Power BI Model Security Demystified: Ensuring Confidentiality

 Access restriction for analytics reports is critical for maintaining the security, accuracy, and utility of data.. Access restriction for analytics reports is crucial for safeguarding data security, ensuring compliance, enhancing data governance, and supporting informed decision-making. Without it, organizations risk exposing sensitive data, violating regulations, and making poor decisions due to data inaccuracies or misuse.

In Power BI, reports are stored in workspaces. When you create a workspace, only you can access it at first. You can control who else can access your workspace by clicking the  Manage access  button in the workspace view.  

There are four types of roles in a workspace:  

• Viewer : Can only look at and read the reports.  
• Contributor : Can add reports to the workspace, as well as copy, edit, delete, and update dashboards.  
• Member : Can add Contributors and Viewers and manage permissions for datasets in the workspace.  
• Admin : Can add or remove people and change or delete the workspace.  

There are two main ways to do this:

1.  Row-Level Security (RLS) : Limits data access to specific rows based on rules, ensuring users only see data relevant to them. For example, salespeople can only view data for their region. This makes it possible to use a single report for different audiences.

2.  Object-Level Security (OLS) : Blocks access to entire tables or columns, hiding them from certain users.

Data modelers can set up roles for individuals or groups to control the data shown in a report. RLS works only for users with  Viewer  permissions in Power BI; it does not apply to Admins, Members, or Contributors in a workspace. 

Key points:

• By default, a data model has no roles. 
• A data model without roles means that users (who have permission to query the data model) have access to all model data.
• It's possible to define a role that includes no rules. In this case, the role provides access to all rows of all model tables. This role set up would be suitable for an admin user who is allowed to view all data.
• We can create, validate, and manage roles in Power BI Desktop.
• It’s common to set up Power BI to enforce rules that filter dimension tables, allowing model relationships to efficiently propagate those filters to fact tables.
• Rule expressions are evaluated within row context. Row context means the expression is evaluated for each row using the column values of that row.
• RLS only restricts data access for users with Viewer permissions. It doesn't apply to Admins, Members, or Contributors.
• We can configure RLS for data models imported into Power BI with Power BI.
• Service principals can't be added to an RLS role. Accordingly, RLS isn't applied for apps using a service principal as the final effective identity.
• Only Import and DirectQuery connections are supported. Live connections to Analysis Services are handled in the on-premises model.

Object-level security (OLS):

It refers to the ability to restrict access to specific objects—like tables, columns, or measures—within a dataset based on the user's roles and permissions. It allows different users to see different subsets of data objects (like columns or tables) in the same dataset. This helps ensure that sensitive or irrelevant data objects are hidden based on the user's profile or responsibilities.