What is Object Level Security and what does it do
Simply put, OLS in Power BI allows model authors to protect specific columns or tables from report viewers. It basically helps maintain privacy. Let’s consider an example where a table or a column contains some private information. In this case, the table or the column can be restricted so that only certain viewers have a view of it and can interact with it. Additionally, restricting object names and metadata is also possible.
The object-level security is an additional layer of security. It is added to prevent inappropriate users from accessing business-critical or sensitive personal data. Also, the secure tables or columns are not visible to users who do not have appropriate access to them.
In short words, object-level security secures and hides sensitive and personal data from being discovered.
How to set up Object Level Security
There are certain steps that one needs to follow for setting up object-level security. You can’t specify OLS directly from Power BI Desktop, instead, you’ll need an external tool called Tabular Editor. The steps for configuring object-level security are discussed below.
Step 1: In the Power BI Desktop, create a model that contains all of your OLS rules. Further, follow the steps listed below to define the security roles.
1.1 Either configure a DirectQuery connection or prefer importing the data into your Power BI desktop report.
1.2 Now, select Manage Roles from the Modeling tab.
1.3 Now, select Create from the Manage Roles window.
1.4 Under roles, provide a name for the role created.
1.5 Select the table on which you wish to apply the DAX rule under the Tables section.
1.6 In the Table filter DAX expression box, enter the DAX expression.
1.7 To validate the DAX expression that you created, select the checkmark above the expression.
1.8 Now select Save, and you are all done.
Step 2: Select the Tabular Editor on the External Tools ribbon. In case the Tabular Editor button is not visible, prefer installing the “program.” The Tabular Editor will automatically connect to your model once the “program” is installed and opened.
Step 3: Click on the Model view now. You will then find a drop-down menu under “Roles.” Select that, and all the roles created in the previous step will appear over there.
Step 4: Select the role for which you want to enable the object-level security definition. Further, expand the Table permissions.
Step 5: Select either “None” or “Read” permission for the column or the table.
- None: By selecting “None,” the OLS will be enforced. Also, the column or the table will be hidden from that role.
- Read: By selecting “Read,” the column or the table will be visible to that role.
Step 6: You need to save your changes after defining the OLS roles.
Step 7: Publish your dataset to the Power BI Service from the Power BI Desktop.
Step 8: Navigate to the Security page in the Power BI Service. Assign members or groups to their appropriate roles.
Step 9: Do not forget to hit the Save button.
On completing these nine steps, the OLS rules will be defined. A notification that “field can’t be found” will appear to the users without appropriate permissions.
Difference between Row Level Security (RLS) & Object Level Security (OLS)
Basis | Row-level Security | Object-level Security |
Definition | Row-level security (RLS) is used to restrict data access at the row level for given users. | Object level security (OLS) is used to restrict data access for sensitive tables or columns from report viewers. |
License | Available in all licenses | Available in Pro & Premium (paid) Licenses |
Available Since | Since starting (2015) | Feb 2021 |
How it works | With RLS, the Metadata of the objects can be viewed. | With OLS, the Metadata of the objects cannot be viewed. It feels like totally deleted. |
Pre-requisites | RLS can be configured from Power BI Desktop itself. | OLS can only be configured with the help of the external tool, Tabular Editor (licensed software). |
Direction of Security | The direction of the rule applied is horizontal. | The direction of the rule applied is vertical. |
Limitation | In the Power BI service, members of a workspace have access to datasets in the workspace. RLS doesn’t restrict this data access. | It only applies to “Viewers” in the workplace and does not apply to members assigned as Admin, Member, or Contributors, as they have edit permissions for the dataset. |
Dynamic | RLS is static & Dynamic. | Microsoft has no Dynamic OLS, it’s only static. |
This was all about OLS. We hope you enjoyed reading this blog. Your thoughts are welcome in the comments section.