Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Enhance your career with this limited time 50% discount on Fabric and Power BI exams. Ends September 15. Request your voucher.

Reply
Anonymous
Not applicable

How to control row level security of semantic model for POWER BI desktop developers?

‎08-07-2024 12:02 AM

Dear experts:

I'm a Admin role in a workspace. I published a semantic model(called [ModelA] below) in powerbi service as below image1, [ModelA] has two tables:[Security] and [Company], I set a role named [Developer], and use Security[DeveloperEmail] = USERPRINCIPALNAME() to control the row level access. And I have 3 rows in [Security] table as below image2.

I know that if set user A1 as a viewer of this [ModelA] in powerbi service, user A1 can only view the records whose [CompanyID] = A in [Company] table. 

But what I want to realize is that: if user A1 is a powerbi desktop developer, when this user A1 get data via "Power BI Samentic models" from [ModelA], he should only get those records whose [CompanyID] = A in [Company] table. 

Below is what I tried, but failed:

1. grant "build" access of [ModelA] to user A1

2. ask user A1 to get data via "Power BI Samentic models" from [ModelA]

3. ask user A1 to create a table visualization in powerbi desktop to check the data in table [Company], he can see all records in table [Company].

 

Does someone knows that how to make user A1 only get those records whose [CompanyID] = A in [Company] table when he get data from [ModelA] in powerbi desktop?

 

Image1 :

PSPX_a_LIPINYI_0-1723012677476.png

Image2, just input some dummy data for column [DeveloperEmail]:

PSPX_a_LIPINYI_1-1723012917898.png

 

 

Labels:
Message 1 of 4
824 Views
0
2 ACCEPTED SOLUTIONS
ibarrau
Super User
Super User

‎08-07-2024 07:02 AM

Hi. I'm pretty sure you can't do that with pro licenses at a shared capacity. The docs says: "only Import and DirectQuery connections are supported." If you get data from a Semantic Model at service, that will be a live connection. The only way I have seen this working in the past was using Azure Analysis Services. Maybe using a dedicated capacity might be a possibility if some properties are modified with Tabular Editor, but really not sure.

More info: https://learn.microsoft.com/en-us/fabric/security/service-admin-row-level-security#considerations-an...

I hope that helps


If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.

Happy to help!

LaDataWeb Blog

View solution in original post

Message 2 of 4
786 Views
ibarrau
Super User
Super User
In response to Anonymous

‎08-08-2024 05:34 AM

I have only seen this working with Azure Analysis Services. I'm not sure about PowerBi only. Maybe moving the data to a warehouse with all the modeling resolved. Then just let users see specific tables of the warehouse. That's a different self service approach, but it might let you keep developers only seing what they should.

Regarding dedicated capacity maybe there is something there if you create perspectives with tabular editor, but I'm not sure, that would be my last shot.

I hope that make sense. I would build it on the data warehouse


If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.

Happy to help!

LaDataWeb Blog

View solution in original post

Message 4 of 4
761 Views
3 REPLIES 3
ibarrau
Super User
Super User

‎08-07-2024 07:02 AM

Hi. I'm pretty sure you can't do that with pro licenses at a shared capacity. The docs says: "only Import and DirectQuery connections are supported." If you get data from a Semantic Model at service, that will be a live connection. The only way I have seen this working in the past was using Azure Analysis Services. Maybe using a dedicated capacity might be a possibility if some properties are modified with Tabular Editor, but really not sure.

More info: https://learn.microsoft.com/en-us/fabric/security/service-admin-row-level-security#considerations-an...

I hope that helps


If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.

Happy to help!

LaDataWeb Blog

Message 2 of 4
787 Views
Anonymous
Not applicable
In response to ibarrau

‎08-07-2024 07:34 PM

Thanks for your reply.  Do you know any workaround for this case? The key point is restricting data scope of different power bi desktop developers. Is it possible to use power query and set binding parameters to realize it? 

Message 3 of 4
772 Views
0
ibarrau
Super User
Super User
In response to Anonymous

‎08-08-2024 05:34 AM

I have only seen this working with Azure Analysis Services. I'm not sure about PowerBi only. Maybe moving the data to a warehouse with all the modeling resolved. Then just let users see specific tables of the warehouse. That's a different self service approach, but it might let you keep developers only seing what they should.

Regarding dedicated capacity maybe there is something there if you create perspectives with tabular editor, but I'm not sure, that would be my last shot.

I hope that make sense. I would build it on the data warehouse


If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.

Happy to help!

LaDataWeb Blog

Message 4 of 4
762 Views

Helpful resources

Announcements
August Power BI Update Carousel

Power BI Monthly Update - August 2025

Check out the August 2025 Power BI update to learn about new features.

August 2025 community update carousel

Fabric Community Update - August 2025

Find out what's new and trending in the Fabric community.

View All
Top Solution Authors
View All
Top Kudoed Authors
View All