Get certified for free when you join Fabric Data Days 2026 and dive into Fabric, Power BI, SQL, AI, and other essential data skills.
Join nowJuly 7 - July 17 | Round 2 of the Power BI Dataviz World Championships. Don't miss your chance! Learn more
Hi,
We embed reports in our web application for our clients using the Javascript API (App Owns Data). I have a question about the best way of securing the data of a PowerBI report/model.
My simple scenario:
I could assume that because in my report I don't display the sales data in a table (I only have a card with my measure) that the user can't see the underlying data of the sales table. But someone with knowledge of the Javascript API could modify the code in the browser and could see that data (for example by activating edit mode, by using it in a custom app with the PowerBI Report Authoring library, etc...).
Am I right in assuming that the only way to prevent this is to aggregate the table in the model and using RLS on the sales tables?
I don't want to scare our clients, but should we say "the model should only have the tables that you want your end users to see. If you don't want users to see some data, don't put it in the model without RLS"?
Thanks!
Join us in Barcelona for FabCon and SQLCon, the Fabric, Power BI, SQL, and AI community event. Save €200 with code FABCMTY200.
Join Fabric Data Days 2026: 60 days of free live/on-demand sessions, challenges, study groups, and certification opportunities.
| User | Count |
|---|---|
| 2 | |
| 1 | |
| 1 | |
| 1 | |
| 1 |
| User | Count |
|---|---|
| 5 | |
| 3 | |
| 2 | |
| 2 | |
| 2 |