Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Join us for an expert-led overview of the tools and concepts you'll need to become a Certified Power BI Data Analyst and pass exam PL-300. Register now.

Reply
rebeccaETE
Helper I
Helper I

Object level security explained

‎10-25-2021 06:24 AM

Hi all, 

 

I'm looking into using Object Level Security (OLS) for a table in my data model but I can't wrap my head around the security roles. In all the videos I've seen on how to set-up OLS, they create a security group for "cannot view sensitive data", and then change the OLS to "None" for those users.

 

In my eyes, it would make more sense to create a "can view sensitive data" and set it to "Read" - and as a default every user not in that group cannot see the table. However, the default is currently equivalent to "read", so I don't see how you could do this.

 

The reason I'm worried is the management of it all. What I need is to publish the dataset to a workspace and subsequently publish to an app, which several distribution groups have access to. I can easily add the current distributions groups that should not be able to view the data into a "cannot view sensitive data" security group. But what happens if I suddenly create a new distribution group and grant them access to the app but forget to put them in the security group? Can they then see the data as a default? That seems risky to me. 

 

Can anyone help explain this set-up to me? 

 

Cheers 

Rebecca 

Labels:
Message 1 of 5
4,129 Views
0
1 ACCEPTED SOLUTION
rebeccaETE
Helper I
Helper I
In response to v-henryk-mstf

‎10-28-2021 12:21 AM

@v-henryk-mstf Hi Henry, 
Thanks for the link, I've already read it (and many others 😅

What I was unsure of - and couldn't seem to decipher from the blog posts - was whether someone not in any of the security roles could see the objects as a default. But I tested this yesterday, and found that if it's not specified whether an employee should see or not see the objects by OLS, then they can't access the report at all (it throws an error saying something like RLS is blocking access). If I put the employee in the "cannot see" OLS role, he could see only the visuals from un-secured objects in the report. And lastly, he could see everything when allocated the "can see" OLS role. 

 

So, some good-old fashion testing answered my question. I will close this post. 

 

Thanks 

View solution in original post

Message 5 of 5
4,004 Views
0
4 REPLIES 4
v-henryk-mstf
Community Support
Community Support

‎10-27-2021 11:41 PM

Hi @rebeccaETE ,

 

See if the following blog links are helpful to you.

Announcing public preview of Object-Level Security in Power BI | Microsoft Power BI Blog | Microsoft...


If the problem is still not resolved, please point it out. Looking forward to your reply.


Best Regards,
Henry


If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.

Message 4 of 5
4,023 Views
0
rebeccaETE
Helper I
Helper I
In response to v-henryk-mstf

‎10-28-2021 12:21 AM

@v-henryk-mstf Hi Henry, 
Thanks for the link, I've already read it (and many others 😅

What I was unsure of - and couldn't seem to decipher from the blog posts - was whether someone not in any of the security roles could see the objects as a default. But I tested this yesterday, and found that if it's not specified whether an employee should see or not see the objects by OLS, then they can't access the report at all (it throws an error saying something like RLS is blocking access). If I put the employee in the "cannot see" OLS role, he could see only the visuals from un-secured objects in the report. And lastly, he could see everything when allocated the "can see" OLS role. 

 

So, some good-old fashion testing answered my question. I will close this post. 

 

Thanks 

Message 5 of 5
4,005 Views
0
amitchandak
Super User
Super User

‎10-25-2021 06:37 AM

@rebeccaETE ,

 

Have you checked if sensitivity label or masking can help?

https://docs.microsoft.com/en-us/power-bi/admin/service-security-apply-data-sensitivity-labels

 

https://radacad.com/secure-the-sensitive-data-in-power-bi-data-masking-better-with-row-level-securit...

Share with Power BI Enthusiasts: Full Power BI Video (20 Hours) YouTube
Microsoft Fabric Series 60+ Videos YouTube
Microsoft Fabric Hindi End to End YouTube
Message 2 of 5
4,081 Views
0
rebeccaETE
Helper I
Helper I
In response to amitchandak

‎10-25-2021 07:52 AM

@amitchandak Yes, the thing is that I do want to restrict access to the content, and as I can gather with: 

 

Masking: "Sometimes, you want to show all the information to all the users, but you want to hide the sensitive data"- I don't want to show all the information to all the users. I want them to see nothing at all, if they don't have the right access level. 

 

and 

 

Sensitivity labels: "In the Power BI service, sensitivity labeling does not affect access to content. " - I do want to affect access. 

Message 3 of 5
4,057 Views
0

Helpful resources

Announcements
Join our Fabric User Panel

Join our Fabric User Panel

This is your chance to engage directly with the engineering team behind Fabric and Power BI. Share your experiences and shape the future.

June 2025 community update carousel

Fabric Community Update - June 2025

Find out what's new and trending in the Fabric community.

View All