top of page
Search

Securing measures by role in Power BI

  • Arnav Badrish
  • 5 days ago
  • 2 min read

In Power BI, Row-level Security (RLS) is a mechanism designed to limit access to specific data within a Power BI model, depending on the user's role or authority level. As the name implies, it operates solely on the rows of a table, meaning it can only be used to filter table rows in Power BI.


Following our blog on Understanding the Causes and Remedies of Power BI Measure Explosion, this approach can be applied to further streamline measures in Power BI and enhance the user experience. It can also be utilized to protect sensitive measures within a single Power BI model, eliminating the need for multiple models to enforce security.


Nonetheless, we can employ the Tabular Editor to establish security at the object level (OLS) for this model using these roles. By doing so, we can reference this object in our measures, ensuring that if the table is not 'visible' to the users, the measure will also be hidden from them.


Here’s how you can achieve this:

  1. Create an empty calculated table, let's name it ‘SecurityTable’, and ensure it is hidden from all users. The script for this table looks like this: 

SecurityTable = FILTER({BLANK()}, FALSE)

  1. Then, open the Tabular Editor for this file, select the SecurityTable under Tables (ensure ‘Show/Hide hidden objects’ is enabled at the top), and disable object-level access to this table for the role from which you want to hide measures.


    Tabular Editor view for Object Level security

     

  2. For each measure you wish to hide, simply reference this table in some way. This can be as straightforward as including this table in a VAR statement. For example,

Reseller Value = 
VAR Check = ‘SecurityTable’ 
RETURN [Sales Amount] * 0.5.

This will not impact the query plan for the measure, and the measure will now effectively be invisible to any user with the Example Role.


And there you have it, the measure is now hidden for any user with the Example Role! This means that the measures we apply this change to will not be visible to the users in any way; not in the Data pane in the PBIX file, nor in any visuals where this measure is referenced. Essentially, this measure is non-existent for the affected users.


Reach out to us if you have any questions or need support with your implementation.



 
 
 

Comments

bottom of page