Key Concepts

Before setting up your DataCentral environment, it's important to understand the core terminology and architecture. DataCentral uses a hierarchical, multi-tenant model designed for scale and security.


1. Instance

An Instance is the top-level deployment of DataCentral. It represents the physical or logical installation of the platform.

  • Who manages it? The Host Administrator (typically DataCentral staff, or an Enterprise customer hosting their own instance).
  • What does it do? An instance manages multiple Tenants. It handles the underlying database connections, overarching security policies, and the creation of subdomains for the tenants it hosts.

2. Tenant

A Tenant is an isolated workspace within an Instance. It is a logical boundary that contains its own users, roles, reports, and settings.

  • Who manages it? The Tenant Administrator.
  • What does it do? A tenant represents a specific organization, customer, or business unit. For example, if you are a SaaS provider using DataCentral to share data with your clients, each of your clients would have their own Tenant.
  • Isolation: Tenants are completely isolated from one another. A user in Tenant A cannot see the users, roles, or reports in Tenant B.

3. Organizational Unit (OU)

An Organizational Unit (OU) is a structural container within a Tenant used to organize users hierarchically.

  • Why use OUs? OUs allow administrators to group users logically—such as by region, department, or partner company.
  • Integration: OUs can be directly linked to Entra ID (Azure AD) Security Groups. When a user is added to an Entra ID group, they are automatically synced into the corresponding OU in DataCentral, streamlining user management.

4. Roles

Roles define what a user is allowed to do or see within a Tenant. DataCentral uses three distinct layers of roles:

  1. System Roles: Define administrative privileges (e.g., Tenant Admin, User Manager).
  2. Report Roles: Define which specific Power BI reports or dashboards a user is allowed to view.
  3. RLS Roles (Row-Level Security): Define the specific slice of data a user can see within a report (e.g., "Only show data for the EMEA region").

5. Row-Level Security (RLS)

Row-Level Security (RLS) is a mechanism that restricts data access for given users at the database row level. DataCentral extends Power BI's native RLS capabilities to make them easier to manage at scale.

  • Role Codes: Simple text strings assigned to users in DataCentral that map directly to RLS roles defined in Power BI Desktop.
  • Dynamic RLS: Uses the UserPrincipalName() function in Power BI DAX to filter data dynamically based on the logged-in user's identity.
  • Smart RLS: A DataCentral-specific feature that allows you to pass multiple role codes to a single dynamic role, simplifying the management of complex, large-scale data segmentation without needing to create hundreds of individual roles in Power BI.
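The Dynamic RLS pattern above, sketched as a Power BI role filter. This is an added example, not DataCentral's own code: the role name DynamicRegion, the fact table Sales and the mapping table UserRegion(UserEmail, Region) are hypothetical names, and the mapping rows are assumed to be maintained by an administrator.

```dax
-- Row filter defined on the Sales table for a role named "DynamicRegion"
-- (Power BI Desktop: Modeling > Manage roles). All table, column and role
-- names here are hypothetical and chosen for illustration.
--
-- Constructed sample content of UserRegion:
--   UserEmail            Region
--   anna@contoso.com     EMEA
--   anna@contoso.com     APAC
--   ben@contoso.com      AMER
--
-- The expression is evaluated once per Sales row; a row is visible only
-- when it evaluates to TRUE.
VAR CurrentUser = USERPRINCIPALNAME ()
VAR AllowedRegions =
    SELECTCOLUMNS (
        FILTER ( UserRegion, UserRegion[UserEmail] = CurrentUser ),
        "Region", UserRegion[Region]
    )
RETURN
    -- Deny by default: a user with no mapping rows gets an empty
    -- AllowedRegions set, so no Sales row passes the filter.
    Sales[Region] IN AllowedRegions
```

With the constructed rows, anna@contoso.com sees EMEA and APAC sales, ben@contoso.com sees AMER only, and any identity missing from UserRegion sees nothing. When testing a role like this, check the unmapped-user case explicitly, since an overly broad fallback there defeats the segmentation.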

6. Service Principals

A Service Principal is an identity created for use with applications, hosted services, and automated tools to access Microsoft Azure resources.

In DataCentral, Service Principals are used to securely authenticate with Power BI and Microsoft Graph on behalf of your users. This allows DataCentral to embed reports for users who may not have their own native Power BI Pro licenses (a concept known as "License Pooling" or "App Owns Data").


Next Steps

Now that you understand the terminology, you can learn more about How It Works or review the Subscription Tiers.