Self-Service BI with Enterprise Controls
The governance playbook for enabling data democratization without sacrificing security, accuracy, or compliance.
Self-service BI fails without governance controls. Ungoverned Power BI deployments create data sprawl, security exposure, compliance violations, and decisions made on wrong data. This guide covers the Power BI governance framework, workspace strategy, data certification, sensitivity labels, Center of Excellence, and BI maturity model that EPC Group implements for Fortune 500 clients.
Key Facts
- Ungoverned self-service BI is the single most common cause of "which number is right?" data disputes.
- Power BI certified datasets establish one trusted source of truth shared across all reports.
- Microsoft Purview sensitivity labels persist across Power BI, Excel exports, and Teams — closing the export gap.
- The CoE (Center of Excellence) Starter Kit is a free Microsoft tool that inventories all Power BI apps, datasets, and makers.
- EPC Group has completed 6,500+ Power BI deployments and 29 years of Microsoft consulting engagements.
Self-Service BI with Enterprise Controls: The Governance Playbook
Quick Answer: Balance self-service BI with enterprise governance using a four-tier model:
- Personal workspaces for unrestricted exploration
- Team workspaces for governed collaboration
- Department workspaces requiring certified datasets
- Enterprise workspaces with IT-managed pipelines and full audit trails
Combine this model with data certification, sensitivity labels, workspace naming conventions, and a Center of Excellence that enables rather than restricts. This framework provides business users with the speed they need while ensuring that production analytics meet security, accuracy, and compliance requirements.
Every enterprise analytics leader faces a common challenge. Business users want to create their own reports immediately. Meanwhile, IT and compliance teams require control over data access, accuracy, and security.
Finding the right balance is crucial. If you lean too much toward self-service, you risk:
- Data sprawl
- Conflicting numbers in board meetings
- HIPAA violations from unclassified exports
On the other hand, if you focus too much on centralized control, you may encounter:
- A six-week backlog for every new report
- Shadow analytics in Excel
- Frustrated business leaders questioning their investment in Power BI
Neither extreme is effective. Successful organizations in enterprise analytics adopt a balanced approach. They develop a framework that enables business users to explore data freely. At the same time, they maintain guardrails to protect the business.
EPC Group has developed this framework for Fortune 500 organizations in:
- Healthcare
- Financial services
- Government
This guide provides the complete playbook.
If you are evaluating Power BI consulting partners to implement governance at scale, or you need to build a data governance Center of Excellence, this guide will give you the architecture and decision framework to do it right.
The Self-Service vs. Governance Paradox
The paradox is real and measurable. In our experience with hundreds of enterprise Power BI deployments, we found that:
- Organizations that restrict analytics too much see adoption rates below 20%. This means 80% of licensed users go back to spreadsheets, emails, and tribal knowledge.
- Organizations that allow self-service without governance often discover 30-40% redundant datasets within 18 months.
- These organizations also face at least one security incident involving sensitive data shared outside the organization.
Many organizations see self-service and governance as opposing forces. They think that more self-service means less governance, and the other way around. This view is incorrect. Self-service and governance are not a trade-off. They are complementary capabilities that should be developed together.
Over-Governed
- ✗6-week backlog for new reports
- ✗Under 20% user adoption
- ✗Shadow analytics in Excel and email
- ✗Business units bypass IT entirely
- ✗Premium licenses wasted
Ungoverned
- ✗30-40% redundant datasets
- ✗Conflicting numbers in board meetings
- ✗Sensitive data shared externally
- ✗No audit trail for compliance
- ✗Premium capacity consumed by sprawl
The governed self-service model resolves this paradox by defining clear tiers of freedom, each with appropriate controls. Business users get the agility they need at the tier that matches their use case, and IT retains visibility and control over what reaches production.
Why Ungoverned Self-Service Fails
Organizations that deploy Power BI without a governance framework typically experience five failure modes within the first 12-18 months. These are not theoretical risks — they are patterns we have observed repeatedly across industries.
Data Sprawl and Duplication
Without governance, every analyst builds their own dataset. A 500-person organization can accumulate 200+ datasets for the same subject area, each with slightly different transformation logic. One financial services client we onboarded had 47 different "revenue" datasets across Power BI, none of which matched the official GL. Premium capacity costs were 3x what they should have been simply from duplicate data refreshes.
Security and Compliance Exposure
Self-service means business users connect to data sources and share results. Without sensitivity labels and DLP policies, a healthcare analyst can export patient data to an unencrypted Excel file and email it to an external vendor. In regulated industries — healthcare, financial services, government — this is not just a policy violation, it is a regulatory event. We have seen organizations face audit findings specifically because self-service BI exports were not classified or tracked.
Decision Quality Degradation
When leadership reviews a dashboard in a Monday meeting and the numbers differ from the spreadsheet the CFO prepared on Friday, trust collapses. Ungoverned self-service creates multiple versions of truth. The root cause is usually transformation logic: one analyst filters out returns, another includes them; one uses fiscal calendar, another uses calendar year. Without certified datasets, there is no authoritative answer to "which number is right?"
Invisible Shadow Analytics
When IT governance is too slow, departments build their own data pipelines. Marketing sets up a direct SQL connection. Sales builds an Access database. Operations uses a Python script on a shared drive. These shadow systems are invisible to IT, unaudited, and fragile. When the person who built them leaves, the organization loses both the analytics and any understanding of how they worked.
Capacity and Cost Overruns
Ungoverned environments consume Premium capacity unpredictably. A single poorly optimized dataset with a 15-minute refresh schedule can throttle an entire P1 capacity during business hours. Without workspace-to-capacity mapping and refresh scheduling governance, capacity costs grow linearly with user adoption rather than scaling efficiently.
The Governed Self-Service Model: Four Tiers
The EPC Group's self-service model organizes analytics activities into four distinct tiers. Each tier has a specific purpose, defined permissions, and suitable controls.
The key insight is that governance intensity varies based on audience size and decision impact:
- Personal exploration requires minimal governance.
- Enterprise KPI dashboards need strict controls.
Tier 1: Personal Exploration
Every licensed user gets a personal workspace for ad-hoc analysis and learning. There are no restrictions on data connections, transformations, or visualization choices. This is the sandbox — the place where analysts experiment, prototype, and learn Power BI without fear of breaking anything. Content in personal workspaces is never shared beyond the owner. No certification required. No review process. The only guardrail is that personal workspace content cannot be published to apps or shared with external users. This tier is critical because it removes the objection that governance kills creativity. Analysts have complete freedom — just not in production.
Tier 2: Team Collaboration
When an analyst builds something useful in their personal workspace, they promote it to a team workspace for small-group collaboration. Team workspaces require Azure AD security group membership for access. Datasets should be marked as Promoted (the first level of endorsement). Naming conventions apply, but full certification is not yet required. Teams of 5-15 people use these workspaces to iterate on analytics that may eventually reach department or enterprise level. The team workspace is where peer review happens organically — colleagues spot calculation errors, suggest improvements, and validate business logic before content moves up.
Tier 3: Department Reporting
Department workspaces serve official departmental reporting needs. Content here must be built on Certified datasets — datasets that have passed the organization certification criteria including documented data sources, verified refresh schedules, applied row-level security, and assigned data steward ownership. Access is managed through department-level security groups. Reports are published via Power BI apps with read-only access for consumers. Sensitivity labels are mandatory. This tier serves the CFO reviewing finance dashboards, the VP of Sales tracking pipeline, and the CHRO monitoring workforce analytics.
Tier 4: Enterprise Dashboards
Enterprise workspaces contain organization-wide KPIs, executive dashboards, and compliance reporting. IT manages the full data pipeline: ingestion, transformation, modeling, and visualization. Datasets are Certified with additional IT review. Row-level security, object-level security, and sensitivity labels are all enforced. Content runs on dedicated Premium capacity with monitored SLAs. Changes follow a dev-test-prod promotion process. This tier produces the numbers that go to the board, regulators, and external stakeholders — accuracy and auditability are non-negotiable.
Power BI Governance Framework
A governance framework is not a document that sits in SharePoint — it is a living system of policies, technical controls, and organizational behaviors. EPC Group governance frameworks cover six domains, each with specific configurations in the Power BI admin portal and supporting Microsoft 365 services.
Tenant Settings
- Restrict external sharing to approved domains
- Disable export to unmanaged file types
- Require sensitivity labels for published content
- Control who can publish to web (block for regulated orgs)
- Configure Azure AD conditional access for Power BI
Data Source Governance
- Approved data source registry maintained by CoE
- Gateway management with certified connectors
- Connection credentials stored in Azure Key Vault
- Prohibited direct SQL connections from desktop to production
- Dataflow templates for common source patterns
Content Lifecycle
- Dev-Test-Prod deployment pipelines for enterprise content
- Automated workspace archival after 90 days of inactivity
- Version history maintained for certified datasets
- Change approval workflow for production modifications
- Rollback procedures documented and tested quarterly
Access Management
- Azure AD security groups for all workspace access
- No individual user assignments in production workspaces
- Row-level security validated quarterly by data stewards
- Service principal accounts for automated processes
- Just-in-time access for break-glass scenarios
Monitoring and Compliance
- Activity log export to Azure Log Analytics
- Weekly adoption dashboards reviewed by CoE
- Automated alerts for unusual sharing patterns
- Quarterly access reviews with workspace owners
- Compliance reports for HIPAA, SOC 2, and GDPR audits
Training and Enablement
- Onboarding program for new Power BI users
- Monthly office hours with CoE experts
- Template library with pre-built certified patterns
- Self-paced learning paths by role (consumer, creator, admin)
- Annual governance awareness training for all users
Data Certification and Endorsement
Data certification is the most important governance control in Power BI. It addresses the "which number is right?" issue by creating an official source for each business area.
Power BI offers two endorsement levels. EPC Group suggests using both levels with clearly defined criteria:
- Level 1: Basic endorsement for initial validation.
- Level 2: Advanced endorsement for comprehensive approval.
The Promoted endorsement is used by dataset owners when their dataset is ready for wider use within a team or department. It signals that the owner supports the data and confirms its accuracy for their use case.
The Certified endorsement is given by the governance team, usually CoE data stewards, after a formal review. Certification indicates that the dataset meets organizational quality standards, including:
- Documented sources
- Verified transformations
- Reliable refresh schedule
- Applied RLS
- An assigned owner responsible for ongoing accuracy
Certification Criteria Checklist
Based on our experience, organizations that seek certification see a noticeable change in behavior within 90 days. Report creators start using certified datasets instead of creating their own copies.
This shift leads to:
- A leveling off of the number of active datasets.
- A decline in duplicates as they are removed.
Most importantly, leadership's confidence in analytics data grows. This is due to a verifiable link from the source to the dashboard.
Workspace Governance Strategy
Workspace design is the structural foundation of Power BI governance. Each workspace type serves a specific purpose, with permissions and controls calibrated to the content’s audience and impact.
| Workspace Type | Scope | Permissions | Certification | Sharing | Capacity |
|---|---|---|---|---|---|
| Personal | Individual exploration | Owner only | Not required | Not shared externally | Shared / Pro |
| Team | Small group collaboration | Security group (5-15 members) | Promoted | Internal team only | Shared / Pro |
| Department | Department-wide reporting | Security group (dept-level) | Certified required | Department + approved stakeholders | Premium Per User or Capacity |
| Enterprise | Organization-wide KPIs | IT-managed, RBAC enforced | Certified + IT review | Org-wide via apps, read-only | Premium Capacity (dedicated) |
Workspace naming conventions might appear to be just rules, but they are vital for large organizations. For companies with over 500 workspaces, clear names are essential. They help identify ownership, environment, and purpose. This clarity can save hours during audits and incidents.
EPC Group recommends the naming pattern: Department-Environment-Purpose. Examples include:
Finance-Prod-RevenueMarketing-Dev-CampaignAnalytics
Enforce this pattern using admin API policies that reject names that do not conform.
Sensitivity Labels and Data Loss Prevention
In regulated industries, sensitivity labels are not optional — they are a compliance requirement. Microsoft Purview sensitivity labels integrate natively with Power BI, extending information protection from Microsoft 365 into the analytics layer. When a sensitivity label is applied to a Power BI dataset, that classification persists through every downstream artifact: reports built on the dataset, exports to Excel or PDF, and even screenshots captured through the mobile app.
The practical impact is significant. A dataset labeled "Highly Confidential — PHI" will:
- Automatically encrypt any Excel export.
- Restrict sharing to internal users only.
- Generate an audit event when any user accesses the content.
When combined with DLP policies in Purview, organizations can prevent sensitive analytics content from leaving the organization. This control is specifically requested by auditors and regulators during HIPAA and SOC 2 assessments.
Public
Non-sensitive analytics. Open sharing permitted. No export restrictions. Used for marketing metrics, public website analytics, and general industry benchmarks.
Confidential
Internal business data. Sharing restricted to organization. Exports require sensitivity label inheritance. Used for financial reports, sales pipeline, HR analytics.
Highly Confidential
Regulated or sensitive data. Sharing to named individuals only. Exports encrypted automatically. Full audit trail. Used for PHI, PII, financial PCI data, legal matters.
EPC Group uses sensitivity labels in a unified information protection strategy across Microsoft 365, Power BI, and Azure. This approach ensures consistent data classification for users. Whether viewing a report in Power BI, exporting to Excel, or sharing a file in Teams, the classification remains the same.
The classification follows the data, not the container.
Monitoring and Usage Analytics
Governance without monitoring is just policy without enforcement. Power BI offers detailed activity logging and usage metrics. However, many organizations do not use these tools effectively.
EPC Group creates monitoring dashboards that track four key categories of governance health. These dashboards are reviewed weekly by the CoE and monthly by executive sponsors.
Adoption Metrics
- Active users by department and role (creator vs. consumer)
- Report views per week with trend analysis
- Percentage of users building on certified vs. uncertified datasets
- New workspace creation rate and compliance with naming conventions
- Training completion rates by role
Governance Compliance
- Percentage of datasets with assigned owners
- Sensitivity label coverage across all workspaces
- Workspaces with individual (non-group) permissions flagged
- Datasets without refresh schedules or with failed refreshes
- External sharing events by data classification level
Performance and Capacity
- Premium capacity utilization by workspace tier
- Report render times exceeding 5-second SLA
- Dataset refresh duration trends and failure rates
- Capacity throttling events with root cause analysis
- Cost per user by department for capacity allocation
Security and Risk
- Publish to web events (should be zero in regulated orgs)
- Export events for Highly Confidential content
- Admin role assignments and changes
- External user access patterns
- Anomalous activity alerts (bulk exports, unusual access times)
The activity log data is exported to Azure Log Analytics for long-term retention and cross-correlation with other Microsoft 365 security signals. This is not optional for organizations with compliance requirements — HIPAA and SOC 2 auditors expect evidence that data access is monitored and anomalies are investigated.
Building a Center of Excellence
A Center of Excellence (CoE) is essential for making governed self-service sustainable. Without a CoE, governance relies on the IT team to remember policies. This approach may work for a few months but often fails as priorities change.
A CoE strengthens governance by:
- Assigning dedicated roles
- Defining repeatable processes
- Measuring outcomes
The main design principle for a successful CoE is to enable rather than restrict. If users perceive the CoE as a barrier that slows down analytics delivery, they will seek ways to bypass it. In contrast, if they see the CoE as a resource that helps them produce better analytics more quickly, adoption will increase naturally.
EPC Group CoE engagements focus on this enablement-first approach from the start.
Executive Sponsor
Secures budget and organizational alignment. Resolves cross-departmental conflicts. Champions data-driven culture at the leadership level. Typically a CIO, CDO, or VP of Analytics.
Governance Lead
Defines and maintains governance policies. Manages tenant settings and admin configurations. Leads quarterly governance reviews. Reports governance health metrics to the executive sponsor.
Data Stewards (per domain)
Certify datasets within their business domain. Validate transformation logic and data quality. Serve as the first escalation point for data questions. Maintain data dictionaries and lineage documentation.
Power BI Champions (per department)
Department-level experts who support local users. Conduct peer reviews before content moves to department or enterprise tiers. Identify training needs and relay them to the CoE. Bridge between business requirements and technical implementation.
Training Coordinator
Manages onboarding program for new users. Maintains self-paced learning paths by role. Organizes monthly office hours and quarterly workshops. Tracks training completion and correlates with adoption metrics.
EPC Group helps organizations stand up a fully operational CoE in 8-12 weeks. This includes charter development, role assignments, initial policy creation, template library buildout, and the first round of dataset certification. The data governance CoE enablement guide covers the detailed methodology.
Self-Service BI Governance Maturity Model
Use this maturity model to assess your organization’s current state and plan the path forward. Most enterprises engage EPC Group at Level 2-3 and reach Level 4 within six months of structured governance implementation.
| Level | Stage | Characteristics | Risks | Actions to Advance |
|---|---|---|---|---|
| 1 | Ad Hoc | Spreadsheets dominate. Individual users create isolated reports. No shared datasets. No naming standards. | Conflicting numbers in leadership meetings. No single source of truth. Zero audit trail. | Executive sponsor identified. Power BI pilot launched with 2-3 departments. Basic training deployed. |
| 2 | Reactive | Power BI adopted organically. 50+ workspaces with no naming convention. Multiple copies of same dataset. Ad-hoc sharing via links. | Data sprawl consuming Premium capacity. Sensitive data shared externally. IT unable to audit usage. | Workspace naming convention enforced. Dataset inventory completed. Sharing policies tightened in tenant settings. |
| 3 | Defined | Governance policies documented. Certification process established. Training program available. Workspace access uses security groups. | Policies exist but enforcement is manual. Compliance gaps during audits. Champion network underdeveloped. | Automated policy enforcement via admin APIs. CoE charter approved. Sensitivity labels pilot launched. |
| 4 | Managed | CoE fully operational. 70%+ reports built on certified datasets. Sensitivity labels enforced. Automated monitoring dashboards. DLP policies active. | Governance overhead slows innovation if not balanced. CoE becomes bottleneck without self-service enablement focus. | Self-service enablement metrics tracked alongside governance metrics. Template library expanded. Advanced training for power users. |
| 5 | Optimized | Self-service and governance fully balanced. Predictive usage analytics. Data literacy in performance reviews. Continuous improvement culture. | Complacency — maintain investment in training, tooling, and standards evolution as Power BI capabilities change. | AI-driven anomaly detection on data quality. Cross-org benchmarking. Governance framework evolves with each Power BI monthly release. |
Frequently Asked Questions
How do you balance self-service BI with enterprise governance?
Balance self-service BI with enterprise governance using a tiered model: Tier 1 (Personal) allows unrestricted exploration in personal workspaces, Tier 2 (Team) enables governed sharing within departments, Tier 3 (Department) requires certified datasets and review, and Tier 4 (Enterprise) mandates IT-managed pipelines with full audit trails. This approach gives business users freedom to explore data while ensuring production reports meet security, accuracy, and compliance standards. EPC Group implements this framework using Power BI workspace policies, sensitivity labels, and endorsement certification.
What is a Power BI governance framework?
A Power BI governance framework is a structured set of policies, roles, and technical controls that manage how data is accessed, shared, and published across the organization. It typically includes: workspace naming conventions and access policies, dataset certification and endorsement processes, row-level security (RLS) standards, sensitivity labels for data classification, tenant settings that control sharing and export, and monitoring dashboards that track adoption and compliance. EPC Group builds governance frameworks that scale from 50 to 50,000 users without creating bottlenecks.
What are the risks of ungoverned self-service BI?
Ungoverned self-service BI creates five critical risks: 1) Data sprawl — hundreds of duplicate datasets consuming Premium capacity and creating conflicting numbers, 2) Security exposure — sensitive data shared via ad-hoc links without classification, 3) Compliance violations — HIPAA, SOC 2, or GDPR breaches from uncontrolled data exports, 4) Decision errors — business leaders making decisions on uncertified, potentially incorrect data, 5) Shadow analytics — departments building parallel data pipelines that IT cannot audit or support. Organizations with 500+ Power BI users typically have 30-40% redundant datasets before governance is applied.
How do you implement data certification in Power BI?
Power BI data certification uses a two-tier endorsement system: Promoted (dataset owner marks it as ready for broader use) and Certified (governance team validates accuracy, documentation, and refresh reliability). Implementation requires: 1) Define certification criteria (data source documented, refresh schedule verified, RLS applied, owner assigned), 2) Configure tenant settings to restrict who can certify, 3) Create a certification request workflow (typically via Forms or ServiceNow), 4) Build a certified dataset registry visible to all users, 5) Train users to build reports only from certified datasets for official reporting. EPC Group certification programs typically reduce duplicate datasets by 40-60%.
What is a BI Center of Excellence (CoE)?
A BI Center of Excellence is a cross-functional team that establishes standards, provides training, and governs analytics across the enterprise. A mature CoE includes: governance lead (defines policies), data stewards (certify datasets), Power BI champions (department-level experts), training coordinator (onboarding and skill development), and executive sponsor (ensures organizational alignment). The CoE does not centralize all report building — it enables self-service by providing certified datasets, templates, best practices, and escalation paths. EPC Group helps organizations stand up CoEs in 8-12 weeks with defined charters, toolkits, and KPIs.
How do sensitivity labels work with Power BI?
Microsoft Purview sensitivity labels extend to Power BI through Microsoft Information Protection integration. Labels like Confidential, Highly Confidential, and Public are applied to datasets, reports, and dashboards. When applied, labels: 1) Persist when data is exported to Excel, PDF, or PowerPoint, 2) Control who can access and share content, 3) Apply encryption to exported files automatically, 4) Enable DLP policies that prevent sensitive data from being shared externally, 5) Provide audit trails showing who accessed classified content. Labels are configured in the Microsoft Purview compliance portal and enforced across Power BI Desktop, Service, and mobile apps.
What does a self-service BI maturity model look like?
Self-service BI maturity progresses through five levels: Level 1 (Ad Hoc) — no governance, spreadsheet-driven, individual silos. Level 2 (Reactive) — basic Power BI adoption, no standards, growing data sprawl. Level 3 (Defined) — workspace policies established, certification process in place, training available. Level 4 (Managed) — CoE operational, automated monitoring, sensitivity labels enforced, 70%+ reports from certified datasets. Level 5 (Optimized) — self-service and governance fully balanced, predictive monitoring, continuous improvement culture, data literacy embedded in performance reviews. Most enterprises operate at Level 2-3 when they engage EPC Group, and reach Level 4 within 6 months.
How do you govern Power BI workspaces at enterprise scale?
Enterprise workspace governance requires four layers: 1) Naming conventions — enforce department-environment-purpose naming (e.g., Finance-Prod-Revenue), 2) Access control — use Azure AD security groups for workspace roles (Admin, Member, Contributor, Viewer), never assign individuals directly, 3) Lifecycle management — archive inactive workspaces after 90 days of no activity, auto-notify owners at 60 days, 4) Capacity assignment — map workspaces to appropriate Premium capacities based on criticality and usage patterns. EPC Group deploys Power BI admin APIs and PowerShell automation to enforce these policies across environments with 500+ workspaces.
Ready to Implement Governed Self-Service BI?
EPC Group helps Fortune 500 organizations balance self-service analytics with enterprise governance. Our governance frameworks scale from 50 to 50,000 users without creating bottlenecks.
Self-Service BI with Governance Controls: The Enterprise Playbook
Self-service BI needs governance controls to succeed. Without them, Power BI deployments can lead to data sprawl, security risks, compliance issues, and decisions based on incorrect data.
This guide outlines the following key components of the Power BI governance framework that EPC Group uses for Fortune 500 clients:
- Workspace strategy
- Data certification
- Sensitivity labels
- Center of Excellence
- BI maturity model
Key facts
- Ungoverned self-service BI is the single most common cause of "which number is right?" data disputes.
- Power BI certified datasets establish one trusted source of truth shared across all reports.
- Microsoft Purview sensitivity labels persist across Power BI, Excel exports, and Teams — closing the export gap.
- The CoE (Center of Excellence) Starter Kit is a free Microsoft tool that inventories all Power BI apps, datasets, and makers.
- EPC Group has completed 6,500+ Power BI deployments and 29 years of Microsoft consulting engagements.
The five risks of ungoverned self-service BI
Ungoverned self-service BI creates five recurring problems in enterprise environments:
- Data sprawl — hundreds of duplicate datasets consuming Premium capacity and showing conflicting numbers.
- Security exposure — sensitive data shared via ad-hoc links without sensitivity classification.
- Compliance violations — HIPAA, SOC 2, or GDPR breaches from uncontrolled data exports.
- Decision errors — business leaders making decisions on uncertified, potentially incorrect data.
- Shadow analytics — departments building parallel data pipelines that IT cannot audit or support.
The governance framework: four layers
Layer 1: Certified datasets
Certified datasets are essential for governed self-service BI. Each certified dataset acts as the single source of truth for a specific business domain, such as:
- Finance
- Sales
- HR
All reports should reference the certified dataset instead of using ad-hoc extracts.
EPC Group's certification process:
- Define certification criteria — data source documented, refresh schedule verified, RLS applied, owner assigned.
- Configure tenant settings to restrict who can certify datasets.
- Create a certification request workflow (via Forms or ServiceNow).
- Build a certified dataset registry visible to all business users.
- Train report authors on finding and using certified datasets before building new ones.
Layer 2: Workspace governance
Enterprise workspace governance requires four controls:
- Naming conventions — enforce department-environment-purpose naming (e.g., Finance-Prod-Revenue).
- Access control — use Azure AD security groups for workspace roles (Admin, Member, Contributor, Viewer). Never assign individuals directly.
- Lifecycle management — archive inactive workspaces after 90 days of no activity. Auto-notify owners at 60 days.
- Capacity assignment — map workspaces to Premium capacities based on criticality and usage patterns.
Layer 3: Sensitivity labels and data protection
Microsoft Purview sensitivity labels applied in Power BI persist when data is exported to Excel, PDF, or Teams. This closes the most common compliance gap in self-service BI — the Excel export that strips all governance context.
- Apply labels at the dataset level — all reports inheriting from the dataset carry the same label.
- Block export of Confidential or Highly Confidential data to unapproved channels.
- Use DLP policies to detect and alert on unprotected sensitive data in Power BI.
- Review label coverage monthly via Purview Content Explorer.
Layer 4: Center of Excellence (CoE)
The Power BI CoE is the team and toolset that governs self-service analytics across the organization. The free Microsoft CoE Starter Kit provides:
- Full inventory of all Power BI apps, reports, datasets, and makers.
- Usage analytics — which reports are used, which are abandoned.
- Orphaned resource alerts — datasets with no active reports, reports with no viewers.
- Sensitivity label coverage tracking.
- Maker activity and training completion dashboards.
BI maturity model
EPC Group assesses Power BI maturity across five levels:
- Level 1 — Ad-hoc — individual analysts build local reports. No sharing, no governance.
- Level 2 — Managed — reports published to Power BI Service. Workspaces exist but naming conventions are inconsistent.
- Level 3 — Standardized — certified datasets established. Sensitivity labels deployed. CoE Starter Kit installed.
- Level 4 — Advanced — deployment pipelines govern dataset promotion. RLS and OLS enforced on all sensitive datasets. Maker onboarding required.
- Level 5 — Optimized — Fabric F-SKU with Direct Lake. AI-powered anomaly detection and Copilot analytics. Full EU AI Act and compliance coverage.
Row-level security and object-level security
Row-level security (RLS) limits the rows a user can view in a shared Power BI report. Object-level security (OLS) hides entire tables or columns. Both types of security are applied on the server side at the semantic model layer.
- RLS and OLS in Power BI Premium and Fabric F-SKU are the most-overlooked compliance control in HIPAA, SOC 2, and FINRA environments.
- Configure RLS using DAX filter expressions on role definitions.
- Use dynamic RLS to filter based on the logged-in user's identity — no static role assignments needed at scale.
- Audit RLS and OLS configurations quarterly as part of the compliance review cycle.
Frequently asked questions
What is a Power BI certified dataset?
A certified dataset is a Power BI semantic model. It has been reviewed and approved by your data team as a trusted source of truth. This dataset is marked with a Certified badge in the Power BI Service.
Other report authors should build from certified datasets instead of creating new extracts. This approach ensures consistency and reliability in reporting.
What is the Power BI CoE Starter Kit?
The CoE Starter Kit is a free solution from Microsoft that you can install in your Power BI tenant. It offers:
- An inventory of all reports, apps, datasets, and makers
- Usage analytics
- Alerts for orphaned resources
- Compliance dashboards
This kit is the essential starting point for every Power BI governance program.
What is row-level security in Power BI?
Row-level security (RLS) controls which rows of data a user can access in a shared Power BI report. This security measure is enforced on the server side. Users cannot bypass it by exporting data or using the XMLA endpoint without the right permissions.
RLS is essential for any shared report that includes:
- sensitive personal data
- financial information
How long does Power BI governance implementation take?
Basic governance, which includes certified datasets, sensitivity labels, and workspace conventions, takes 4–6 weeks to implement. A full Center of Excellence (CoE) deployment, featuring Row-Level Security (RLS), Object-Level Security (OLS), a Starter Kit, and maker onboarding, requires 8–12 weeks.
Ongoing managed services ensure that governance remains up to date with Microsoft’s quarterly updates.
What is the difference between RLS and OLS in Power BI?
Row-level security (RLS) limits the rows a user can view based on their identity or role. Object-level security (OLS) restricts access to entire tables or columns.
Both RLS and OLS are configured in the semantic model and enforced on the server side.
Use OLS when you need to completely hide certain fields from specific roles. Examples of such fields include:
- Salary
- Social Security Number (SSN)
- Diagnosis codes
Schedule a consultation
EPC Group implements Power BI governance frameworks for Fortune 500 and regulated-industry organizations. Call (888) 381-9725 or request a discovery call to assess your current BI maturity level.