| title | description | author | ms.author | ms.reviewer | ms.topic | ms.date |
|---|---|---|---|---|---|---|
Object-level security (OLS) with Power BI |
How to configure object-level security for imported semantic models, within the Power BI service. |
mberdugo |
monaberdugo |
how-to |
04/24/2024 |
Object-level security (OLS) enables model authors to secure specific tables or columns from report viewers. For example, a column that includes personal data can be restricted so that only certain viewers can see and interact with it. In addition, you can also restrict object names and metadata. This added layer of security prevents users without the appropriate access levels from discovering business critical or sensitive personal information like employee or financial records. For viewers that don’t have the required permission, it's as if the secured tables or columns don't exist.
Like row-level security (RLS), OLS is also defined within model roles. Currently, you can't create OLS definitions natively in Power BI Desktop. To create roles on Power BI Desktop semantic models, use external tools such as Tabular Editor.
-
In Power BI Desktop, create the model and roles that define your OLS rules.
-
On the External Tools ribbon, select Tabular Editor. If you don’t see the Tabular Editor button, install the program. When open, Tabular Editor automatically connects to your model.
:::image type="content" source="./media/service-admin-object-level-security/external-tools.png" alt-text="Screenshot of External tools Menu.":::
-
In the Model view, select the drop-down menu under Roles. The roles you created in step 1 appear.
:::image type="content" source="./media/service-admin-object-level-security/display-roles.png" alt-text="Screenshot of roles names being displayed under roles folder in model view.":::
-
Select the role you want to enable an OLS definition for, and expand the Table Permissions.
:::image type="content" source="./media/service-admin-object-level-security/open-permissions.png" alt-text="Screenshot showing where to access the table permissions for OLS.":::
-
Set the permissions for the table or column to None or Read.
None: OLS is enforced and the table or column is hidden from that role
Read: The table or column is visible to that roleSet categories under Table permissions to None.
:::image type="content" source="./media/service-admin-object-level-security/define-rule-table.png" alt-text="Screenshot of setting OLS rule to none for the entire table.":::
Select the category and set the Object Level Security to None.
:::image type="content" source="./media/service-admin-object-level-security/define-rule-column.png" alt-text="Screenshot of setting OLS rule to none for the address column." lightbox="./media/service-admin-object-level-security/define-rule-column.png":::
-
After you define object-level security for the roles, save your changes.
:::image type="content" source="./media/service-admin-object-level-security/save-roles.png" alt-text="Screenshot of saving role definitions.":::
-
In Power BI Desktop, publish your semantic model to the Power BI Service.
-
In the Power BI Service, navigate to the Security page by selecting the more options menu on the semantic model, and assign members or groups to their appropriate roles.
The OLS rules are now defined. Users without the required permission receive a message that the field can't be found for all report visuals using that field.
:::image type="content" source="./media/service-admin-object-level-security/error-message.png" alt-text="Screenshot of error message saying that column cannot be found or may not be used in this expression.":::
-
OLS only applies to Viewers in a workspace. Workspace members assigned Admin, Member, or Contributor have edit permission for the semantic model and, therefore, OLS doesn’t apply to them. Read more about roles in workspaces.
-
Semantic models with OLS configured for one or more table or column objects aren't supported with these Power BI features:
- Quick insights visualizations
- Smart narrative visualizations
- Excel Data Types gallery