article 23854

Power BI, Build Permissions And Security

If there is sensitive data in your Power BI semantic model that you don’t want some users to see then you need to use row-level security or object-level security to control access to that data. You’re an experienced Power BI developer – you know that, right? But what about Build permissions? If an end-user only has access to a report you’ve built and doesn’t have Build permissions on the underlying semantic model, and if there’s no other security on the semantic model, can they access data in the semantic model that isn’t visible in the report? The answer is potentially yes: you can’t rely on Build permissions for security.

Ever since Power BI was released there have been people who have published a semantic model and report, not used RLS or OLS, and then been surprised and upset when end users have been able to see all the data in the semantic model. A few years ago I wrote a blog post on one way this was possible, the “Show Data Point As Table” feature, and recent changes such as users with View permissions being able to use the Explore feature and the rise of Copilot have caused similar situations. But the fundamental truth is that RLS and OLS have always been necessary to make sure data is secure. Indeed if you check out the documentation for semantic model permissions you’ll see a note explaining that Build permissions are not a security feature:

Build permission is primarily a discoverability feature. It enables users to easily discover semantic models and build Power BI reports and other consumable items based on the discovered models, such as Excel PivotTables and non-Microsoft data visualization tools, using the XMLA endpoint. Users who have Read permission without Build permission can consume and interact with existing reports that have been shared with them. Granting Read permission without Build permission should not be relied upon to secure sensitive data. Users with Read permission, even without Build permission, are able to access and interact with data in the semantic model.

Build permissions do allow you to control whether users can create their own reports in Power BI Desktop or Excel and that’s useful when you want to stop the proliferation of reports, but it’s not security. I understand this is news to a lot of people – especially to many self-service developers who don’t read the docs closely – but that’s why I’ve written this post. If you have published semantic models containing sensitive data and were assuming that users would only be able to see the data displayed in reports then you need to go and implement RLS and OLS in your semantic model right now.

Incidentally, this is also why you are never going to see true page-level security implemented in Power BI reports even though a lot of people ask for it. The semantic model, not the report, is where security is applied in Power BI. All those blog posts and videos out there showing “workarounds” for page-level security are misleading because they are not truly secure. There’s a saying that “you can’t be half pregnant” and the same is true for security: you’re either secure or you aren’t and security-through-obscurity isn’t security. Whether or not a user can see a report page is irrelevant, what is important is whether the user can access the data in the semantic model.