Data Security in Power BI – Users’ Roles and Permissions

In Power BI, we can store data encompassing an entire enterprise. It is possible to establish connections with many data sources with different structures, which, following transformations, can be imported into a uniform warehouse. Data contained in Power BI may have different levels of confidentiality, which is why it is not always advisable to give all platform users full access to the content it contains. Power BI allows you to control access to data displayed on reports according to their purpose by defining the roles of users.

Security levels

Permissions are defined at three levels:

  1. Workspace – this is where the entire Power BI dataset and associated reports are stored. Permissions at this level apply to the entirety of content in the space. Users can be assigned various statuses: administrator, member or contributor. There is also a fourth group for people just viewing content, without access to settings.
  2. Dataset – data access restrictions according to row-level security. There can be many data sets in the workspace with different security definitions for the data contained in each of them. At this level – unlike the workspace – there are no predefined roles. The designer decides about their number and scope, which allows for an individual approach to their creation.
  3. Report – you can specify who will be able to view a selected report within a given space. Reports alone do not store data. Visualizations are associated with data sets that determine what portion of information can be loaded into them. The user can also receive permission to export the report (this option is currently available in the preview version). This type of report contains visualizations and its own set of data. Files downloaded in this way can be freely extended.

Row-level security – an example of role usage

Sample customer profiles from around the country will be used to demonstrate how security mechanisms work. Currently, the report displays the data of all customers. Let’s assume that this level of detail is reserved for management, who should have access to the full range of information, while for region guardians, statistics related only to their own area of activity may be more useful. We may also want to protect information about customers from other provinces.

To limit the display of data for a user who is responsible only for a selected region, we can configure the roles of the data set using the Power BI Desktop application. This will prevent rows from being displayed that do not meet the condition described in the filter expression for the given role. Rules can be set for several objects at the same time, so you can limit access to data by attributes that are in different tables. You can also hide entire tables.

You can assign different expressions to filter selected tables for each of the roles created. For example, a person who is the guardian of the “south” region will be able to view reports for clients whose data in the columns meet the conditions and come from the provinces (column [province]): Dolnoslaskie, Slaskie or Opolskie.

To assign users to groups, publish the set to the Power BI workspace and go to the row management security section. In this section you can also quickly test the correct operation of security in the selected role. The reports will then be displayed in the version the participant sees, without having to change the rights of their own account. Settings can also be tested locally before deployment to the Power BI service in the Desktop application.

We should keep in mind that users assigned to row-level security roles do not have permission to manage the configuration or edit content within the entire workspace – then the restrictions for the selected data set will be overridden and they will be able to change the security settings themselves, downloading the file in full.


The discussed case presents one of the many methods of implementing the security available in Power BI. Conditions limiting the displayed data can be defined based on static conditions or using a dynamic object – for example, the name of the logged-in user.

Roles and permissions are not only security and control over access to data, but also a way to make work easier. Analyses can automatically present the business context for the person they refer to. Reports configured in this way can be further edited and extended directly in the cloud, or locally using the Power BI Desktop application, without the need to configure the data set for the end-user each time.

Our Experts
/ Knowledge Shared


Why Should You Develop Mobile Applications with AWS?

Mobile Solutions

Today’s mobile apps have a lot of requirements, increasingly in the areas of performance, scalability and, of course, cost-efficiency. In these areas, we need a sophisticated infrastructure to support the app.   After all, the frontend of the app is already based on the user’s hardware, but the backend is where we have the most control....


The 7 Deadly Signs of Digital Debt


Previously, we spoke about the rising awareness of Digital Debt thanks to recent events. This time, we want to help point out the most common signs of Digital Debt in your own company or operations.  After all, there’s a good chance the issues that produce such debt have gradually become part of day-to-day business. So much so, in fact,...


Digital Debt / The Business Killer That’s Spreading


Some businesses were happy with being offline… until they were not. Recent events have pushed the issue of digital debt into the cold light of day.  The hard truth is simple: companies and other entities have suddenly found themselves in a reality where offline operations are no longer the backbone to rely on. This shift was significantly...

Expert Knowledge
For Your Business

As you can see, we've gained a lot of knowledge over the years - and we love to share! Let's talk about how we can help you.

Contact us