Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

View all the Fabric Data Days sessions on demand. View schedule

Reply
NorahTran97
Frequent Visitor

Grant semantic model access to end users

‎09-16-2025 03:31 PM

My scenario as below

  • Workspace A
    • Dataset1 + Report1
    • Dataset2 + Report2
  • Workspace B
    • Report3 → uses Dataset1 + Dataset2 from Workspace A
    • I did not explicitly grant users access to Dataset1 or Dataset2
  • Issue 1: Internal users can see data from Dataset1 but not Dataset2
  • Issue 2: some of internal users are auto granted access to Dataset1 but some don’t

I don’t understand why there are inconsistencies like the two issues above. My expectation was that whenever I share a report built on semantic models with end users, I would need to grant them at least Read permission on the underlying dataset to allow them to view the report. However, in my situation, some reports work without explicitly granting dataset permissions, while others require it.

Labels:
Message 1 of 7
475 Views
1 ACCEPTED SOLUTION
Poojara_D12
Super User
Super User

‎09-18-2025 09:49 PM

Hi @NorahTran97 

What you’re observing comes down to how Power BI enforces dataset permissions when reports are built on semantic models across workspaces, and why it sometimes feels inconsistent. By design, whenever you share a report that relies on a dataset, the end user must also have at least Read access to that underlying dataset, otherwise the report cannot render. However, there are scenarios where access can be inherited or implicitly granted. For example, if a dataset resides in a workspace backed by Premium capacity and the report is shared through an app or has “Build” permission exposed, some users may be able to view data without you explicitly assigning dataset permissions. This explains why some of your internal users are able to see Dataset1 automatically. Dataset2, on the other hand, likely does not have those same conditions (e.g., no implicit Build permissions, different workspace settings, or stricter security like RLS), so access must be explicitly granted. The inconsistency arises because access behavior depends on a mix of factors: whether the dataset and report live in the same or different workspaces, whether the workspace is Premium, how the report was shared (directly, via app, or link), and whether users already have implicit permissions. In short, your original expectation is correct—best practice is to always grant users Read (and Build, if needed) on any dataset that underpins a shared report to avoid these unpredictable access differences.

 

Did I answer your question? Mark my post as a solution, this will help others!
If my response(s) assisted you in any way, don't forget to drop me a "Kudos"

Kind Regards,
Poojara - Proud to be a Super User
Data Analyst | MSBI Developer | Power BI Consultant
Consider Subscribing my YouTube for Beginners/Advance Concepts: https://youtube.com/@biconcepts?si=04iw9SYI2HN80HKS

View solution in original post

Message 7 of 7
331 Views
6 REPLIES 6
Poojara_D12
Super User
Super User

‎09-18-2025 09:49 PM

Hi @NorahTran97 

What you’re observing comes down to how Power BI enforces dataset permissions when reports are built on semantic models across workspaces, and why it sometimes feels inconsistent. By design, whenever you share a report that relies on a dataset, the end user must also have at least Read access to that underlying dataset, otherwise the report cannot render. However, there are scenarios where access can be inherited or implicitly granted. For example, if a dataset resides in a workspace backed by Premium capacity and the report is shared through an app or has “Build” permission exposed, some users may be able to view data without you explicitly assigning dataset permissions. This explains why some of your internal users are able to see Dataset1 automatically. Dataset2, on the other hand, likely does not have those same conditions (e.g., no implicit Build permissions, different workspace settings, or stricter security like RLS), so access must be explicitly granted. The inconsistency arises because access behavior depends on a mix of factors: whether the dataset and report live in the same or different workspaces, whether the workspace is Premium, how the report was shared (directly, via app, or link), and whether users already have implicit permissions. In short, your original expectation is correct—best practice is to always grant users Read (and Build, if needed) on any dataset that underpins a shared report to avoid these unpredictable access differences.

 

Did I answer your question? Mark my post as a solution, this will help others!
If my response(s) assisted you in any way, don't forget to drop me a "Kudos"

Kind Regards,
Poojara - Proud to be a Super User
Data Analyst | MSBI Developer | Power BI Consultant
Consider Subscribing my YouTube for Beginners/Advance Concepts: https://youtube.com/@biconcepts?si=04iw9SYI2HN80HKS
Message 7 of 7
332 Views
v-tsaipranay
Community Support
Community Support

‎09-18-2025 08:58 PM

Hi @NorahTran97 ,

Thank you for reaching out to the Microsoft fabric community forum and thank you @lbendlin for your helpful resposne.

Thank you for the additional details. When sharing through the app with organization-wide access, users need to have the app installed and registered. If your tenant admin hasn’t enabled auto app installation, each user must open both apps at least once to complete registration; otherwise, access to datasets may not be consistent.

To ensure consistent access:

  • Check with your Power BI tenant admin if auto app installation is enabled. If not, share direct links to both apps so users can install them as needed.
  • It’s also a good idea to assign Read permission on the semantic models (datasets) directly to your audience, so they don’t have to rely on app registration.

Surge protection is managed at the capacity level by your admin and usually doesn’t affect dataset permissions, but the admin can check capacity settings to confirm everything is set up correctly.

These steps will help ensure all users can reliably access reports based on shared datasets.
Please review the following documentation for more detailed information and a clearer understanding: 
Semantic model permissions - Power BI | Microsoft Learn

Manage semantic model access permissions - Power BI | Microsoft Learn

Hope this helps. Please feel free to rech out for any further questions.


Thank you .

 

Message 5 of 7
349 Views
0
NorahTran97
Frequent Visitor
In response to v-tsaipranay

‎09-18-2025 09:31 PM

Hi, @v-tsaipranay 

Thanks for your response.

Issue 1:  Internal users can see data from Dataset1 but not Dataset2

Now I understand the situation. Basically, they need to open the direct link to both Dataset1 and Dataset2 to complete registration. Once that’s done, when I share Report3 (which uses both datasets), end users can view it. It’s clear now.

 

Issue 2: Some internal users are auto-granted access to Dataset1, while others are not.

Let me explain: I created another report (Report4) using Dataset1, so the report and dataset belong to two different workspaces. From my understanding (see the below link), I need to share permissions on the semantic model (Dataset1) to allow end users to view Report4. However, in my case, I didn’t explicitly grant dataset permissions, yet a few users are still able to see Report4.

Could it be that because Report1 (which also uses Dataset1 in the same workspace) was shared with some users, they were automatically granted access to Dataset1? Then, when I share Report4, only users who already had access to Report1 can view it, while others who never had access to Dataset1 cannot view Report4.

 

Thank you!
link: Use composite models in Power BI Desktop - Power BI | Microsoft Learn

Message 6 of 7
340 Views
0
NorahTran97
Frequent Visitor

‎09-16-2025 06:45 PM

- Are you sharing via the workspace or the app? -->  sharing via app

- Are you allowing reshare? --> No

- Are you sharing to individuals or distribution lists? --> At the “Audience” step when sharing the app, I selected Grant access to “Entire Organization.”

- How long has this been in use, was it previously owned by someone else? --> Just started using the app and sharing via the app; previously, I mainly shared the report only.

- Are these workspaces in the same capacity? --> yes, all same

- Do you have Surge protection enabled on that capacity? --> Not sure how to check this

Message 3 of 7
403 Views
0
lbendlin
Super User
Super User
In response to NorahTran97

‎09-16-2025 07:17 PM

I wouldn't share to "Entire Organization" but that's up to you.

- Has your tenant admin enabled auto app installation?  If not then your report users must "install" (register) BOTH apps for this to work.  Ie they must have clicked on BOTH app links once.

Message 4 of 7
395 Views
0
lbendlin
Super User
Super User

‎09-16-2025 05:51 PM

Lots of things to unpack here. 

- Are you sharing via the workspace or the app?

- Are you allowing reshare?

- Are you sharing to individuals or distribution lists?

- How long has this been in use, was it previously owned by someone else?

- Are these workspaces in the same capacity?

- Do you have Surge protection enabled on that capacity?

Message 2 of 7
426 Views
0

Helpful resources

Announcements
November Power BI Update Carousel

Power BI Monthly Update - November 2025

Check out the November 2025 Power BI update to learn about new features.

Fabric Data Days Carousel

Fabric Data Days

Advance your Data & AI career with 50 days of live learning, contests, hands-on challenges, study groups & certifications and more!

FabCon Atlanta 2026 carousel

FabCon Atlanta 2026

Join us at FabCon Atlanta, March 16-20, for the ultimate Fabric, Power BI, AI and SQL community-led event. Save $200 with code FABCOMM.

View All
Top Solution Authors
View All
Top Kudoed Authors
View All