SqlSat Victoria governance for PowerBI

Governance for PowerBI
Yana Berkovich
@yana_Berkovich
YanaBerkovich.com

Please Thank & Support our Sponsors
Silver Sponsor:
SQL Saturday is made possible with the generous support of these sponsors.
You can support them by opting-in and visiting them in the sponsor area.
Bronze Sponsor:
Global Alliance Partner: Venue & Internet Sponsor:
Operations Support:
Endless Support from:
OGMA Consulting Corp.

About Me
BI Analyst & DEV, Data Platform MVP
Consultant, Product Manager
Member of BI, BA, SharePoint, O365, PM communities
Data Platform Consultant & O365 Consultant –
https://www.linkedin.com/in/yanaberkovich
http://yanaberkovich.com
@Yana_Berkovich

Agenda
What is Governance?
Information Access Policy Groups/Workspaces
Sharing vs Publishing
Licensing Policy – Who is important enough??
Visual Governance
Reporting the reports
Enforcing?
Best Practices and Lessons (already) Learned…

What is Governance? (In the IT context)
A formal framework that provides a structure for
organizations to ensure that IT investments support
business objectives.
ITIL – Information Technology Infrastructure Library is a
Governance Framework
GRC – Governance Risk & Compliance is another
Framework established in 2000 in US for large
corporations
ISO 27001 – is the IT related framework

What are we using PowerBI for?
Connect to
Data sources
Create
Reports/
dashboards/
Applications
Collaborate
and Share
Access Data
Insights

What is currently part of PowerBI
Power BI desktop
Power BI Desktop is the report authoring tool - https://powerbi.microsoft.com/en-us/desktop
Access data from various data sources and transform them for your reporting needs
Power BI Service – Pro/ Premium (Capacity, Licensing and Monitoring)
Browser based portal - https://app.powerbi.com
Share and collaborate with your collogues and wider audience
PowerBI Report Server
On premise solution for organizational reporting
PowerBI Mobile
Mobile Application, can be connected to your PowerBI on pemise or the cloud
PowerBI Data Gateway
Install in your organization, to enablesecure data connection (same as for PowerApps)
Embeded Analytics
PowerBI in Azure, set powerBI when needed, in the Azure portal
Use PowerBI REST API & JS to embed in your applications

It is Self Service BI so why
Governance?
Don’t let it be the new white elephant
Fast corporate reporting
Measure the usability and the impact of your
reporting
Information security
Corporate Culture
Regulations
Reporting to Stakeholders

The Essential Slide to understand where
the data goes and where it comes from
Apps
Reports
O365
Premium with
dedicated
storage
Server

Data Lifecycle
Create
Store
UseShare
Archive
Delete

Where is Governance involved?
Who can Edit?
How and who access Data Source?
Templates and custom visuals to use
On
Prem
DB
Direct Query?
Cash/import data?
Who can consume?
Similar across devices?
Special authentication?
Design
Data Integrity
Scheduled
connections

O365 tools to help Data Governance
Data Retention –
Labels
Policies
Sharing – Groups vs Workspaces
Archiving – if the data source in
o365
Delve – Check the results to find
slips in data governance

Let’s start with the most celebrated topic…
(Credits: @geek_king)

Security
Dave against the information security – the human error
When sharing publicly - I can tweet it and everybody in the world can see! It is just a link
Sending the reports as a .pbix file– no encryption, no permissions, anyone can download
desktop version and access
Well print screens…
Watch the groups! Who is in your group/Workspace? Does she still work here?
Is the report shared with all the group members?
What are the specific roles assigned to group members?
How is it different from O365? It is!
Create alerts for access/changes in groups
Create group review schedule
Premium capacity – dedicated access report

Data Security – Who can Access my data??
Access Management can be done through groups to the groups Workspace
The Access management through groups can be done directly in O365 –
People or through PowerShell
External Business Users with O365 B2B
Premium capacity - External users including token based authentication
Premium gives
view access to
entire org
Pro – only
other Pro users
can view
B2B/ Embedded
gives external
share

The “Old Workspace”
How to add people to your Group?
Use Groups to manage peoples
access to your PowerBI
Workspaces
Similar to Outlook distribution lists
Permissions types:
Owners
Guests
Governance – You have a
group I have a group
Everybody can have a
group!!!!!
Vignesh's SharePoint Thoughts

Directory Management – Groups
Policy in azure ad allows admin to restrict group creation only on outlook and all group applications
Multi domain support
Working on policy for group expiry
Hidden membership
Separate groups by corporate policy type – will follow other organizational content
Usage guidelines
Multi domain and creating groups in specific domain
Usage reporting
Hybrid – support for groups solution for Hybrid scenario
Remember Dave! Check who is in your group and set policies

The “New Way”
Add the permission directly to your workspace
No O365 groups are involved
Internal Azure AD users
B2B users that are trusted
Permissions types:
Member
Admin
Contributor

The B2B challenge /opportunity
Trust on the Azure AD level can be established between organizations
The users from one company can be added to another, recently with EDIT
permissions
Scenarios:
 Consultants & support don’t need another license
 Clients and partners can share reports
X Manage additional security layer
X More data bridges and “Dave” problems

PowerShell helps bringing security
governance to life
Connect to Azure AD – the place where the access is managed
List of roles in tenant
Command:
Add the user to the role:
See what Dave is up to in his roles

Access control
Granular access control on who can view the data
RLS- data is presented based on permissions user has
The general rule still applies:
Premium gives view access to entire org
Pro – only other Pro users can view
so no we cannot assign roles to people outside the group
and expect them to see

Row Level Security inside the report
Roles are assigned in the PowerBI top menu, designed to customize which information can be viewed based on
DAX query filters on the dataset level

Access control – Overview
Workspace – grant access to all reports and their data sets so they can be edited
Application – Publish some of the reports and allow users to view without editing
Embed report – add report to application and use its authentication
Inside the report – RLS users to see their data according to their internal permission
Additional capabilities:
Limit download
Limit access to data set
Allow/deny users to publish

Reporting and tracking Access & Usability
Enabling the data collection for usage metrics for each
repot.
To view and collect for the entire organization all reports
– O365 admin portal

Where my data is? Premium Capacity
Compliance with the local rules (GDPR)
Premium capacity location

Data Sources – how to connect?
Install data gateway – Why do we need data Gateway?
Personal data Gateway – not for organizations, will not work for other users
Organizational/on premise– set with organizational user – password expiry and security
Configure the gateway in the report refresh, to avoid entering credentials
Create Application user
Enable organizational access, set the user to access the data source (SQL)
Data Refresh
Online - Defined on the Data Set not the individual report or dashboard
Report Server on premise – Access and permissions are defined on the folder level
Gateway has to be online and reachable – is your machine on?
Direct Query Access – Online Synchronization
Same user that is creating the PowerBI report has to publish it (Application or Admin)
A report can have multiple data sources,
A report cannot be Direct Query and multiple data source
Direct Query report has to have only 1 data base/source to access!

Who is Important Enough??
For more information check PowerBI.com
Or great webinar by Ted Pattison – MVP, who starts with all the licensing options Link
He is also speaking here 
Free Pro License Premium
License
Report Server
(SQL 2017 or
PowerBI
Reporting)
Azure on
demand

Publishing vs Sharing
Using PowerBI App – Allows permissions, push
to group, selective publishing of content,
“production” environment
Publish content pack
Publish to Web – an addiction of many
Embed in Azure
Publish in the Report Server

Report Server security and publishing
Edit permissions from AD groups not O365 groups
Publish report by folder
Define refresh policies

Publishing and Sharing & the end of content packs
How are apps different from content packs?
Apps are an evolution and simplification of content packs
Which helps enabling governance policy?
APPS Content Packs Governance
Maintain Grouping and Identity loses its grouped identity: it's just a
list of dashboards and reports
Apps – Identity and data access
1:1 Workspace to App (to
group…)
Multiple content packs from
workspace
CP – Different content vs. continue
based on group
Allows selective publishing Allows selective publishing Both
Push notification when created
to users, link the app
Send the content pack, link report or
dashboard
Apps – linkable, single source of truth
The way to publish your content Will be deprecated Why didn’t I just start here???

Software Development Lifecycle in PowerBI
The “Old Way”
Dataset
Reports
Dashboards PowerBI App
Workspace -
Dev
Workspace Test
Dataset
Reports
Dashboards
Prod – Entire
organization
Group Workspace
Prod
Dataset
Reports
Dashboards
Site
SharePoint/
Web
PowerApp
Selective Publishing
Can Directly connect through API

The “New Way” Azure Dev Ops
Stage 1
Create repository of .pbix files
Use Git commands to commit the report
Stage 2
Use pipeline to deploy the report in the portal
(multiple authentication not supported yet)

The “New Way”
Option 2:
Release management for application in the
workspace

Visual Governance
Branding – Why you should come to the Vancouver PowerBI user group 
Scott Stauffer presented in Nov
Templates - Reports colors, Color scheme, fonts, frame sizes…
Corporate Layouts -
Pie Charts – do not use pie charts!
Visual Templates – Entire workspace
Max visuals per page
Mobile page definitions
Organizational Custom Visuals
Gallery (Feb release) (Amanda Cofsky)

Data Visualization Recommended Best practices (Rules)
Do not use pie Charts (Storytelling with data)
Use the 9 gestalt principles
Add Tooltip
Add Data Labels
Avoid not necessary lines / colors
One glance

(Release link
Sep)
Theme
Colors
Fonts
Text Size
Data Labels control (not for the custom
visuals)
Report Theme Generator for the UI
Designers LINK
Theme creation for the color match
challenged LINK
(Thank you Charles Sterling!!!)

What are the custom visuals and where to
find them?
How do we use them?
Can be added as a file
Can be added from the store
Can be created
My Company store – Amanda Cofsky
(February release )

What can go wrong and how governance
helps?Filters -Not always filtering correctly –
specify which visuals are approved to use in your organization consider
customizing according to themes
Usually Themes are not effective –
Decide if it is important and follow through/ customize with R
Code might not be updated
Visuals review after every release or some of them by your PowerBI admin
Maps support different coordinates
Data integrity for coordinates (I have manually changed in 134 buildings…)
Mobile display
SDL in every PowerBI implementation
R Scrip installation
Dashboard crashing…too many visuals ahhh
Guidance specific to your organization on Dashboard and Reports UI

Which Enforcing
tools have we got?
Templates and Visual Guides – can be overridden
Publishing methods are restricted (Premium vs Pro)
Monitor the views and reports – log view/Embeded
Create alerts and policies for suspicious activity –
Using other tools – Embedded
Applications across devices – Where the
application can be viewed – more control

Enabling the
Governance
• Export and Sharing
• Can people publish to the
web?
• Can data be exported?
• PowerPoint is still in
Preview, should we use
that and risk complains?
• Print settings (Dave still
got print screen )

Premium Capacity Advanced Governance Portal
Users
Access
Capacity
Data – Datasets, refresh, measures efficiency,
visuals usage
Premium Capacity Metrics
(All pictures from
Microsoft site
PowerBI.com
not customer data)

Embedded
Embed the Analytics in the PowerBI
app
Use the Azure to add the analytics to
your app and analyze its usage
https://azure.microsoft.com/en-
us/services/power-bi-embedded/
Decision making regarding the app
usability, control and publishing

Who published what
when and is it still active?
The full list of all your
embed reports
Who published them and
where can they be found
Usage and other metrics
in premium or the PowerBI
Imbedded on Azure

Mobile App – Microsoft InTune Software
publisher
Configuring publishing and other
app policies for PowerBI mobile
applications on iphone
Adding Conditional Access
Features
PowerBI Application in your
organization
Corporate device enrollment
Adding the App URL into the
Intune software

Reporting the Reports Audit Logs – O365
Admin
Audit Logs –
Gives the log list starting mid November for usability
Can be exported and report can be created

Audit Logs through Embedded and
Azure
provides reporting on the entire PowerBI usage in the organization
No of users
Users Accesses
Access by date
Data Refresh – scheduled and performed
Gateway Lifecycle – active and used
Pro Trial status (preview feature)
Usability reports for each App
Usability reports for dashboards
User Access reports

Access Reports about the Reports
O365 Admin portal PowerBI Preview -
https://portal.office.com/adminportal/home#/reportsUsage
AdminPortal in your PowerBI console online
https://app.powerbi.com/admin-portal
Embeded via Azure
https://azure.microsoft.com/en-us/services/power-bi-embedded/
PowerBI Premium – control over performance and scale –
Organization wide control for access and queries
Enables Performance review – which reports and apps are the most
used?

How fast is our dashboard?
New Too- Performance Inspector
Helps optimizing the performance

Lessons Learned
Design your governance policy ahead of starting – Framework
Data Security
Data Integrity
Access
Visual
Monitoring
Licensing decisions
Design your KPI’s around PowerBI – Where are you going and why?
Build the process automate it

Not the best Practices
Organizational Practice Result
To save on licensing cost, the reports
are simply shared via SharePoint and
emails using the Share to Web
Cashing and importing all the data
instead of using direct query
Not creating the mobile view
Creating a group for each report
Overloading custom queries and
heavy visualization
The cashed data is completely exposed
The data synchronization is done to multiple
sources resulting data caps reached
The data quote of 10G per group is running out, the data
sets cannot be updated anymore
Data Integrity in case of no Sync or communication lost
for live DB
Frustrated mobile users – adoption is affected
Too much mobile data used
Presentation is not fir for screen
Shared data cannot be viewed, report versions are
becoming common, leads to lack of single source of truth in
visualization
Slow performing reports, error messages when some data
access might be wrong

1. What Business Question does the visualization help us
solve?
2. What data driven decision will it help making?
3. Who is going to see the data visualization?
4. Where is the data coming from?
Summary not just for the Governance part…

To sum it all up
Policies
Rules and regulations
Frequent reports
Check where does Dave belong and create processes
around adding and terminating employees and partners

Data Sources:
PowerBI.com – community, blog, site
Guy in the Cube https://www.youtube.com/watch?v=PQRbdJgEm3k
ignite 2017 Governance in PowerBI
https://www.youtube.com/watch?v=G6yZigZ2Jt8
Brett Powell MVP Frontline Analytics
https://insightsquest.com/2017/09/30/power-bi-enterprise-deploy-and-
govern-presentation-from-ignite-2017/
Mastering Microsoft PowerBI https://www.amazon.com/Mastering-Microsoft-
Power-Brett-
Powell/dp/1788297237/ref=sr_1_1?s=books&ie=UTF8&qid=1510881535&sr
=1-1&keywords=mastering+power+bi
PowerBI Data Governance White paper- https://docs.microsoft.com/en-
us/power-bi/service-admin-governance

Thanks 
Yana Berkovich
⎼ @yana_berkovich
⎼ yana@yanaberkovich.com

SqlSat Victoria governance for PowerBI

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (20)

Similaire à SqlSat Victoria governance for PowerBI

Similaire à SqlSat Victoria governance for PowerBI (20)

Plus de Berkovich Consulting

Plus de Berkovich Consulting (20)

Dernier

Dernier (20)

SqlSat Victoria governance for PowerBI

Notes de l'éditeur