Problem

Today, when using thin reports (live connection to a shared semantic model) in Power BI Apps, end users must be granted Build permission on the dataset for report queries to execute.

Build permission also enables model exploration capabilities such as:

- Analyze in Excel

- Creation of personal reports

- Visibility of the semantic model structure

This creates a governance issue for regulated domains such as HR and Finance, even when Row-Level Security (RLS) is correctly enforced.

Why this matters

Power BI Apps are designed to distribute content to broad, non-technical audiences using:

- One governed semantic model

- Many thin reports

- Multiple app audiences

However, the current permission model forces organizations to choose between:

- Security (no Build permission, therefore no thin reports), or

- Scalability (thin reports with Build permission exposure)

As a result, teams are pushed into suboptimal workarounds:

- Duplicating semantic models per report

- Limiting access to very small trusted audiences

- Avoiding App-based distribution entirely

This breaks the intended “one model, many audiences” architecture.

Proposed enhancement

Introduce a viewer-level execution permission for datasets used by thin reports in Power BI Apps. This would allow:

- Execution of predefined report queries

- Full enforcement of Row-Level Security

- App-based distribution to broad audiences

Without enabling Build or model exploration capabilities.

Business value

This would enable secure, large-scale Power BI App distribution, reduce semantic model duplication and maintenance overhead, and better support regulated enterprise use cases such as HR and Finance.