julsr
Responsive Resident

How to use credential for DirectQuery chaining without giving end-users access to upstream data?

Hi everyone,

I'm trying to implement a secure chained dataset architecture in Power BI (Premium Per User) and running into a limitation I can't seem to solve. Here's the scenario:

Architecture

  • Upstream dataset: Published in Workspace A (Premium Per User). Contains the full/raw data (many columns, sensitive structure).
  • Downstream dataset: Published in Workspace B (Premium Per User). Connects to the upstream dataset via DirectQuery. Applies transformations: removes sensitive columns, renames fields, adds business measures, etc. Goal: End-users should only see the curated/cleaned version from the downstream model.

Security goal

I want regular business users to:

  • Have access to reports/dashboards built on the downstream model
  • Not have any permission (Viewer, Read, Build, etc.) on the upstream dataset or Workspace A

Current limitation

When using DirectQuery chaining:

  • The end-user's credentials are used to query the upstream dataset
  • This means users need at least Build (or Read) permission on the upstream dataset for DirectQuery to work
  • If I give them Build/Read on upstream: they can connect directly to the upstream dataset (bypassing downstream) and see all original columns/tables (including the ones I intentionally hid/renamed in downstream)

Question

Is there any way to:

  • Use a Service Principal (or any fixed identity) for DirectQuery queries from downstream to upstream?
  • Allow downstream to return data to end-users who have zero permissions on the upstream dataset?
  • Or any other secure pattern that lets me hide upstream columns while keeping DirectQuery / live data?

Thanks in advance for any ideas, links to documentation, or alternative architectures!

1 ACCEPTED SOLUTION
v-veshwara-msft
Community Support

Hi @julsr ,
Thanks for reaching out to Microsoft Fabric Community.

The behavior you are seeing is expected.

With DirectQuery chaining in Power BI, queries from a downstream semantic model are always executed using the identity of the report viewer. Because of this, every user consuming the downstream model must have at least Read permission on the upstream dataset.

Reference: Use composite models in Power BI Desktop - Power BI | Microsoft Learn

It is not possible to use a service principal, managed identity, or fixed credential for DirectQuery queries between semantic models, and a downstream model cannot return data to users who have no permissions on the upstream model. Chained semantic models are not designed to act as a security boundary or proxy.

Additionally, hiding or renaming columns in the downstream model does not secure them in this architecture, since users with permission on the upstream dataset can still access it directly.

Reference: Working with a composite model based on a semantic model 

To securely limit column visibility while keeping data live, security must be enforced below the semantic model layer, such as at the data source itself (for example using database level row or column level security), or by materializing a curated data layer and exposing only that curated data through a single semantic model. Chained semantic models are not designed to propagate security rules.
Reference: Working with a composite model based on a semantic model 

Hope this helps. Please reach out for further assistance.
Thank you.
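
The data-source-level enforcement described in the accepted answer, sketched as an added example (not from the thread or from Microsoft's documentation). It assumes the source is SQL Server or Azure SQL; the schema, table, column, role and user names (`src`, `curated`, `src.Sales`, `bi_curated_reader`, `curated_probe`) are hypothetical.

```sql
-- Added example: T-SQL for SQL Server / Azure SQL (assumed source system).
-- All object names are hypothetical. GO is the sqlcmd/SSMS batch separator.

-- 1. Raw data lives in its own schema; business users get no grant on it.
CREATE SCHEMA src AUTHORIZATION dbo;
GO
CREATE SCHEMA curated AUTHORIZATION dbo;
GO
CREATE TABLE src.Sales (
    OrderId        int            NOT NULL PRIMARY KEY,
    Region         nvarchar(50)   NOT NULL,
    Amount         decimal(18, 2) NOT NULL,
    CustomerEmail  nvarchar(256)  NOT NULL,  -- sensitive
    InternalCost   decimal(18, 2) NOT NULL   -- sensitive
);
GO

-- 2. Curated layer: only the columns the reporting model may expose.
--    Both schemas share an owner (dbo), so ownership chaining lets the view
--    read src.Sales without the caller holding any permission on the table.
CREATE VIEW curated.SalesForReporting
AS
SELECT OrderId, Region, Amount AS SalesAmount
FROM src.Sales;
GO

-- 3. The identity Power BI connects with is granted the curated schema only.
CREATE ROLE bi_curated_reader;
GRANT SELECT ON SCHEMA::curated TO bi_curated_reader;
GO

-- Alternative to the view: a column-level grant on the base table itself.
-- GRANT SELECT ON OBJECT::src.Sales (OrderId, Region, Amount) TO bi_curated_reader;

-- 4. Verify the boundary by impersonating a member of the role.
CREATE USER curated_probe WITHOUT LOGIN;
ALTER ROLE bi_curated_reader ADD MEMBER curated_probe;
GO
EXECUTE AS USER = 'curated_probe';
SELECT TOP (1) OrderId, Region, SalesAmount FROM curated.SalesForReporting;
BEGIN TRY
    SELECT TOP (1) CustomerEmail FROM src.Sales;  -- direct read of a sensitive column
END TRY
BEGIN CATCH
    PRINT ERROR_MESSAGE();  -- reports the database's response to that read
END CATCH;
REVERT;
```

A single semantic model built on `curated.SalesForReporting` then has no path to the sensitive columns, because the database identity it connects with cannot read them.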

3 REPLIES 3
Hi @julsr ,

Just wanted to check if the response provided was helpful. If further assistance is needed, please reach out.


Thank you.

Hi! Yes, it did, thank you! The solution was to convert my chained semantic model into an isolated one. Instead of having one model pulling from the database into Power BI, I now have two separate pulls. This way, we ensure better data protection and availability.
