Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Ask the Fabric Databases & App Development teams anything! Live on Reddit on August 26th. Learn more.

Reply
arpost
Post Prodigy
Post Prodigy

Is it possible to limit data propagated to a workspace for a given shortcut?

‎11-08-2024 09:54 AM

Greetings, all. I have an enterprise-oriented scenario and am wondering if anyone has suggestions around how to handle this. We want to segregate client reporting/data by workspace out of a centralized data warehouse. Ideally, we'd keep the data duplication to a minimum while still being able to leverage capabilities such as DirectLake given the data volume.

 

Here's my question: is it possible to use shortcuts from a lakehouse in one workspace to another but "filter" the data being shortcuted over? In other words, is it possible to ensure that a target workspace only contains a particular client's data?

Message 1 of 7
812 Views
0
6 REPLIES 6
arpost
Post Prodigy
Post Prodigy

‎11-18-2024 07:10 AM

Thank you for the replies, @frithjof_v and @FabianSchut. To clarify, we are working toward the use of Power BI Embedded in an app-owns-data scenario, so the isolation of data into separate workspaces is a data security redundancy. Here's a diagram illustrating the concept:

 

arpost_0-1731942581967.png

 

If isolated data workspaces are used for our organization, the thinking would be this would ensure there is a reduced risk of the wrong RLS role being granted access to other clients' data within the same dataset if data is segregated into different models and clients receive explicit access grants to models containing their data. Granted, there are tradeoffs elsewhere, but the logic here is that if a DAX role were misconfigured (easy thing to do), there still would be no chance another client's data would be surfaced.

Message 7 of 7
476 Views
0
Anonymous
Not applicable

‎11-10-2024 09:58 PM

Hi @arpost ,

Did the above suggestions help with your scenario? if that is the case, you can consider Kudo or Accept the helpful suggestions to help others who faced similar requirements.

If these also don't help, please share more detailed information and description to help us clarify your scenario to test.

How to Get Your Question Answered Quickly 

Regards,

Xiaoxin Sheng

Message 6 of 7
649 Views
0
frithjof_v
Super User
Super User

‎11-09-2024 10:21 AM

I created an Idea for it, please vote ☺️

 

Filter and RLS on OneLake shortcuts

https://ideas.fabric.microsoft.com/ideas/idea/?ideaid=3377564d-c79e-ef11-95f6-002248555ab4

Message 4 of 7
749 Views
FabianSchut
Super User
Super User
In response to frithjof_v

‎11-09-2024 11:53 PM

Just did 👍

Message 5 of 7
716 Views
0
FabianSchut
Super User
Super User

‎11-08-2024 03:45 PM

Hi, unfortunately, it is not possible to add some filters on the shortcuts you create from one workspace to another. Do the client's need to see the data in the lakehouses too? Or only the reports? If only reporting is important for the client, you can add row level security rules. The data will still be in the client's workspace, but inaccessible if set correctly. Another option is to have the data in the "main" workspace already seperated by client and unionen together in a view within the "main" workspace. You can then select the client specific data for shortcuts.

Otherwise you really need to copy the data with filters applied which results in data duplication.

Message 2 of 7
778 Views
0
frithjof_v
Super User
Super User
In response to FabianSchut

‎11-10-2024 01:37 AM

"If only reporting is important for the client, you can add row level security rules. The data will still be in the client's workspace, but inaccessible if set correctly"

 

Note that if you use this approach, the client should not have any workspace roles in the client workspace, because the workspace roles will give too much access. Instead, the client should only get item Read permission on the Power BI report or Power BI App. Sharing a Power BI report or Power BI App also automatically grants the recipient Read permission on the entire underlying semantic model. So it's important to use RLS (and/or OLS) to limit the amount of data the users can access. 

 

Another option would be to keep the semantic model in the main workspace, apply RLS/OLS to the semantic model, and share the Power BI report or Power BI App with the client with only Read permission. Again, remember that sharing a Power BI report (or Power BI App) also means sharing access to the underlying semantic model, so remember to use RLS/OLS if the users are not supposed to have access to all the data in the semantic model.

Message 3 of 7
702 Views
0

Helpful resources

Announcements
Fabric July 2025 Monthly Update Carousel

Fabric Monthly Update - July 2025

Check out the July 2025 Fabric update to learn about new features.

August 2025 community update carousel

Fabric Community Update - August 2025

Find out what's new and trending in the Fabric community.

View All