Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Compete to become Power BI Data Viz World Champion! First round ends August 18th. Get started.

Reply
frithjof_v
Super User
Super User

End users' permissions on semantic model

‎08-22-2024 07:28 AM

Hi,

 

I have some theoretical questions related to the below information (see quotes below):

 

  • Does a report reader have permission to read all the data in a semantic model unless it's restricted by RLS or OLS?
  • Does a report reader have permission to read the DAX code in measures or calculated tables and columns?
  • Does a report reader have permission to see which RLS roles exist in the model?
  • Does a report reader have permission to read the DAX code used in RLS role definitions?
  • Does a report reader have permission to read the Power Query M code?
  • Does a report reader have permission to read the data at different stages of the Power Query M code? 

 

"When you share a report or dashboard, the people you share it with can view it and interact with it, but can't edit it. The recipients see the same data that you see in the reports and dashboards. They also get access to the entire underlying semantic model, unless row-level security (RLS) is applied to it."

 

https://learn.microsoft.com/en-us/power-bi/collaborate-share/service-share-dashboards

 

 

"For example, when you share a report, you also share access to the semantic model below. You need to define security on the semantic model using Row Level Security (RLS) or Object Level Security (OLS) to prevent a report consumer from accessing all the data in the semantic model. By default, the read access of a report consumer isn't restricted to the elements and data they see in the report, but access restrictions can be enforced in the semantic model thanks to RLS and OLS. Use RLS to restrict access to rows of data being returned, and OLS to restrict the access to columns and tables. When you hide a table, column, measure, visual, or report page, on the other hand, that doesn't prevent a report user from accessing these hidden elements. Hiding therefore isn’t a security measure, but an option to provide a clutter-free user experience focused on specific tasks or goals."

 

 

https://learn.microsoft.com/en-us/power-bi/collaborate-share/service-how-to-collaborate-distribute-d...

 

 

Thanks in advance!

Labels:
Message 1 of 5
1,115 Views
0
4 REPLIES 4
frithjof_v
Super User
Super User

‎08-23-2024 12:06 AM

"For example, when you share a report, you also share access to the semantic model below. You need to define security on the semantic model using Row Level Security (RLS) or Object Level Security (OLS) to prevent a report consumer from accessing all the data in the semantic model. By default, the read access of a report consumer isn't restricted to the elements and data they see in the report (...)"

 

Quote from the docs.

 

So I understand that when we share a report to a consumer, i.e. Read permission, we share access to the underlying semantic model.

 

As an example, think of Copilot, which enables users to easily access data which is not visible in the report. https://learn.microsoft.com/en-us/power-bi/create-reports/copilot-ask-data-question

 

There are also other, existing ways for the users to access data which is not visible in the report.

 

So I am wondering which parts of a Power BI semantic model is theoretically available to a user with Read access? Only the data, or metadata like table and column names, measure names, relationships, roles? What about DAX code? What about M code?

Ref. the bullet points in my original post. 

Message 3 of 5
1,031 Views
0
Tutu_in_YYC
Super User
Super User
In response to frithjof_v

‎08-23-2024 07:50 AM

My earlier reply contains responds to your bullet points. 

Re what Copilot reads, i can only assume it is based on what it is being asked to do and based on data that is available to the user ie data that is protected by OLS/RLS should not be included. But there are already reports about Copilot going around RLS

https://community.fabric.microsoft.com/t5/Service/Using-Copilot-to-circumvent-Row-Level-Security/td-...

Solution to the above issue has been delivered
https://community.fabric.microsoft.com/t5/Issues/Copilot-answering-data-questions-outside-of-Row-Lev...

Message 4 of 5
999 Views
frithjof_v
Super User
Super User
In response to Tutu_in_YYC

‎08-28-2024 12:00 AM

Thank you @Tutu_in_YYC ,

 

I appreciate your responses and the information you shared!

 

It's also interesting to read that a user reported that Copilot preview didn't respect RLS settings. If what the user says is real, then I am both surprised and concerned about that. However I can't know if that user had set up the RLS properly.

 

I appreciate your responses, still as you say: 

 

"These responds are based on testing and experience, but may not be 100% accurate as PBI changes all the time, exceptions exist, new tools appears, and new mode like direct lake provides a different set of management tools. Also, i could be wrong too..

 

If you see anything that may be outdated, incorrect or something that needs confirmation/context, let me know and we can try to update information."

 

I want to know what is the theoretical boundaries of the Read role. This way, I can be confident that no new features or changes in Power BI software will expose unintended data/metadata to the end users.

 

Because I want to know if for example Copilot (or API queries, etc.) can give the end users access to DAX code or M code or RLS roles names in my semantic model. Does the end user theoretically have permission to read the comments in my DAX code / M code?

 

I want to know the specific implications of "when you share a report, you also share access to the semantic model below" (quote from the docs). Which parts of the semantic model does it refer to? All of it? Or only the data content + table/column/measure names + relationships, for example?

Message 5 of 5
945 Views
0
Tutu_in_YYC
Super User
Super User

‎08-22-2024 09:19 AM

I am assuming that "Report Reader" is basically a user that has been given Read permission to a report, which could be done by clicking "Share".  And the option "Allow recipient to build content..." is not selected. And the user doesnt have access to the workspace.

Tutu_in_YYC_0-1724341957631.png

Based on the above:

  • Does a report reader have permission to read all the data in a semantic model unless it's restricted by RLS or OLS?
    • Yes, but only through the visuals in the report.
    • Report reader can see the tables and columns if they click on View semantic model but cannot see/explore the data within the tables
    • Data exploration is usually done through either analyze in excel or connecting to semantic model through pbi desktop - this requires build permission
    • Exception: If you have Personalize visual enabled, then report reader can visualize data from any columns/tables within the report/semantic model (except for hidden tables/columns)

  • Does a report reader have permission to read the DAX code in measures or calculated tables and columns?
    • No, this may require edit rights which acquired through access to the workspace with role Contributor and above

  • Does a report reader have permission to see which RLS roles exist in the model?
    • No, this may require edit rights 
    • Members with edit rights will see these under Security or in PBIX 

 

  • Does a report reader have permission to read the DAX code used in RLS role definitions?
    • No, this may require edit rights
    • This has to be viewed in PBIX or external tools like Tabular Editor

  • Does a report reader have permission to read the Power Query M code?
    • No, this may require edit rights 
    • This has to be viewed in PBIX or external tools like Tabular Editor

 

  • Does a report reader have permission to read the data at different stages of the Power Query M code? 
    • No, this may require edit rights 
    • This has to be viewed in PBIX and requires access to underlying data source

 

These responds are based on testing and experience, but may not be 100% accurate as PBI changes all the time, exceptions exist, new tools appears, and new mode like direct lake provides a different set of management tools. Also, i could be wrong too..

If you see anything that may be outdated, incorrect or something that needs confirmation/context, let me know and we can try to update information.



Message 2 of 5
1,070 Views

Helpful resources

Announcements
August Power BI Update Carousel

Power BI Monthly Update - August 2025

Check out the August 2025 Power BI update to learn about new features.

August 2025 community update carousel

Fabric Community Update - August 2025

Find out what's new and trending in the Fabric community.

View All