Solved: Power BI Service RLS/OLS to semantic model

Heinrich

Hello
I would like to give the user specific data on the semantic model.
There are RLS/OLS which can be used.

How can I give only access to specific data within the semantic model?

Regards
Heinrich

nilendraFabric

To provide access to specific data within a Power BI semantic model, you can use Row-Level Security (RLS) and Object-Level Security (OLS).

How to Implement RLS
1. Define Roles in Power BI Desktop:
• Open your dataset in Power BI Desktop.
• Navigate to the Modeling tab and select Manage Roles.
• Create roles and define DAX filters for row-level restrictions. For example:

[Region] = LOOKUPVALUE(SecurityTable[Region], SecurityTable[UserEmail], USERPRINCIPALNAME())

Test Roles:
• Use the View As Roles feature in Power BI Desktop to simulate how data will appear for users assigned to specific roles.
3. Publish and Assign Users:
• Publish the dataset to the Power BI Service.
• In the Power BI Service, go to the dataset’s Security settings and assign users or groups to the roles you created.

Points to consider:

RLS applies only to users with Viewer permissions in a workspace; it does not apply to Admins, Members, or Contributors.
• For live connections (e.g., Azure Analysis Services), RLS must be configured directly in the source model, not in Power BI

How to Implement OLS
1. Use External Tools (e.g., Tabular Editor):
• Open your Power BI model in an external tool like Tabular Editor.
• Define OLS rules by setting table or column permissions (`None` or `Read`) for specific roles.
• None: The table/column will be hidden from the role.
• Read: The table/column will be visible.
2. Publish the Model:
• Save your changes and publish the model back to Power BI Service.
• Assign users or groups to roles with OLS definitions via the dataset’s Security settings in Power BI Service.
3. Test OLS:
• Ensure that unauthorized users cannot view restricted tables/columns by testing their experience in reports.

Key Considerations for OLS
• OLS is not natively supported in Power BI Desktop; it requires external tools like Tabular Editor or XMLA endpoints.
• Users without access will not see restricted objects—they will appear as if they don’t exist

Combining RLS and OLS
You can combine RLS and OLS for layered security:
• Use RLS to filter rows of data dynamically based on user attributes.
• Apply OLS to hide sensitive tables or columns entirely from unauthorized users.

Hope this helps

thanks

View solution in original post

Idrissshatila

Hello @Heinrich ,

here's a video to help acheive row level security
https://youtu.be/r5XCpeQxXl4?si=MAHjR8gZIooCtJKY

Did I answer your question? Mark my post as a solution! Appreciate your Kudos

Follow me on LinkedIn

Vote for my Community Mobile App Idea

Proud to be a Super User!

Heinrich

Hello @Idrissshatila
Thank you very much for your support.
Have a great day
Heinrich

nilendraFabric

Hello @Heinrich

To provide access to specific data within a Power BI semantic model, you can use Row-Level Security (RLS) and Object-Level Security (OLS).

How to Implement RLS
1. Define Roles in Power BI Desktop:
• Open your dataset in Power BI Desktop.
• Navigate to the Modeling tab and select Manage Roles.
• Create roles and define DAX filters for row-level restrictions. For example:

[Region] = LOOKUPVALUE(SecurityTable[Region], SecurityTable[UserEmail], USERPRINCIPALNAME())

Test Roles:
• Use the View As Roles feature in Power BI Desktop to simulate how data will appear for users assigned to specific roles.
3. Publish and Assign Users:
• Publish the dataset to the Power BI Service.
• In the Power BI Service, go to the dataset’s Security settings and assign users or groups to the roles you created.

Points to consider:

RLS applies only to users with Viewer permissions in a workspace; it does not apply to Admins, Members, or Contributors.
• For live connections (e.g., Azure Analysis Services), RLS must be configured directly in the source model, not in Power BI

How to Implement OLS
1. Use External Tools (e.g., Tabular Editor):
• Open your Power BI model in an external tool like Tabular Editor.
• Define OLS rules by setting table or column permissions (`None` or `Read`) for specific roles.
• None: The table/column will be hidden from the role.
• Read: The table/column will be visible.
2. Publish the Model:
• Save your changes and publish the model back to Power BI Service.
• Assign users or groups to roles with OLS definitions via the dataset’s Security settings in Power BI Service.
3. Test OLS:
• Ensure that unauthorized users cannot view restricted tables/columns by testing their experience in reports.

Key Considerations for OLS
• OLS is not natively supported in Power BI Desktop; it requires external tools like Tabular Editor or XMLA endpoints.
• Users without access will not see restricted objects—they will appear as if they don’t exist

Combining RLS and OLS
You can combine RLS and OLS for layered security:
• Use RLS to filter rows of data dynamically based on user attributes.
• Apply OLS to hide sensitive tables or columns entirely from unauthorized users.

Hope this helps

thanks

Heinrich

Hello @nilendraFabric
Thanks for your detailed answer.
I will have a look.
Have a great day
Heinrich

Power BI Service RLS/OLS to semantic model

Helpful resources

Join us at the Microsoft Fabric Community Conference

Power BI Monthly Update - January 2025

Fabric Community Update - January 2025

New Offer! Become a Certified Fabric Data Engineer

Power BI Service RLS/OLS to semantic model

Helpful resources

Join us at the Microsoft Fabric Community Conference

Power BI Monthly Update - January 2025

Fabric Community Update - January 2025