Govern workspace access

A short guide on workspace roles clarifies Viewer, Contributor, Member and Admin permissions to prevent accidental data exposure and protect executive reports. Tightening role-based access is a quick governance win for finance teams sharing sensitive P&L and working‑capital dashboards. (x.com/Joseph_opene/status/2039949770589163561)

A short guide laid out the four workspace roles — Viewer, Contributor, Member and Admin — and explained why locking those roles down reduces accidental exposure of sensitive reports and data. (learn.microsoft.com) For finance teams sharing profit-and-loss and working‑capital dashboards, the practical change is simple: distribute polished executive reports as a published app (a bundled, read‑only package of dashboards and reports) and keep raw models and datasets in restricted workspaces to avoid ad‑hoc copying or edits. (learn.microsoft.com 1) (learn.microsoft.com 2)

The role definitions are straightforward:

Viewer can open and interact with dashboards and reports but cannot edit content or change workspace settings (read‑only access). (learn.microsoft.com)

Contributor can create and update reports, datasets, and dataflows inside the workspace (development work) but normally cannot manage membership or app permissions. (radacad.com)

Member has all Contributor capabilities plus the ability to publish, update, or unpublish the workspace app (the packaged view sent to executives). (radacad.com)

Admin has full control, including changing roles, deleting the workspace, and managing workspace settings. (learn.microsoft.com)

Two operational controls matter for governance: licensing and dataset permissions. Most edit and publishing actions require Power BI Pro or Premium Per User licenses, while simple viewing and interacting does not; and dataset “Build” permission — which lets a user create new reports off a shared semantic model — can be granted separately so analysts can build models without gaining full edit rights. (learn.microsoft.com 1) (learn.microsoft.com 2)

Concrete setup that aligns with driver‑based FP&A: keep source ledgers and canonical semantic models in an Admin‑restricted production workspace; give Contributors a separate development workspace to build and test reports; grant Build permission only to senior analysts who need to author driver‑based scenarios; publish a curated app (Viewer audience) that surfaces revenue, margin, and working‑capital KPIs and single‑page executive narratives. (learn.microsoft.com) (learn.microsoft.com)

Use row‑level or object‑level security on the semantic model to enforce data visibility (for example, hide cost‑center columns or limit rows by region) so the Viewer app can safely expose executive metrics while sensitive detail stays locked in the model. (learn.microsoft.com) (learn.microsoft.com)

A tight rule set to enforce immediately: limit Admins to workspace owners, reserve Member role for deployment managers who publish apps, assign Contributors only in development workspaces, and distribute executive content via app audiences and security groups rather than per‑user workspace membership. (radacad.com) (learn.microsoft.com)
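
The rule set above can be checked mechanically against an export of workspace role assignments. The following is an added example, not code from the guide or from Microsoft: the records use the field names of the Power BI REST "Get Group Users" response (identifier, groupUserAccessRight, principalType), while the "stage" label, the owner and publisher allow-lists, and all sample values are assumptions constructed for illustration.

```python
# Added example: audit workspace role assignments against the four rules above.
# All identifiers and the "stage" label are constructed, not from a real tenant.

SAMPLE = {
    "name": "Finance-Prod",
    "stage": "prod",  # assumed labelling convention: "dev" or "prod"
    "users": [
        {"identifier": "owner@example.com", "groupUserAccessRight": "Admin", "principalType": "User"},
        {"identifier": "analyst@example.com", "groupUserAccessRight": "Admin", "principalType": "User"},
        {"identifier": "deploy@example.com", "groupUserAccessRight": "Member", "principalType": "User"},
        {"identifier": "dev1@example.com", "groupUserAccessRight": "Contributor", "principalType": "User"},
        {"identifier": "cfo@example.com", "groupUserAccessRight": "Viewer", "principalType": "User"},
        {"identifier": "sg-exec-readers", "groupUserAccessRight": "Viewer", "principalType": "Group"},
    ],
}


def audit_workspace(workspace, owners, publishers):
    """Return (workspace, identifier, rule) tuples for each violated rule.

    owners     -- identifiers allowed to hold Admin (assumed allow-list)
    publishers -- identifiers allowed to hold Member (assumed allow-list)
    """
    findings = []
    for user in workspace["users"]:
        who = user["identifier"]
        role = user["groupUserAccessRight"]
        if role == "Admin" and who not in owners:
            rule = "Admin held by someone who is not a workspace owner"
        elif role == "Member" and who not in publishers:
            rule = "Member held by someone who does not publish apps"
        elif role == "Contributor" and workspace["stage"] != "dev":
            rule = "Contributor assigned outside a development workspace"
        elif role == "Viewer" and user["principalType"] == "User":
            rule = "Viewer granted per user instead of via group or app audience"
        else:
            continue  # assignment is consistent with the rule set
        findings.append((workspace["name"], who, rule))
    return findings


if __name__ == "__main__":
    for finding in audit_workspace(SAMPLE, {"owner@example.com"}, {"deploy@example.com"}):
        print(" | ".join(finding))
```
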
