I'm picking up my favorite topic again: Governance and Administration!
With all the Fabric announcements in the last months, some of the Admin announcements might have slipped through. As you might know, the Admin part of Fabric is dear to my heart. I've posted about it earlier here, here, here, and here, to name a few 😀.
So in the next weeks I am going to highlight a few things with short, informative posts.
Last week I wrote about the rights of the Fabric Administrator.
Today I want to make you aware of a default value of the domain settings inside Fabric.
This default value might not be the best value for you.. 😉
Domains in Fabric
A short introduction to Domains: they are essentially a way of managing and structuring your data across the organization. You can logically group together data in workspaces. A logical grouping can be business units, areas, fields, solutions or actually whatever works for you. It shouldn't be something a Fabric Admin decides on his own. Ideally business and / or enterprise architects with the data owners (if any 😐) should implement the design of domains, subdomains and owners. People from your Center of Excellence (again: if available..) would be a good fit to include in this discussion.
In case you need some help or guidance on how to set up your domains, there's a nice article that can help you get started: Best practices for planning and creating domains.
Default Domain Settings
Check your defaults! I've said it multiple times, always check default settings in your tenant, be it in the tenant settings or the domain settings.
When you create a domain (either with or without adding a domain admin explicitly), you end up with the default settings applied to that domain. Let's check what that involves.
After creating your domain and navigating to the settings, you can (read: SHOULD) set the Contributors of the domain.
By default, it is set to The entire organization. I would limit it to either of the other options. Preferably tenant and domain admins, but if you have a group of people from Finance that you want to allow to add workspaces to the Finance domain, I'm happy with that too. Just don't use the default setting 😀
Luckily there's one more caveat to this that restricts it to hopefully a slightly smaller group: the documentation points out you also have to be a workspace admin to be able to use this feature, so that limits it to people that have an admin role in the workspace.
One more reason to not give everyone the admin role in your workspace by default!
Next to that, you can also audit for these changes by checking the audit log for Fabric, specifically the UpdateDataDomainFoldersRelationsAsAdmin operation, which gives you the activities when someone assigns (or unassigns) a workspace to/from a domain.
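One way to turn that audit check into a review of who is actually assigning workspaces to domains. This is an added example, not code from the original post: the allow-list, the sample events and the reliance on the `Operation`, `UserId` and `CreationTime` fields of exported activity events are assumptions.

```python
import json
from collections import defaultdict

DOMAIN_ASSIGN_OP = "UpdateDataDomainFoldersRelationsAsAdmin"  # operation named in the post

# Hypothetical allow-list: accounts you expect to assign workspaces to domains.
EXPECTED_CONTRIBUTORS = {"fabric.admin@contoso.example", "finance.domainadmin@contoso.example"}

# Constructed sample events (not real log data). Only Operation, UserId and
# CreationTime are used; their presence in the export is an assumption.
SAMPLE_EVENTS = json.loads("""
[
 {"CreationTime": "2024-05-02T08:15:00Z", "Operation": "UpdateDataDomainFoldersRelationsAsAdmin", "UserId": "Fabric.Admin@contoso.example"},
 {"CreationTime": "2024-05-02T09:40:00Z", "Operation": "ViewReport", "UserId": "someone@contoso.example"},
 {"CreationTime": "2024-05-03T13:05:00Z", "Operation": "UpdateDataDomainFoldersRelationsAsAdmin", "UserId": "analyst@contoso.example"},
 {"CreationTime": "2024-05-03T13:07:00Z", "Operation": "UpdateDataDomainFoldersRelationsAsAdmin", "UserId": "analyst@contoso.example"},
 {"CreationTime": "2024-05-04T10:00:00Z", "Operation": "UpdateDataDomainFoldersRelationsAsAdmin"}
]
""")


def unexpected_domain_assignments(events, expected=EXPECTED_CONTRIBUTORS):
    """Return {user: [timestamps]} for domain (un)assignments by users outside `expected`."""
    allowed = {u.lower() for u in expected}  # UPNs are compared case-insensitively
    findings = defaultdict(list)
    for ev in events:
        if ev.get("Operation") != DOMAIN_ASSIGN_OP:
            continue
        # A record without a user is reported rather than silently dropped.
        user = (ev.get("UserId") or "<unknown>").lower()
        if user not in allowed:
            findings[user].append(ev.get("CreationTime", "<no timestamp>"))
    return dict(findings)


if __name__ == "__main__":
    for user, times in sorted(unexpected_domain_assignments(SAMPLE_EVENTS).items()):
        print(f"{user}: {len(times)} domain assignment change(s) at {', '.join(times)}")
```

Any account it reports is a candidate for review: either it belongs in the Contributors group you configured, or the domain is still on the default setting.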
Conclusion
Domains give you a good option to manage and group the content in your organization.
Just be aware of the default settings when you create one. Set the contributors to the tenant and domain admins, or a security group, just don't use the default!
Let me know what you think, have you seen this default setting and more importantly, did you change it in any of your domains?
Thanks