twbxtopbi
Back to Resources
Technical

How to Implement Object-Level Security in Power BI

Restrict access to tables and columns by role for row-level security.

Object-level security (OLS) in Power BI restricts access to specific tables or columns in the data model based on user roles. Unlike row-level security (RLS), which filters rows, OLS operates on model metadata: you hide entire tables or columns from users who lack permission. RLS answers which rows a user sees; OLS answers which objects (tables/columns) they can see at all.

Diagram: RLS vs OLS—rows vs objects
RLS filters rows; OLS hides tables or columns by role.

When to use OLS

Use OLS when a table or column contains sensitive data (e.g. salary, PII) that must not be visible to certain roles, even if they can open the report. Combine OLS with RLS when you need both: only certain rows and only certain objects visible.

Prerequisites

OLS is configured in the model metadata, not in the Power BI Desktop UI. You need an external tool such as Tabular Editor (2.x or 3) or ALM Toolkit to set table/column permissions per role. Install Tabular Editor and open your model from Power BI Desktop via External Tools.

Power BI External Tools – Tabular Editor
Open Tabular Editor from the External Tools tab in Power BI Desktop.

Implementation steps

  1. 1
    Create roles in Power BI

    In the Modeling tab, click Manage roles. Create the roles you need (e.g. Admin, Public). Save.

  2. 2
    Open Tabular Editor

    Go to External Tools and open Tabular Editor. Your open .pbix model is connected.

  3. 3
    Set OLS on columns

    Expand the model, then Tables, then the table (e.g. Customer). Select a column. In the properties pane, find Object Level Security (under Translations, Perspectives, Security). For each role, set the permission (e.g. None for Public, Read for Admin).

  4. 4
    Save and test

    Save in Tabular Editor; changes apply to the Desktop model. In Power BI Desktop use View as to test as Public—the secured columns should disappear from the Data pane and any visual using them may show an error for that role.

Testing in Desktop and Service

Use View as in Power BI Desktop to impersonate a role and confirm columns are hidden. After publishing, go to the dataset in the service, open Security, and use Test as role to verify. Add real users or groups to each role before going live.

Combining RLS and OLS

Apply both RLS and OLS to the same roles so that row filters and object visibility are consistent. If you create separate roles for RLS and OLS, they do not combine—a user in an RLS-only role would still see all objects. Document which roles see which tables/columns for governance.

Need help with your migration?

Our team can help you design, build, and optimize your Power BI and Fabric solutions.

Get a free assessment

Ready to modernize your BI stack?

Stop maintaining legacy workbooks. Start leveraging the full power of the Microsoft Data Platform today.

Get a Free AssessmentView Case Studies