Hello everyone,
I have a conceptual question regarding the security and permission model in Power BI Service and would like to validate whether my current architecture follows best practices.
My general goal is to apply a least-privilege security model where every user has only the minimum required permissions, but is still able to view the reports intended for them, see all data they are authorized to see, and export data to Excel, without creating any security gaps.
Current setup
I have the following workspace structure.
Workspace 1: “Semantic Models”
Contains the central dataset.
Access: only me (Admin / Owner)
Workspace 2: “Sales C-Level”
Contains report “Sales C-Level” with 10 pages.
Access granted via Grant Access to 5 users (C-Level)
Workspace 3: “Sales”
Contains report “Sales” with 8 visible pages.
2 pages are hidden.
Access granted via Grant Access to approximately 30 users (Viewer role).
Both reports use the same shared semantic model (dataset) from the first workspace.
Row Level Security (RLS)
In the dataset I defined one RLS role.
Role name: Europe
Filter: D_Country[Region] = "Europe"
Assigned users: 3 users
All other users should have no data restriction and should see all regions.
Additional requirements
All users must be able to export data to Excel (Export data from visuals and Analyze in Excel).
It must not be possible to bypass permissions unintentionally.
The goal is a highly restrictive permission model where each user only has minimal rights, but can fully view their report, is correctly restricted by RLS, and can export the data they are authorized to see.
Observed problem
In practice, I repeatedly experience that some users see no data or unexpected data, filters behave incorrectly, and reports behave differently depending on workspace and user.
Overall, the behavior does not feel reliably reproducible.
My questions
Architecture and best practice
Is this architecture generally considered best practice?
Separate dataset workspace
Multiple report workspaces
Shared dataset across workspaces
Permission model
How should permissions be set correctly in this scenario?
Is it sufficient to grant users access only on the report or workspace level?
Or do users additionally need explicit permissions on the dataset (Manage permissions or Grant access on the dataset)?
RLS design
Is it sufficient to define only one RLS role called Europe?
Or should I also create a second role like All without any filter?
Do users without any RLS role automatically see all data or must they be explicitly assigned?
Link sharing and forwarding
Is it possible that User A forwards a report link to User B and thereby bypasses permissions?
Or does Power BI always strictly validate permissions on report and dataset level when opening a link?
Export to Excel
Which permissions are required so that all users can export data to Excel?
Are there any special considerations in combination with shared datasets, Viewer permissions and RLS?
Known pitfalls
Are there any known best practices or common pitfalls with shared datasets, multiple workspaces, and the combination of Viewer role, RLS, export and link sharing?
Thank you very much for your help and guidance on best practices.
