We have created a Unity Catalog instance on top of our Lakehouse (built entirely with Azure Databricks). We are using Power BI to develop and serve our analytics and reporting needs. I've granted the "Account Users" group the appropriate privileges for the given catalog/schema being used by Power BI (SELECT, USE SCHEMA, USE CATALOG, BROWSE, EXECUTE, and READ VOLUME) and our Azure Databricks account is linked to our Microsoft Entra, so all of our Entra users are synced to the "Account Users" group at the Account level (we use Entra authentication in Power BI). However, it seems our users cannot access the data in the Power BI reports without also being added to the Azure Databricks Workspace, which we don't want as these are non-technical users and we don't want them potentially creating their own notebooks or playing with ML experiments, etc.
Is there a way to grant access to Unity Catalog data WITHOUT giving users access to the Databricks workspace? I would think that since the metastore is managed at the Account level (as are the users who are added to the "Account Users" group, which is an Account level group, not a workspace group) that granting the Account Users group access to the schema (which can be shared across multiple workspaces if those workspaces belong to the same metastore) should be sufficient, but any user who attempts to access the Power BI reports that ISN'T a member of the actual workspace receives a "Microsoft ThriftExtension(14) exception: Unauthorized/Forbidden error response". If there is a workaround for this, please let me know so I can properly configure these users.