In an ideal world, we would have a different data model for every user profile. In the real world, we need a "Golden Dataset" that serves everyone, from the CEO (who sees everything) to the sales intern (who only sees their own region).

Many developers stop at Row-Level Security (RLS). But what happens when we need to hide a whole column of sensitive data, like "Salary" or "Profit Margin"? This is where many reports fail, showing frustrating visual errors.

In this article, we will explore how to combine RLS (Row Level Security), OLS (Object Level Security) and Dynamic Masking. We will also share an essential trick using Field Parameters to avoid broken visuals.

The Basics: RLS (Row-Level Security)

What it does: Filters rows of data. It is the "horizontal slice".

Scenario: A manager from Lisbon should only see sales from Lisbon.

RLS is the first line of defence. In its dynamic form, we use the USERPRINCIPALNAME() function to filter the fact or dimension table based on the user's login.

The Typical DAX Code:

-- Applied to the security table or Employees dimension 
[Email] = USERPRINCIPALNAME()

Where RLS isn't enough:

Although the user cannot see data from other regions, they can still see that a column named "UnitCost" or "BaseSalary" exists in the model's metadata. If the goal is to hide the existence of the column, RLS does not work.

Heavy Protection: OLS (Object-Level Security)

What it does: Removes entire tables or columns from the model for specific users. It is "vertical security".

Scenario: The Sales team sees Revenue, but only the Finance team can see the Profit Margin. Unlike RLS, OLS physically removes the object from the schema for that user. To set this up, we need to use external tools like Tabular Editor, because Power BI Desktop does not do this natively for columns yet.

The Big Problem with OLS (and the Solution):

If you create a visual with the [Margin] column and apply OLS to hide it from a user, Power BI will try to query a column that "does not exist". Result: The visual breaks completely and shows a error.

The Pro Solution:

To avoid creating two separate reports, use Field Parameters. When you place measures inside a Field Parameter, Power BI dynamically checks if the user has OLS permission for the underlying columns.

 If the user has access: The "Margin" measure appears in the chart.

 If the user does not have access: The "Margin" measure is silently removed from the Parameter.

The chart automatically readjusts to show only "Sales", without any errors.

The Middle Ground: Dynamic Masking with DAX

What it does: Shows that the data exists, but hides the real value.

Scenario: A Call Centre needs to confirm the last 4 digits of a credit card or Tax ID, but cannot see the full number. Because Power BI in Import mode does not support native SQL Server masking in the same way as DirectQuery, we have to simulate this with DAX.

This pattern checks the user and replaces the text, except for the last few characters.

Masked TaxID = 
VAR Real_TaxID = SELECTEDVALUE(Customers[TaxID]) 
VAR CurrentUser = USERPRINCIPALNAME() 
VAR HasPermission = -- Logic to check if the user is in the permissions table CALCULATE(COUNTROWS(Permissions), Permissions[Email] = CurrentUser) > 0 
RETURN 
IF( HasPermission, Real_TaxID, "***-***-" & RIGHT(Real_TaxID, 3) -- Shows only the last 3 characters )

Note: For numeric columns, it is recommended to return BLANK() instead of text so you do not break the chart scales.

Summary Comparison

Conclusion

Modern security in Power BI requires a layered approach ("Defence in Depth"). Use RLS for market segmentation, OLS (with Field Parameters) to protect trade secrets, and Masking for privacy compliance (GDPR) without losing operational context.

Do you have questions about how to implement? Leave your question in the comments below!