Re: Sharing Data Models (With/Without RLS) from Sh...

GauravSinghPBI · ‎07-28-2025

Hi All,

We are trying to implement Power BI reporting solution in Premium capacity. We have below requirement

We will have our dedicated shared workspace which will be accessed by technology team (Contributors) and technology people will be creating Semantic Model (With/Without RLS) and Reports/Dashboards to consume by business teams in their dedicated workspaces.

Technology team can provide the permissions on selected Semantic Models not all to business teams
There will be business users who will be viewer on their dedicated workspace and should view the reports/dashboards shared by tech team from shared workspace
There will be power business users who will be having Contributor access on their dedicated workspace and should be able to create the reports/dashboards using shared workspace Semantic Model
In both the above scenarios, functionality should work for RLS/Non-RLS enabled Semantic Models

How we can implement this security model in Power BI platform.

Thanks,

Gauav

v-prasare · ‎08-21-2025

Hi @GauravSinghPBI,

We are following up once again regarding your query. Could you please confirm if the issue has been resolved through the support ticket with Microsoft?
If the issue has been resolved, we kindly request you to share the resolution or key insights here to help others in the community. If we don’t hear back, we’ll go ahead and close this thread.
Should you need further assistance in the future, we encourage you to reach out via the Microsoft Fabric Community Forum and create a new thread. We’ll be happy to help.

Thank you for your understanding and participation.

v-prasare · ‎08-18-2025

In this scenario i suggest you to raise a support ticket here. so, that they can assit you in addressing the issue you are facing. please follow below link on how to raise a support ticket:

How to create a Fabric and Power BI Support ticket - Power BI | Microsoft Learn

v-prasare · ‎08-04-2025

Hi @GauravSinghPBI,

We would like to follow up to see if the solution provided by the super user resolved your issue. Please let us know if you need any further assistance here.

@rohit1991 & @FBergamaschi , thanks for your prompt response.

Thanks,

Prashanth Are

MS Fabric community support

rohit1991 · ‎07-28-2025

Hi @GauravSinghPBI ,

Here’s how you can achieve both RLS and non-RLS data model sharing from a central/shared workspace to multiple dedicated workspaces, without duplicating models:

1. Centralize your Semantic Models Keep your certified/official semantic models (datasets) in a central “shared” workspace. Assign only Contributors from the tech team to this workspace. They’ll manage and update the semantic models, set up RLS roles, and maintain data governance.

2. Grant Build Permission In the central workspace, give “Build” permission on the dataset to users/groups who need to connect from other workspaces. This allows users in their own workspaces (or business unit workspaces) to connect to the shared dataset using “Get data > Power BI datasets” and build their own reports and dashboards.

3. RLS Enforcement If you have RLS set up in the shared dataset, it will be enforced no matter where users consume the data (their workspace, shared workspace, apps, etc.). Users will only see data they’re authorized to view.

4. Non-RLS Use For non-RLS models, simply control access through workspace permissions and Build access.

5. Separation of Duties Only tech/admin users manage the dataset. Business users have Contributor or Member roles in their own workspaces, but only Viewer/Build on the central dataset.

6. Sharing Reports and Dashboards Business users can publish reports/dashboards in their own workspace, built on top of the shared semantic model. There’s no need to copy or duplicate the dataset.

You can monitor which reports and dashboards across your environment are using the central dataset by checking its “Related content” in the shared workspace, or by using the Power BI Activity log for more detailed usage auditing.

Did it work? ✔ Give a Kudo • Mark as Solution – help others too!

GauravSinghPBI · ‎07-28-2025

Hi @rohit1991 - Thanks for detailed explanation on our use case. Few more doubts.

1. Any other setting which we need to do to achive this use case?

2. Do we need to provide access on shared workspace also to business viewers/contributors or the permission on Models will suffice.

3. Do we need to provide any permission to business users on models who have viewer access on their own worspace to view the report/dashboard shared by either business users (contributors) in dedicated workspace or tech team from shared workspace?

4. We are planning to create 15-20 dedicated workspace for business users with RLS or without RLS permissions or shared Models from shared workspace, what is the best way to achieve this so that access mechanism is not complex and remain simple.

5. We will be connecting to AWS Athena to fetch the data in Power BI, can we have the RLS Group for RLS security in Models in line to the data security in AWS? Do that we don't have to create new one.

Thanks,

Gaurav

rohit1991 · ‎07-28-2025

Hi @GauravSinghPBI ,

1.No special hidden settings are required beyond what’s been described. The essentials are:

Mark your dataset as certified (optional, but good practice for discoverability).
Assign Build permission to the business users or their security groups directly on the dataset in the shared workspace.
Make sure the business users have at least Contributor role in their own workspace if they need to create/save reports.

2. Business users do NOT need Contributor access in the shared workspace—just Build permission on the dataset. Contributor in their own workspace is enough for creating content. If they’re only viewing, Viewer is fine.

3.Always grant Build permission at the dataset level (not the workspace) and assign it via security groups if possible. This way, each business unit only sees what’s meant for them, and you keep things manageable at scale.

4.Security groups are your best friend here. Map each group to the appropriate dataset’s Build permission, and manage those groups via Azure AD. For 15-20+ workspaces, this approach is much easier to maintain than user-by-user assignments. If you want to automate, PowerShell or the Power BI REST API works great for scripting permission assignments.

5.Power BI’s native RLS works on imported or DQ datasets hosted in Power BI, but not on Athena DirectQuery sources. If you need RLS with Athena, set up security at the Athena (or AWS Glue) level, or consider importing the data into Power BI where you can apply RLS directly.

Did it work? ✔ Give a Kudo • Mark as Solution – help others too!

GauravSinghPBI · ‎07-29-2025

Manu Thanks @rohit1991

Basically what we are saying that if 100 business users have contributor access on dedicated workspace will also requires respective security groups, and these security groups are Azure AD Groups and we can decide which security groups business user is member of and UER process can be in place for them. If we decide 10 security groups for a business workspace, the users will see differrtn data as per security group. There may be 100-200 security groups for 10-15 workspaces. hope my understanding is correct.

But when we talk abount Athena datasource, what security we need to put in at the Athena, that i am not getting. We will be connecting to Athena via service acocunt then how Athena security can be placed for our scenarion?

Thanks,

Gaurav

rohit1991 · ‎07-29-2025

Hi @GauravSinghPBI ,

Yes,. For Athena, security should be managed at the AWS level, typically via IAM roles, policies, and permissions on the Athena tables/datasets. If you’re using a service account, make sure it has access only to the required datasets, and use Athena/AWS Glue-level permissions to restrict what each group can query. Power BI RLS won’t apply directly so secure access at the data source before it reaches Power BI.

Did it work? ✔ Give a Kudo • Mark as Solution – help others too!

GauravSinghPBI · ‎07-31-2025

Thanks @rohit1991

We would like to understand how we can replicate the Data security in AWS to Power BI. Definitely we do not want the additional roles in Power BI if we can replicate what is there in AWS.

All Power BI Data Flows will be connecting to AWS using same Service account and then how we can segreagate the permission using sungle service account. Do we need to pass additional info with service accout which can bifurcate the data access.

Could we know the steps involved to achieve this?

Thanks,

Gaurav

GauravSinghPBI · ‎07-29-2025

Thanks @rohit1991

We would like to understand how we can replicate the Data security in AWS to Power BI. Definitely we do not want the additional roles in Power BI if we can replicate what is there in AWS.

All Power BI Data Flows will be connecting to AWS using same Service account and then how we can segreagate the permission using sungle service account. Do we need to pass additional info with service accout which can bifurcate the data access.

Could we know the steps involved to achieve this?

Thanks,

Gaurav

GauravSinghPBI · ‎08-03-2025

Hi @rohit1991 - Could you please have a look on my question.

Thanks,

Gaurav

FBergamaschi · ‎07-28-2025

So what is the question? It seems you have already outlined the way to do this, are you experiencing issues?

Sharing Data Models (With/Without RLS) from Shared Workspaces to dedicated Workspaces

Helpful resources

Power BI Monthly Update - September 2025

How to Get Your Question Answered Quickly

FabCon is coming to Atlanta

Sharing Data Models (With/Without RLS) from Shared Workspaces to dedicated Workspaces

Helpful resources

Power BI Monthly Update - September 2025

How to Get Your Question Answered Quickly