Solved: Sharing semantic models through intermediary

DouweMeer · ‎11-27-2025

I'm trying to work together with some guy who uses my data from my semantic model, build a report of it by live connection and then share it with others. I did gave him reshare abilities, but now every person he shares the report with automatically gain access to "build" and "reshare" access as well. I only would like him to be able to reshare with right of "read".

Is that possible?

v-veshwara-msft · ‎12-07-2025

Hi @DouweMeer ,

Thanks for the follow up.
Assigning an AD group with read access may not prevent a user with reshare and build from granting additional permissions. If they choose to share and allow build, that direct permission might still apply alongside the group’s read access, since permissions are handled in an additive way.

If you want to ensure only read access is propagated, the reshare permission would need to be restricted.

Please reach out for further assistance.

Thank you.

View solution in original post

v-veshwara-msft · ‎11-30-2025

Hi @DouweMeer ,

Thanks for raising this.

The explanations provided from @ibarrau and @lbendlin cover the scenario accurately. Reshare inherently allows the recipient to pass on the same permissions, so restricting them to share only with read access is not supported. You would need to manage permissions directly or ensure the intermediary does not grant additional rights when sharing.

If you need further clarification on permission behaviours, feel free to reach out.

Thank you.

lbendlin · ‎11-27-2025

Never ever grant "reshare" to anyone.

"If you don't want users to access your data the best approach is to not have the data in the first place."

By retaining the "share" permissions to yourself you have at least some semblance of DLP control.

DouweMeer · ‎12-03-2025

It's not so much the issue that these people have access to the data as that the data is of concern, more that we wouldn't want this individuals try to extract it themselves. 1, they are not paid to do it themselves, 2, they are not expected to be capable knowing how to.

More a case of governance, making sure that who has build rights and can publish his report, knows what he's doing.

ibarrau · ‎11-27-2025

Hi. Well, if you grant the guy a reshare permission, then they can do whatever they want. I would suggest talking with the guy to make sure the person doesn't check the "reshare" and "build" setting with the users, because that's what the guy is doing, allowing reshare to the shared users. Otherwise you will be managing permission and changing that back every time.

I hope that helps,

If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.

Happy to help!

LaDataWeb Blog

DouweMeer · ‎12-03-2025

So it is the guy who has the reshare ability who's manually choosing to share it with these individuals and "approve" their build ability?

I do think I've "solved" my problem in the meantime by assigning an AD group read access to whoever this reshare guy might share it with. Or would his reshare overrule that due to the added rights?

v-veshwara-msft · ‎12-07-2025

Hi @DouweMeer ,

Thanks for the follow up.
Assigning an AD group with read access may not prevent a user with reshare and build from granting additional permissions. If they choose to share and allow build, that direct permission might still apply alongside the group’s read access, since permissions are handled in an additive way.

If you want to ensure only read access is propagated, the reshare permission would need to be restricted.

Please reach out for further assistance.

Thank you.