Solved: Power BI Service RLS/OLS to semantic model

Heinrich · ‎01-23-2025

Hello
I would like to give the user specific data on the semantic model.
There are RLS/OLS which can be used.

How can I give only access to specific data within the semantic model?

Regards
Heinrich

nilendraFabric · ‎01-23-2025

To provide access to specific data within a Power BI semantic model, you can use Row-Level Security (RLS) and Object-Level Security (OLS).

How to Implement RLS
1. Define Roles in Power BI Desktop:
• Open your dataset in Power BI Desktop.
• Navigate to the Modeling tab and select Manage Roles.
• Create roles and define DAX filters for row-level restrictions. For example:

[Region] = LOOKUPVALUE(SecurityTable[Region], SecurityTable[UserEmail], USERPRINCIPALNAME())

Test Roles:
• Use the View As Roles feature in Power BI Desktop to simulate how data will appear for users assigned to specific roles.
3. Publish and Assign Users:
• Publish the dataset to the Power BI Service.
• In the Power BI Service, go to the dataset’s Security settings and assign users or groups to the roles you created.

Points to consider:

RLS applies only to users with Viewer permissions in a workspace; it does not apply to Admins, Members, or Contributors.
• For live connections (e.g., Azure Analysis Services), RLS must be configured directly in the source model, not in Power BI

How to Implement OLS
1. Use External Tools (e.g., Tabular Editor):
• Open your Power BI model in an external tool like Tabular Editor.
• Define OLS rules by setting table or column permissions (`None` or `Read`) for specific roles.
• None: The table/column will be hidden from the role.
• Read: The table/column will be visible.
2. Publish the Model:
• Save your changes and publish the model back to Power BI Service.
• Assign users or groups to roles with OLS definitions via the dataset’s Security settings in Power BI Service.
3. Test OLS:
• Ensure that unauthorized users cannot view restricted tables/columns by testing their experience in reports.

Key Considerations for OLS
• OLS is not natively supported in Power BI Desktop; it requires external tools like Tabular Editor or XMLA endpoints.
• Users without access will not see restricted objects—they will appear as if they don’t exist

Combining RLS and OLS
You can combine RLS and OLS for layered security:
• Use RLS to filter rows of data dynamically based on user attributes.
• Apply OLS to hide sensitive tables or columns entirely from unauthorized users.

Hope this helps

thanks

View solution in original post

Idrissshatila · ‎01-23-2025

Hello @Heinrich ,

here's a video to help acheive row level security
https://youtu.be/r5XCpeQxXl4?si=MAHjR8gZIooCtJKY

Did I answer your question? Mark my post as a solution! Appreciate your Kudos

Follow me on LinkedIn

Vote for my Community Mobile App Idea

Proud to be a Super User!

Heinrich · ‎01-23-2025

Hello @Idrissshatila
Thank you very much for your support.
Have a great day
Heinrich

nilendraFabric · ‎01-23-2025

Hello @Heinrich

To provide access to specific data within a Power BI semantic model, you can use Row-Level Security (RLS) and Object-Level Security (OLS).

How to Implement RLS
1. Define Roles in Power BI Desktop:
• Open your dataset in Power BI Desktop.
• Navigate to the Modeling tab and select Manage Roles.
• Create roles and define DAX filters for row-level restrictions. For example:

[Region] = LOOKUPVALUE(SecurityTable[Region], SecurityTable[UserEmail], USERPRINCIPALNAME())

Test Roles:
• Use the View As Roles feature in Power BI Desktop to simulate how data will appear for users assigned to specific roles.
3. Publish and Assign Users:
• Publish the dataset to the Power BI Service.
• In the Power BI Service, go to the dataset’s Security settings and assign users or groups to the roles you created.

Points to consider:

RLS applies only to users with Viewer permissions in a workspace; it does not apply to Admins, Members, or Contributors.
• For live connections (e.g., Azure Analysis Services), RLS must be configured directly in the source model, not in Power BI

How to Implement OLS
1. Use External Tools (e.g., Tabular Editor):
• Open your Power BI model in an external tool like Tabular Editor.
• Define OLS rules by setting table or column permissions (`None` or `Read`) for specific roles.
• None: The table/column will be hidden from the role.
• Read: The table/column will be visible.
2. Publish the Model:
• Save your changes and publish the model back to Power BI Service.
• Assign users or groups to roles with OLS definitions via the dataset’s Security settings in Power BI Service.
3. Test OLS:
• Ensure that unauthorized users cannot view restricted tables/columns by testing their experience in reports.

Key Considerations for OLS
• OLS is not natively supported in Power BI Desktop; it requires external tools like Tabular Editor or XMLA endpoints.
• Users without access will not see restricted objects—they will appear as if they don’t exist

Combining RLS and OLS
You can combine RLS and OLS for layered security:
• Use RLS to filter rows of data dynamically based on user attributes.
• Apply OLS to hide sensitive tables or columns entirely from unauthorized users.

Hope this helps

thanks