do not have the ownership as a user.
Instead, create a 'service account' in Azure Active Directory (I think it is called Entra ID now) that a Power BI administrator has the password for. You need to assign a Power BI Pro license to this new user. Log in to app.powerbi.com with the 'service account' credentials and Take Over by this user. Now, you need to have the 'service account' granted permissions to data sources in order to refresh the data.
If a normal user deploys a new model, it will overwrite the model but not the credentials.
Some people might say use a service principal, but service principals cannot be granted access to data sources, so you are still stuck with the same problem. Others might say to use credentials in a Data Gateway; still use a 'service account' for this.
@3CloudThomas, @sergej_og, Thank you, guys! Both of your answers confirmed our thoughts. We now need to decide whether to create 'technical accounts' and determine how many of these accounts we need, considering the cost of the PRO license. Alternatively, we could continue using personal accounts as owners, but we would need to establish proper governance for individuals who leave the organization.
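Added example, not part of the thread or any poster's code: whichever option is chosen, the governance check is the same, namely listing production semantic models whose owner is not the agreed account and queuing them for Take Over. The sketch below runs over a constructed inventory using the `configuredBy` and `workspaceId` fields of the Power BI admin dataset listing; the account name, workspace IDs and leaver list are hypothetical.

```python
"""Flag production semantic models whose owner is not an approved service account."""

TAKEOVER_URL = ("https://api.powerbi.com/v1.0/myorg/groups/{workspace}"
                "/datasets/{dataset}/Default.TakeOver")
LEFT = "owner has left the organisation"

# Assumptions (hypothetical names): the owning account and the production workspaces.
APPROVED_OWNERS = {"svc-powerbi@contoso.example"}
PRODUCTION_WORKSPACES = {"ws-prod-finance", "ws-prod-sales"}

# Constructed sample shaped like an admin dataset listing (real IDs are GUIDs).
SAMPLE_INVENTORY = [
    {"id": "ds-001", "name": "Finance P&L", "workspaceId": "ws-prod-finance",
     "configuredBy": "Anna.Berg@contoso.example"},
    {"id": "ds-002", "name": "Sales Pipeline", "workspaceId": "ws-prod-sales",
     "configuredBy": "svc-powerbi@contoso.example"},
    {"id": "ds-003", "name": "HR Sandbox", "workspaceId": "ws-dev-hr",
     "configuredBy": "li.wei@contoso.example"},
    {"id": "ds-004", "name": "Inventory", "workspaceId": "ws-prod-sales",
     "configuredBy": "li.wei@contoso.example"},
    {"id": "ds-005", "name": "Orphan model", "workspaceId": "ws-prod-finance",
     "configuredBy": None},
]


def audit_owners(datasets, approved=APPROVED_OWNERS,
                 production=PRODUCTION_WORKSPACES, leavers=frozenset()):
    """Return findings for production models not owned by an approved account."""
    approved = {a.lower() for a in approved}
    leavers = {u.lower() for u in leavers}
    findings = []
    for ds in datasets:
        if ds["workspaceId"] not in production:
            continue  # only production workspaces are in scope
        owner = (ds.get("configuredBy") or "").strip().lower()
        if owner in approved:
            continue
        if not owner:
            reason = "no owner recorded"
        elif owner in leavers:
            reason = LEFT
        else:
            reason = "owned by a personal account"
        findings.append({
            "name": ds["name"], "owner": owner or None, "reason": reason,
            # Endpoint the approved account would POST to in order to take over.
            "takeover_url": TAKEOVER_URL.format(workspace=ds["workspaceId"],
                                                dataset=ds["id"]),
        })
    # Leavers first, then alphabetically by model name.
    return sorted(findings, key=lambda f: (f["reason"] != LEFT, f["name"]))
```

Feeding the leaver list from the HR offboarding process turns this into a check that can run before an account is disabled rather than after a refresh fails.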