Solved: Sharing via a Power BI app without seeing the sema...

vivien57 · ‎09-29-2025

Hello everyone,

Here's my scenario for which I can't find a solution.

I'm sharing a dashboard via a Power BI App. Users are authorized in the audience and have no access to the Workspace.

However, if they go to "OneLake Catalog," they see the list of underlying semantic models. I want to avoid this because when a user goes to this view, they can, for example, see the refresh time, if the dataset refresh is in error (with error details), etc.

This is because sharing via an Audience gives direct access to the underlying semantic model. When the permission type is "App" at the semantic model level, it's impossible to remove it.

Is there a way to share via a PowerBI App to business users without them being able to see the semantic models in the OneLake Catalog?

Thank you in advance for your help.

Have a nice day,

Vivien

AmiraBedh · ‎09-29-2025

Hello !

Thank you for posting on Microsoft Fabric community.

When you publish a Power BI app, the audience gets build and read permissions on the semantic model behind your reports and those permissions are what make the dataset visible in OneLake Data Hub / OneLake Catalog.

Currently, there is no extra toggle today to allow them to see the report but not expose the dataset in the catalog.

If you give access through the app only they still get semantic model permissions and that shows up in OneLake. You cannot remove those dataset permissions without breaking the app reports since the app reports must query the dataset.

You can put the semantic models in a seperate workspace where only dataset owners have access and build the reports in another workspace then publish then via the app.

Or in Fabric admin portal and under your tenant settings fo to discover datasets and datamarts and disable allow users to discover except for specific security groups. This doesn’t stop the app from granting access, but it limits the ability to search or discover other models in Data Hub.

Proud to be a Power BI Super User !

Microsoft Community : https://docs.microsoft.com/en-us/users/AmiraBedhiafi
Linkedin : https://www.linkedin.com/in/amira-bedhiafi/
StackOverflow : https://stackoverflow.com/users/9517769/amira-bedhiafi
C-Sharp Corner : https://www.c-sharpcorner.com/members/amira-bedhiafi
Power BI Community :https://community.powerbi.com/t5/user/viewprofilepage/user-id/332696

View solution in original post

tayloramy · ‎09-29-2025

Hi @vivien57,

When you publish a Power BI App, viewers in that app audience are granted at least Read permission on the underlying semantic models so the reports can query them. Items you have Read permission to are intentionally shown in the OneLake Catalog (Data hub). In other words, what you’re seeing is expected by design.

Microsoft’s docs call this out explicitly: "Read permission is always granted during sharing, so the recipient can discover the shared item in the OneLake catalog and open it." (Share items in Microsoft Fabric). The OneLake Catalog is meant to list any Fabric item you have access to, including a "Refreshed" column and details in the item panel (OneLake catalog overview, Find and explore data in the OneLake catalog).

You can’t hide a semantic model from OneLake Catalog if users need to read it via a Power BI App. That visibility comes with the necessary Read permission.
You can limit what they can do with the model (for example, prevent building new content) by disabling Build permission in the App audience and removing any direct Build grants (Build permission for shared semantic models).
If your requirement is "use the report but never see the dataset in the Microsoft Fabric UI," the practical pattern is Embed for your customers (App-owns-data). End users don’t sign into Power BI, don’t get dataset permissions, and therefore don’t see anything in OneLake Catalog (Embed for your customers, Usage scenario).

If you found this helpful, consider giving some Kudos. If I answered your question or solved your problem, mark this post as the solution.