Restrict access to Power BI model objects
As a data modeler, you can consider restricting user access to Power BI model objects. Object-level security (OLS) can restrict access to specific tables and columns, and their metadata. Typically, you apply OLS to secure objects that store sensitive data, like employee personal data.
Consider an example at Tailspin Traders. This organization has a data warehouse dimension table named DimEmployee. The table includes columns that store employee name, phone, email address, and salary. While general report consumers can see employee name and contact details, they must not be able to see salary values. Only senior Human Resources staff are permitted to see salary values. So, the data modeler used OLS to grant access to the salary column only to specific Human Resources staff.
Set up OLS
To set up OLS, you start by creating roles. You can create roles in Power BI Desktop in the same way you do when setting up RLS. Next, you need to add OLS rules to the roles. This capability isn’t supported by Power BI Desktop, so you’ll need to take a different approach, for example by using the TMDL view for Power BI Desktop (currently in preview). This feature lets you script, modify, and apply changes using Tabular Model Definition Language (TMDL), providing an alternative experience to semantic modeling using code, instead of a graphical user interface such as Model view.
To turn on this public preview feature, go to File > Options and settings > Options > Preview features and check the box next to TMDL View.
Once the preview feature is enabled, the TMDL view tab will appear on the left side of the Power BI Desktop window:
When first opening TMDL view, the code editor will be empty, you can script any semantic model object such as table, measure, column or role by selecting the objects from the Data pane (you can find the Role in the Model view) and dragging them into the code editor.
By default, all model tables and columns aren’t restricted. You can set them to None or Read. When set to None, users associated with the role can’t access the object. When set to Read, users associated with the role can access the object. When you’re restricting specific columns, ensure the table isn’t set to None.
createOrReplace
role 'All Employees (no HR)'
tablePermission Employee
columnPermission Salary = none
When you’re ready, you can select the Apply button to execute the TMDL script against the semantic model and have your TMDL code changes applied in a single step.
Once you’ve added the OLS rules, you can publish the model to the Power BI service. Use the same process for RLS to map accounts and security groups to the roles.
Considerations
In a Power BI report, when a user doesn’t have permission to access a table or column, they'll receive an error message. The message will inform them that the object doesn’t exist.
Consider carefully whether OLS is the right solution for your project. When a user opens a Power BI report that queries a restricted object (for them), the error message could be confusing and will result in a negative experience. To them, it looks like the report is broken. A better approach might be to create a separate set of models or reports for the different report consumer requirements.
Restrictions
There are restrictions to be aware of when implementing OLS.
Row-level security and object-level security cannot be combined from different roles because it could introduce unintended access to secured data. Also, you can’t set table-level security if it breaks a relationship chain. For example, if there are relationships between tables A and B, and B and C, you can't secure table B. If table B is secured, a query on table A can't transit the relationships between table A and B, and B and C. In this case, you could set up a separate relationship between tables A and C.
However, model relationships that reference a secured column will work, providing that the column’s table isn’t secured.
Lastly, while it isn’t possible to secure measures, a measure that references secured objects is automatically restricted.