This past week, groups in Power BI came up multiple times. This post is to give a quick overview of what you can and cannot currently do with groups in Power BI V2. This info is as of mid Sept 2015; features and functionality are evolving fast and furious so be sure to verify at a later date.
**Updates to this post since it was originally published mid Sept 2015:
- 9/23/15 due to release of new Group sharing functionality
- 10/23/15 due to release of read-only members within Groups
- 11/1/15 due to addition of support for sharing to Active Directory security groups
In V1 of Power BI, I was a big fan of using SharePoint Online sites and document libraries to organize content by subject area and/or serve as a security boundary. Groups are the replacement in Power BI V2 for organizing content and/or securing content for groups of users. Since groups represent an organizational feature, they're only available to Power BI Pro users (not the free version of Power BI).
What Are Power BI Groups?
Groups in Power BI are not really "just" Power BI Groups. Rather, they are Office 365 unified groups which can be used across a number of apps. The type of groups we'll see exposed in Power BI are similar to distribution groups (but a little different from distribution groups & security groups). A new O365 unified group gets a group e-mail account, file space in a OneDrive location, shared calendar, and other collaboration features. You can set up Azure Active Directory Sync (AADSync) to synchronize on-premises AD group members with Office 365 group members.
The first thing to be aware of when evaluating use of groups is that there are multiple types of workspaces in Power BI: My Workspace and Group Workspace. Each type of workspace can contain its own datasets, reports, and dashboards. As you would expect, each user has only one My Workspace whereas there can be numerous Group Workspaces.
To see Groups in the Power BI web portal, click the arrow (chevron) at the top left. It points up or down depending on whether the group list is expanded or not.
Using the + sign you can create a new O365 unified group for use in Power BI.
Each group that the logged-in user is a member of will appear in the list of group workspaces.
How Does Sharing & Security Work with Groups in Power BI?
First let's talk about sharing out of My Workspace. You can share a dashboard with one or more coworkers out of your personal workspace. Note that you cannot share reports or datasets from My Workspace.
Within a Group Workspace, however, you have two choices:
- Share the dashboard with a recipient. Just like in My Workspace, sharing a dashboard is a read-only for the recipient. The recipient will see the shared dashboard within their own personal workspace. Or,
- Add a user as a member of the group. The group members will view the content within the group itself (rather than in their personal workspace).
Therefore, the Group Workspace offers a lot more flexibility than dashboards shared out of My Workspace because group members can utilize dashboards, reports and possibly datasets depending on member permissions.
For all members in a group, the member permissions can be set to either:
- Members can edit Power BI content, or
- Members can only view Power BI content
Notice in the following screen shot how the privacy setting for edit vs. view applies to all members in the group. At the individual member level, I can specify an individual to be Member or Admin. However, what I cannot do is specify the type of member, edit vs view, at the individual user level.
Be sure to devote some time to planning how you want security of groups to work as it relates to delivering content organized by subject area, topic, user base, etc.
What Group Members See in Power BI
For members in a group that are set to view only, note how they don't see the Datasets, nor is the Edit Report menu option enabled:
Alternatively, as you expect, for members with edit capabilities, they see everything in the group, and have the ability to edit all objects in the group:
Ways to Publish Read-Only Content in Power BI
To summarize overall options, there's four ways I'm aware of to share read-only content:
First option is to share dashboards via your personal workspace. That ensures the recipient does receive a read-only copy. In this situation, only one person (the original author that did the sharing) can make edits. **Note: this is not a great practice for critical reporting - if the original author leaves the company, it is a hassle to reset the password and get into their account to retrieve original items--especially because we cannot yet export datasets/reports/dashboards from the Power BI services. It's better to use groups for housing original content that is important to a number of users.**
Second alternative is to share dashboards via group workspace. That ensures the recipient receives a read-only copy. Any group admin or members with edit permissions can edit the original content.
Third way is to add "view only" members to a group. In this case, users will go to the group to view content, rather than their My Workspace. This is helpful when you want to organize content across subject areas. In this situation, only group admins will be able to edit the original content (because *all* members will be view only).
Fourth option is to publish the content via an organizational content pack. Individual users can use the "Get Data" functionality to discover the content. They'll bring the dataset / report / dashboard into their own My Workspace. If the user wishes to make changes, Power BI will prompt them to create a second (personalized) copy. This is a good option, but two copies could get confusing for some users. Also, this isn't a big deal, but it does put the "burden" on individual users to go out and find the content via Get Data. Neither are deal breakers, but something to be aware of depending on the user base. Another thing to keep in mind is that if a user personalizes something they got from a content pack, there's nothing preventing them from turning around and sharing their personalized dashboard back out again.
A Few More FYIs About Using Groups
The view only setting for group members is only acknowledged inside of Power BI. Which means the view only permissions does *not* translate to files in OneDrive for that O365 unified group (though a recent webcast indicated that OneDrive continues to respect the first edit vs. view-only setting that was specified for a group & that a subsequent change would *only* affect Power BI and not OneDrive for the group--definitely test it and see though). Specifically, this impacts Excel files that are uploaded to OneDrive so that Power BI can connect to them and launch an Excel Services window for viewing. As other report types continue to be integrated with Power BI (such as SSRS), it'll be interesting to see how this evolves.
Also, it appears that groups created outside of Power BI don't have the capability enabled to set view-only vs edit permissions for the members. So be sure to keep an eye on this as you're setting things up. If you can create the unified group directly in Power BI, that seems to work most seamlessly.
After a new group has been created in Power BI (or People or OWA), it will appear in the Office 365 Admin Center (you need to have Office 365 administrator privileges in order to get to this area).
I noticed that groups created directly in the O365 Admin Center Groups pane don't show up in Power BI. At first I thought that was a problem. However, after a bit of research, I understand that it's because when using the O365 Admin Center Groups pane (shown in the screen shot above) it's created as a security group rather than the new-fangled O365 group. However, if you create a group through the People section or OWA or Power BI, it'll be created as a the type of group which can be utilized in Power BI like we expect.
Also, I've not had a chance to test this but I've read that if you have any policies set up (for group naming, mailbox policies, etc), the Power BI group creation process isn't necessarily yet aware of all policies. Since by default any user can create a group, some system administrators have set up policies to get around this to avoid disorganization. So you'll want to test that out to verify as well.