To implement Object-Level Security (OLS) in Power BI, define security roles directly in Power BI, and then use Tabular Editor to manage access to the tables and columns by applying the appropriate filters and permissions.
Example (Scenario):
Let's assume the Power BI data model is structured as shown below.
The relationships are as per below:
Net Revenue = SUM(fact_Sales_Orders[Revenue])
Quantity Sold = SUM(fact_Sales_Orders[Quantity_Sold])
Stock Value = SUM(fact_Inventory[Stock_Valuation])
1. Hide or restrict the [Stock Value] measure to use by users in the Report.
2. Mask the [Net Revenue] measure value as "OLS_Restricted"
We can achieve this scenario by implementing the Object Leve Security (OLS) to measures as explained in below process.
We cannot directly implement the OLS on the Measures. However, we can achieve this using a dummy table object and some flags as explained below.
Step1: Create a Temporary OLS Table:
We will create a temporary table to implement OLS for measures. This table can be hidden.
We will create a temporary table to implement OLS for measures. This table can be hidden.
OLS_Security_Enabler = FILTER({0,1}, TRUE())
We will define a Security Role as "OLS_Model_Objects" on the OLS_Security_Enabler table as shown below:
OLS_Security_Enabler[Value] == 1
Step3: Define the required Flag Measures:
We need to create a flag measure as OLS_Flag with below logic will always return value as 1.
This flag will be used in the measures for which we want to apply OLS to Hide or restrict them for users in the Report:
We need to create a flag measure as Is_OLS_Applied with below logic will return value as 1, when the OLS Security is applied in the Report. Otherwise, it returns values as 0.
This flag will be used in the measures for which we want to apply OLS to mask (not hide) their values with custom value as "OLS_Restricted"
Step4: Apply the OLS Flag Logics to Measures:
As per the requirement, to restrict or hide [Stock Value] measure, we use the OLS_Flag in the measure definition as per below.
Next select the column [Value] from table OLS_Security_Enabler then go to Object Level Security property under Section of [Translations, Perspectives, Security].
Next set the OLS_Model_Objects security value as "None".
Note:
In this case, we set the Object level security, either to the table OLS_Security_Enabler or to the column [Value].
Since this table is having only 1 Column, entire table will be hidden when column is hidden.
Result: After OLS
The [Stock Value] measure is restricted and hidden, hence the dependent visuals are broken.
The [Net Revenue] measure value is only masked with the value as "OLS_Restricted", hence the dependent visuals are not affected.
For a detailed understanding on how Object Level Security works for Tables and Columns, please refer the below article from this Blog:
This flag will be used in the measures for which we want to apply OLS to Hide or restrict them for users in the Report:
OLS_Flag = (COUNTROWS(VALUES(OLS_Security_Enabler[Value]))<=2)*1
This flag will be used in the measures for which we want to apply OLS to mask (not hide) their values with custom value as "OLS_Restricted"
Is_OLS_Applied = (COUNTROWS(OLS_Security_Enabler) = 1)*1
As per the requirement, to restrict or hide [Stock Value] measure, we use the OLS_Flag in the measure definition as per below.
Stock Value =
VAR _Stock_Val = SUM(fact_Inventory[Stock_Valuation])
VAR _OLS_Enabled = [OLS_Flag]
VAR _No_Blank = (NOT ISBLANK(_Stock_Val))*1
RETURN
IF( _OLS_Enabled=1, _Stock_Val)
To Mask (not hide) the [Net Revenue] measure value, we use the Is_OLS_Applied flag in the measure definition as per below.
Net Revenue =
VAR _Revenue = SUM(fact_Sales_Orders[Revenue])
VAR _OLS_Enabled = [Is_OLS_Applied]
VAR _No_Blank = (NOT ISBLANK(_Revenue))*1
RETURN
IF( AND(_OLS_Enabled=1,_No_Blank=1), "OLS_Restricted", _Revenue)
Step5: Implement OLS for the table Column: OLS_Security_Enabler[Value]:
First Open the Power BI Data Model with Tabular Editor tool to manage the OLS permissions.Next select the column [Value] from table OLS_Security_Enabler then go to Object Level Security property under Section of [Translations, Perspectives, Security].
Next set the OLS_Model_Objects security value as "None".
Note:
In this case, we set the Object level security, either to the table OLS_Security_Enabler or to the column [Value].
Since this table is having only 1 Column, entire table will be hidden when column is hidden.
Final Step: Test the Role:
Now we can test the role and see the results before and after OLS as per below.Result: Before OLS
Result: After OLS
The [Net Revenue] measure value is only masked with the value as "OLS_Restricted", hence the dependent visuals are not affected.
https://excelkingdom.blogspot.com/2025/03/how-to-implement-object-level-security.html
--------------------------------------------------------------------------------------------------------
Thanks, TAMATAM ; Business Intelligence & Analytics Professional
--------------------------------------------------------------------------------------------------------
No comments:
Post a Comment
Hi User, Thank You for visiting My Blog. If you wish, please share your genuine Feedback or comments only related to this Blog Posts. It is my humble request that, please do not post any Spam comments or Advertising kind of comments, which will be Ignored.