Managing Groups

Assign tenant-level permissions for your users

Groups Overview

As a global administrator for your Reporting Hub, you decide which tenants your users can access and the level of access they're granted. User access is organized into groups according to the authentication scheme you've set up.

If you’re using Azure Active Directory, the Active Directory users/groups you've specified for your tenant will automatically appear in your Manage Groups settings. (To learn how to assign AD groups/users to a tenant, see Tenant Admin.)

Good to Know: While Azure Active Directory is the default scheme, other forms of user management can also be synced with the Reporting Hub.

See Authentication Admin for more information.

Groups Relationship to Authentication Scheme

The Reporting Hub uses security groups to simplify managing access to reports. Security groups belong to the authentication scheme. As such, if you switch from one authentication scheme to another, any groups that were previously assigned to reports will be removed. You will need to go to Manage Groups and synchronize again, and then configure all permissions again for each report.

App Roles

Each App Role corresponds to a specific set of permissions within a tenant:

  • User: A User can only view content.

  • Content Administrator: A Content Administrator has full access to Navigation Settings. They can create and edit Categories, as well as any Power BI content to which their tenant has been granted access. (To learn how to assign tenants access to Power BI workspaces, see Tenant Admin.)

  • Application Administrator: An Application Administrator has full admin privileges within the Reporting Hub tenant. This role does not give a user administrator privileges to Azure or Power BI.

Assigning App Roles to Groups and Users

Group/user access is divided into three levels, and controlled via your Manage Groups settings. To assign permission levels for your groups/users:

  1. Select your profile picture to access the Admin Settings menu.

  2. Select Manage Groups.

  3. Select Sync Groups to ensure you're seeing the most up-to-date list of groups/users.

  4. Find the group/user whose permission level you want to assign, then select an App Role from the dropdown list.

    Enter user/group names using the search bar if you don't want to scroll through the entire directory.

You must Sync Groups to refresh your Active Directory. Changes made to your Active Directory won't be reflected in the Reporting Hub until you have synced.


Creating Groups/Roles for New Tenants

There is an option in the global tenant settings to automatically create groups/roles for new tenants. See global tenant configuration to learn how to change this setting.

To learn how to add a new tenant, see Tenant Admin.

Automatic Group Creation

If the 'create groups/roles for new tenants' option is enabled on the global tenant, the Reporting Hub will automatically create four new groups within Active Directory when you add a new tenant. The groups will appear as follows:

  • New Tenant Name Parent Group for Reportinghub

  • New Tenant Name Admin Group for Reportinghub

  • New Tenant Name Content Admin Group for Reportinghub

  • New Tenant Name Report Users Group for Reportinghub

These groups will be empty until you assign them users within Active Directory. Within Active Directory, you can create as many new groups for your tenant as you'd like. The initial groups created can also provide a guideline for how you can structure user access. If new groups are added to your AAD (or other identity management scheme), go into your Manage Groups settings, select Sync Groups, and the new groups you've added will appear.

Manual Group Assignment

If the 'create groups/roles for new tenants' option is not enabled on the global tenant, you will have to assign pre-existing groups to your tenant as a parent group and an administrator group.

Editing an Existing Tenant's AAD Groups

If you’d prefer to assign pre-existing AAD groups to your new tenant, reselect your tenant after saving changes and make the relevant adjustments from the Edit pop-up.

For more information on managing Azure Active Directory groups, see the Microsoft Active Directory groups tutorial:

Syncing Groups Manually

When you click Sync Groups, all groups from your authentication framework are synced. If you do not want all groups visible in the Reporting Hub, there is a manual way to add specific user groups.

Steps for Entra ID

  1. Get your organization ID (the default org ID for your global tenant is 1). To get the organization ID for subtenants, check the Organizations table in your Reporting Hub database.

  2. Get security group IDs and names.

    1. In your Azure Portal, navigate to Entra ID.

    2. Select Groups from the left side menu.

    3. The value under the Name header will be the Group Name in the SQL template. The value under the Object Id heading will be the Azure Group Id.

  3. Update your database.

    1. Substitute your values into the SQL Template below to create your script.

    2. Run your script in your Reporting Hub database.

SQL Template

Template Variables

Organisation Id: The ID for your tenant. Your global tenant has OrganisationId = 1 by default. Data type is integer.

Azure Group Id: This is the Group Object Id as it appears in the Active Directory. Data type is string.

Group Name: This is the Group Name as it appears in the Active Directory. Data type is string.

Description: This can be whatever description you want for the group. Data type is string.

Is User: 0 for an Azure Group; 1 if adding individual users. Data type is bit (0 or 1).

Example SQL Script
INSERT INTO [dbo].[UserGroups] ([OrganisationId], [GroupAzId], [GroupName], [Description], [IsUser])
VALUES
    (1, '12345678-abcd-1234-abcd-123456789012', 'ReportingHubAdmin', 'Administrators for ReportingHub application', 0),
    (1, '12345678-abcd-1234-abcd-1234567890ab', 'ReportingHubCustomerA', 'Report Users Group for ReportingHub', 0);
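A safer-to-rerun variant of the script above, added here as an illustration and not taken from the Reporting Hub documentation or product: it stages the groups you intend to expose, rejects malformed Object Ids, inserts only rows that are not already present for the tenant, and then lists what the tenant can see. It assumes T-SQL on SQL Server; the staging column sizes are assumptions, and the GUIDs and names are the constructed sample values from the example script.

```sql
-- Added example (not vendor code). Table and column names come from the
-- Example SQL Script on this page; staging column sizes are assumptions.
SET XACT_ABORT ON;  -- any runtime error rolls back the whole transaction

DECLARE @OrganisationId int = 1;  -- global tenant default, per this page

-- Stage only the groups that should be visible in the Reporting Hub.
DECLARE @Wanted TABLE (
    GroupAzId   nvarchar(64)  NOT NULL,
    GroupName   nvarchar(256) NOT NULL,
    Description nvarchar(512) NOT NULL,
    IsUser      bit           NOT NULL   -- 0 = group, 1 = individual user
);

INSERT INTO @Wanted (GroupAzId, GroupName, Description, IsUser)
VALUES
    (N'12345678-abcd-1234-abcd-123456789012', N'ReportingHubAdmin',
     N'Administrators for ReportingHub application', 0),
    (N'12345678-abcd-1234-abcd-1234567890ab', N'ReportingHubCustomerA',
     N'Report Users Group for ReportingHub', 0);

-- Stop before touching the table if an Object Id was mistyped or truncated.
IF EXISTS (
    SELECT 1 FROM @Wanted
    WHERE LEN(GroupAzId) <> 36
       OR TRY_CONVERT(uniqueidentifier, GroupAzId) IS NULL
)
BEGIN
    THROW 50001, 'One or more GroupAzId values are not valid GUIDs.', 1;
END;

BEGIN TRANSACTION;

-- Insert only groups not already registered for this tenant, so the
-- script can be rerun without creating duplicate rows.
INSERT INTO [dbo].[UserGroups]
    ([OrganisationId], [GroupAzId], [GroupName], [Description], [IsUser])
SELECT @OrganisationId, w.GroupAzId, w.GroupName, w.Description, w.IsUser
FROM @Wanted AS w
WHERE NOT EXISTS (
    SELECT 1 FROM [dbo].[UserGroups] AS g
    WHERE g.[OrganisationId] = @OrganisationId
      AND g.[GroupAzId] = w.GroupAzId
);

COMMIT TRANSACTION;

-- Review: every group or user this tenant can now be granted an App Role for.
SELECT [GroupAzId], [GroupName], [IsUser]
FROM [dbo].[UserGroups]
WHERE [OrganisationId] = @OrganisationId
ORDER BY [GroupName];
```

Compare the final result set against the Object Ids shown in Entra ID before assigning App Roles in Manage Groups.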
