Over the years, we’ve developed a perspective on what good governance looks like within the Tableau ecosystem. We wrote an introductory blog about that here and expanded on that with this series. But lately, we’ve been intrigued by Microsoft Fabric, so we’ve decided to apply what we know about governance from Tableau to Power BI and the broader Fabric ecosystem.
If you’re new to Microsoft Fabric, think of it like Tableau Server or Tableau Cloud: a place to develop and share analytics content. But it’s also much broader than Tableau Server or Cloud because it also serves as a unified platform for other parts of the analytics process like data ingestion, data transformation and data science. For this article, we’ll focus analytics content like dashboards (or reports, as they are called in Power BI) since that’s the bulk of the analytics content that end users will interact with in Fabric.
In this mini-series on governance in Microsoft Fabric, we’ll break things down through three different lenses:
- Users: Licenses, Roles and Capabilities
- Content: Organization and Subdivision
- Content: Certification, Promotion, and Deployment
In this article, we’ll cover the essential things related to users.
User Licenses Establish an Upper Limit on Capabilities in Both Tableau and Power BI
An essential foundation to good content governance is ensuring that users have the right roles, capabilities and access. In Tableau, a user’s roles and capabilities are impacted across the entire server by their license level, which can be Viewer (fewest capabilities — can only view and interact), Explorer (medium capabilities — can view and web edit dashboards) or Creator (most capabilities — can create dashboards and data sources).
Above: Current Tableau Cloud license pricing as of February 2024
Power BI (when using Microsoft Fabric as the distribution platform rather than Power BI Service) also has three user license options.
Above: Current Power BI in Fabric license pricing as of February 2024
But the capabilities each license type has also depend on whether the Fabic workspace is in shared or Premium capacity:
Here’s a quick summary of how user licenses establish upper limits on what users can do:
- Free license – This allows users to develop their own Power BI content, though they cannot share it with anyone. Free users can only consume content produced by others if their workspace is in Premium capacity (which costs $5k/month).
- Power BI Pro – This license allows users to create and share Power BI reports with other users who also have a Pro license (as well as free users when working in Premium capacity workspace).
- Power BI Premium – This license allows user to do everything that Pro user can do plus access premium features like more frequent data refreshes, support for larger data models and deployment pipelines to manage the lifecycle of Power BI content. For a full list of Premium features, click here.
It’s important to note that, while individual license pricing may make Power BI seem more affordable, there are many other cost considerations (like the $5k/month cost to upgrade workspaces to premium capacity) that make total cost of ownership a much more nuanced calculation.
Roles Can Fine Tune Users’ Capabilities, but You Have More Options in Tableau
In Tableau, users can be assigned site roles to establish their capabilities across an entire site. These roles generally align with users’ licenses (Viewer licenses get viewer roles, Creator licenses get Creator roles) but users can technically be downgraded (a user with an Explorer license might have explorer capabilities on one site but only viewer capabilities on another site).
Tableau also allows you to fine-tune user capabilities by altering permissions at the project level or even for individual pieces of content. You can override the default permissions set by a user’s site role if you want to restrict their ability to filter, download images or data or a variety of other capabilities.
Above: In this image, we can see that Maris has custom permissions for this project, restricting her ability to do things like download full data.
In Power BI, users’ roles are set at the workspace level. (We’ll talk about workspaces in the next article, but for now think of them like folders.) While users with free licenses can only be assigned a Viewer role, all other license types can be assigned any of the four roles: Viewer, Contributor, Member or Admin. Below is a summary from Microsoft of the Power BI-related capabilities for each role:
Unlike Tableau, once a users’ role has been assigned for a workspace, there are not many options for customizing their capabilities for groups or individual pieces of content. For the most part, users are locked into the capabilities of their role within that workspace and their capabilities apply to all content shared in that workspace (unless you apply restrictions to the data source via row-level or object-level security).
If you want to adjust permissions for individual content within Fabric, the only option you can edit is whether Contributors or Viewers have the ability to reshare content. Members and Admins have all content permissions and that cannot be changed unless you adjust their role.
Above: Unlike Tableau, Fabric and Power BI only allow minor adjustments to role capabilities at the content level
A Brief Note About User Groups to Wrap Up
Licenses and roles are the most important aspects that affect user capabilities, but we should also say a brief word about how user groups can be leveraged in Tableau and Power BI. In Tableau, you can create groups directly in Tableau Server or Tableau Cloud to manage permissions at the group level, rather than individual user level. Organizations often sync these groups from an identity management system, like Active Directory.
Power BI users cannot create their own user groups directly from the Power BI experience in Microsoft Fabric. Groups are maintained further upstream through Microsoft Entra (formerly Azure AD) which allows Fabric to use those groups throughout all its experiences (Power BI, Data Factory, Synapse, etc.). In order to access group management options, users need to have a Fabric admin role, so people who play a Power BI admin role will likely need to work with their Fabric administrators to ensure they have appropriate groups.
That covers the important basics about users, licenses, roles and capabilities. We’ll continue this governance series with tips about content organization next. Check below if you’d like to read on!