Latest Posts

Understanding Object-Level Security (OLS)

Posted on by Zubair Shaik

Loading

Understanding Object-Level Security (OLS) in Power BI

Object-Level Security (OLS) in Power BI is a powerful feature that enables restriction of access to specific tables or columns in a dataset. Unlike Row-Level Security (RLS), which controls access to rows of data, OLS hides entire tables or columns from unauthorized users. This is particularly useful for protecting sensitive financial data, HR records, or confidential business metrics.

🔹 Why Use Object-Level Security (OLS)?

OLS helps in: ✔ Restricting access to entire tables or columns based on user roles.
Enhancing data security by hiding confidential fields like salary, cost, or sensitive customer details.
Ensuring compliance with privacy regulations (GDPR, HIPAA, etc.).
Improving user experience by simplifying reports and dashboards for different roles.

📌 Step 1: Understanding the Components of OLS

Object-Level Security in Power BI works at the data model level and is managed in Tabular Editor 2 or 3.
🔹 OLS can be applied to:

  • Tables: Hide entire tables for specific users.
  • Columns: Hide individual columns while allowing access to the rest of the table.

🔹 OLS works by creating security roles in Power BI without using DAX filters, unlike Row-Level Security (RLS).

🔹 OLS must be implemented in Power BI datasets published to Power BI Service (not in Power BI Desktop alone).

📌 Step 2: Setting Up OLS Using Tabular Editor

Power BI Desktop does not have a built-in OLS interface. Instead, we use Tabular Editor (an external tool) to apply OLS.

🔸 Installing Tabular Editor

1️⃣ Download Tabular Editor 2 (free) or Tabular Editor 3 (paid) from TabularEditor.com.
2️⃣ Install and open Power BI Desktop.
3️⃣ Click External Tools > Tabular Editor 2/3.

📌 Step 3: Creating Object-Level Security (OLS)

Follow these steps to apply OLS in Tabular Editor:

🔸 Creating a Security Role

1️⃣ Open Power BI Desktop and load your dataset.
2️⃣ Click External Tools > Tabular Editor.
3️⃣ In Tabular Editor, find the Roles folder (if it doesn’t exist, create it).
4️⃣ Right-click Roles > Click New Role.
5️⃣ Name the role (e.g., “Finance Team” or “HR Restricted”).

📌 Step 4: Applying Object-Level Security to Tables and Columns

🔸 Hiding an Entire Table

1️⃣ In Tabular Editor, find the Table you want to restrict.
2️⃣ Click on the table and go to Object-Level Security settings.
3️⃣ For the selected role, change Access from Read to None.
4️⃣ Save the changes (Ctrl + S).

Example: If you restrict access to the “FinanceData” table, users in this role won’t even see that the table exists in Power BI Service.

🔸 Hiding a Specific Column

1️⃣ Expand the table where the column is located.
2️⃣ Click on the column you want to hide.
3️⃣ In the Object-Level Security (OLS) settings, set Access to None for that role.
4️⃣ Save your changes.

Example: If the “Salary” column in the Employees table is hidden, users won’t see the column in reports or tables.

📌 Step 5: Saving and Applying OLS

1️⃣ Click File > Save in Tabular Editor.
2️⃣ Close Tabular Editor and return to Power BI Desktop.
3️⃣ Click Modeling > Manage Roles to verify the roles.

📌 Step 6: Publishing to Power BI Service

Once OLS is configured: 1️⃣ Click Publish in Power BI Desktop.
2️⃣ Select your Power BI workspace and upload the dataset.
3️⃣ Open Power BI Service (app.powerbi.com).
4️⃣ Go to Datasets > Security.
5️⃣ Assign users to the roles you created in Tabular Editor.
6️⃣ Test the report by viewing as a restricted user.

📌 Step 7: Testing OLS in Power BI Service

1️⃣ Go to Power BI Service and open the dataset.
2️⃣ Click Manage Permissions.
3️⃣ Click Test as Role and enter a user’s email.
4️⃣ Check if the restricted tables/columns are hidden.

Expected Result:

  • Users without access won’t see the hidden tables/columns.
  • Reports using restricted columns will show errors if they depend on missing data.

📌 Step 8: Combining OLS with Row-Level Security (RLS)

OLS hides entire tables/columns, while RLS restricts row-level data.
✔ You can use both OLS and RLS together for enhanced security.
✔ Example:

  • Finance Team sees all salary data (Full Access).
  • Managers see only salaries in their department (RLS Applied).
  • Employees cannot see the salary column at all (OLS Applied).

🔹 Best Practice: Always test security roles to avoid accidental data exposure.

📌 Best Practices for Implementing OLS

Plan Security Roles Early – Avoid complex role structures.
Use Tabular Editor for Efficient Management – Power BI Desktop does not support direct OLS setup.
Apply Least Privilege Access – Users should only access what they need.
Combine with RLS for Maximum Security – OLS + RLS ensures both column and row-level protection.
Test Different User Scenarios – Ensure no unwanted data is visible.

🔹 Final Thoughts

By implementing Object-Level Security (OLS), organizations can control access to sensitive data efficiently. Whether you’re working with finance, HR, or confidential business data, OLS ensures that only the right users see the right information.

Would you like help setting up OLS for your specific Power BI dataset?

Leave a Reply

Your email address will not be published. Required fields are marked *