Introduction
When you create and save a report in a business intelligence (BI) platform, the first question that usually arises is: who can see it by default? Understanding the default visibility settings is crucial for maintaining data confidentiality, complying with governance policies, and ensuring that the right stakeholders receive the insights they need. Across popular tools such as Microsoft Power BI, Tableau, Google Data Studio, and Salesforce Reports, the default access model follows a set of common principles—ownership, workspace or folder permissions, and organization‑wide sharing policies. This article breaks down those principles, explains how each platform determines default viewers, and offers practical steps to verify and adjust permissions so you can protect sensitive data while fostering collaboration Still holds up..
Why Default Permissions Matter
- Data security: Unintended exposure can lead to compliance breaches, especially with GDPR, HIPAA, or industry‑specific regulations.
- User experience: Over‑restrictive defaults may frustrate team members who need quick access to insights.
- Governance: Clear default rules simplify audit trails and make it easier to enforce corporate data policies.
By grasping who can view a saved report out of the box, you can proactively manage risk and streamline the sharing process.
General Permission Model Across BI Tools
| Platform | Owner of the Report | Default Viewers | Underlying Mechanism |
|---|---|---|---|
| Power BI | Creator (or the workspace admin) | Users who have Read access to the same workspace | Workspace security groups and role‑based access |
| Tableau | Creator (or project owner) | Users with Viewer or higher permission on the project/folder | Project permissions + site‑wide default |
| Google Data Studio | Creator (or Google Workspace admin) | Anyone with the link if the report is set to Anyone with the link can view; otherwise only explicitly added users | Sharing settings at the report level |
| Salesforce | Report creator (or folder owner) | Users who have Read access to the folder where the report resides | Folder hierarchy permissions |
While the specifics differ, the common thread is that ownership and container permissions (workspace, project, folder, or file) dictate default visibility That alone is useful..
Detailed Look at Each Platform
1. Microsoft Power BI
Ownership and Workspace Roles
- Creator automatically becomes the owner of the report.
- Reports are stored in a workspace (formerly “app workspace”).
- Workspace roles: Admin, Member, Contributor, Viewer.
Default Viewers
- By default, all members of the workspace can view the report, provided they have at least the Viewer role.
- Admins and Members can also edit, publish, or delete the report, while Contributors can edit content but not manage workspace settings.
How to Verify
- Open the workspace in Power BI Service.
- Click Settings → Permissions to see the list of users and their roles.
- The report inherits these permissions; there is no separate “report‑level” ACL unless you explicitly share it outside the workspace.
Adjusting Access
- Move the report to a different workspace with stricter permissions.
- Use App publishing to expose the report to a broader audience while keeping the underlying workspace private.
2. Tableau
Project Structure
- Tableau Server/Online organizes content into Projects, which can contain sub‑folders.
- The owner of a report (called a workbook) is the user who publishes it.
Default Viewers
- By default, only users who have at least Viewer permission on the project (or its parent) can open the workbook.
- If the project inherits site‑wide default permissions, those defaults apply.
Checking Permissions
- deal with to the workbook on Tableau Server.
- Click … → Permissions to view a matrix of users, groups, and their rights.
- Look for the “Inherit permissions from parent” checkbox to understand if the workbook follows project defaults.
Modifying Access
- Assign custom permissions directly on the workbook to override project defaults.
- Use Groups to manage permissions at scale (e.g., “Finance Analysts”).
3. Google Data Studio
File‑Level Sharing
- A report is a Google Drive file; its sharing settings follow Drive’s model.
- The creator is the owner and can set link‑based or specific‑user sharing.
Default Viewers
- When you first save a report, only the owner can view it.
- If you enable “Anyone with the link can view” during the Share dialog, the default expands to anyone who obtains the link—no sign‑in required.
Verifying Who Can See It
- Open the report, click Share → Manage access.
- Review the list under “People with access” and the link sharing status.
Controlling Access
- Switch link sharing to “Restricted” to limit viewership to explicit users.
- Add Viewer or Editor roles for specific collaborators.
4. Salesforce Reports
Folder‑Based Security
- Reports are stored in folders within the Reports tab.
- The folder owner (often a system admin) determines who can see reports inside it.
Default Viewers
- By default, any user with Read permission on the folder can view all reports inside.
- If the folder inherits “Public Reports” visibility, then all users in the org can see the report.
Checking Permissions
- Go to Reports → All Reports.
- Click the down‑arrow next to a folder and select Share.
- Review the list of users, roles, and groups with Read, Edit, or Manage rights.
Adjusting Access
- Create a private folder for sensitive reports and grant access only to required roles.
- Use Sharing Rules to automate access for new users who join a role.
Common Pitfalls and How to Avoid Them
-
Assuming “Saved” Means “Private”
- Many users think a report is hidden until they share it. In reality, saving it in a shared workspace or folder instantly grants access to everyone with that container’s permissions.
-
Overlooking Inherited Permissions
- A report may inherit read‑only rights from a parent project, but an explicit deny at the report level can override it. Always check both levels.
-
Neglecting External Sharing Settings
- In Power BI, publishing to the web creates a public URL that bypasses workspace permissions. Turn off “Publish to web” unless you truly need a public view.
-
Relying Solely on Group Membership
- If a user is removed from a group but still has direct access at the report level, they retain visibility. Conduct periodic audits of both group and direct permissions.
Step‑by‑Step Checklist to Secure a New Saved Report
- Identify the container (workspace, project, folder, or Drive file).
- Review the container’s default permissions for the intended audience.
- Confirm the owner of the report and whether ownership can be transferred if needed.
- Check for inherited permissions that may grant broader access than intended.
- Adjust sharing settings:
- Power BI: Move to a restricted workspace or publish via an app.
- Tableau: Set workbook‑level permissions or create a private project.
- Data Studio: Set link sharing to “Restricted” and add specific viewers.
- Salesforce: Place the report in a private folder and share with selected roles.
- Document the access configuration for audit purposes.
- Schedule a periodic review (quarterly or after major org changes).
Frequently Asked Questions
Q1: Can I make a saved report visible to the entire organization with one click?
- Power BI: Publish the report to an App and share the app with the whole org.
- Tableau: Set the project’s permissions to “All Users – Viewer.”
- Data Studio: Enable “Anyone with the link can view” and distribute the link widely.
- Salesforce: Store the report in the Public Reports folder.
Q2: What happens if I delete a workspace or folder?
- The reports inside are deleted permanently (or moved to a recycle bin, depending on the platform). Ensure you back up critical reports before removal.
Q3: Are there audit logs that show who has viewed a report?
- Power BI: Activity logs in the Admin portal capture view events.
- Tableau: The Usage tab provides view counts per user.
- Data Studio: Google Drive’s Version history and Activity panel show access events.
- Salesforce: Setup → Event Monitoring logs report access.
Q4: Can I set row‑level security (RLS) to limit data within a report, even if the report is visible to many users?
- Yes. All four platforms support RLS or equivalent filtering mechanisms that restrict data based on the viewer’s identity, ensuring that even if a report is broadly visible, each user only sees the rows they’re authorized to see.
Conclusion
By default, the ability to view a saved report hinges on ownership and the permissions of the container—whether it’s a Power BI workspace, Tableau project, Google Drive file, or Salesforce folder. Implement a regular audit routine, put to work row‑level security for granular control, and document every change to maintain a clear audit trail. Day to day, recognizing these default settings helps you avoid accidental data leaks, comply with governance standards, and streamline collaboration. On the flip side, always start by checking the container’s access list, verify inherited permissions, and adjust sharing settings to match the sensitivity of the data. With these practices in place, you can confidently share insights while safeguarding the information that powers your organization.
