We would like the setting ‘Report viewers can only access this data source with their own Power BI identities’ to be enforced at the tenant level, rather than being left as an optional configuration for individual report creators.

In our scenario, Snowflake is used as the data source, with Role-based Access Control (RBAC) in place: access privileges are assigned to roles, which are then are assigned to users. This measure helps secure access to sensitive data. For data governance and compliance purposes, we must ensure that, at the Power BI tenant level, only authorized users can access this data. Power BI must inherit this Snowflake security measure, ensuring that access controls based on roles and privileges are consistently enforced across both platforms.

However, we observed that when creating a Power BI report that reads confidential data from Snowflake using DirectQuery with Role-Based Access Control (RBAC), users who do not have access to the corresponding confidentiality role in Snowflake can still see the data, if this setting is not enabled.

 In the Power BI Service, under Data Source Credentials, there is an option labeled:

“Report viewers can only access this data source with their own Power BI identities.” 

If this option is selected, the role applied at the Snowflake level is enforced, and unauthorized users cannot view the data. However, if the report creator does not select this option and shares the report with viewer access, even with DirectQuery, those users will be able to see the confidential data, which violates the confidentiality controls defined in Snowflake.

That said, we are requesting that this setting be enforced at the tenant level to ensure it is not left to users' discretion. This security measure should be applied automatically, in alignment with our company's security policies, rather than relying on individual users to enable it.