Domain 1: Maintain a Data Analytics Solution

Row-Level & Object-Level Security

Control what data users see. RLS, CLS, OLS, and file-level security: same report, different data per user.

Data-level security

Simple explanation

Think of a hospital records system. A nurse on cardiology sees heart patient records (row-level). The billing team sees billing columns but not clinical notes (column-level). Nobody knows the drug trial table exists (object-level).

Row-Level Security (RLS)

RLS filters rows based on user identity using a security mapping table:

-- Role: RegionalAccess - filter on dim_store
[Region] IN
    SELECTCOLUMNS(
        FILTER(SecurityMapping, SecurityMapping[UserEmail] = USERPRINCIPALNAME()),
        "Region", SecurityMapping[Region]
    )

CLS vs OLS

CLS hides data; OLS hides the existence of data
| Feature | Column-Level (CLS) | Object-Level (OLS) |
| --- | --- | --- |
| Data visible? | No: returns blank/restricted | No: column/table hidden from metadata entirely |
| Column in field list? | Yes: users know it exists | No: users do not know it exists |
| Measures referencing it | Return blank for restricted users | FAIL for restricted users |
| Configuration | Tabular Editor / XMLA | Tabular Editor / XMLA |

Question

What is RLS?

Answer

Row-Level Security filters rows based on user identity. Uses USERPRINCIPALNAME() and a security mapping table. Same report, different data per user.

Question

What is the difference between CLS and OLS?

Answer

CLS hides column DATA but the column still exists in metadata. OLS hides the column/table from metadata entirely; users do not know it exists. OLS is stricter: measures referencing OLS objects fail.

Knowledge Check

Dr. Sarah needs cardiology doctors to see only cardiology patients. How?

Question

What does the USERPRINCIPALNAME() function do in RLS?

Answer

Returns the email address (UPN) of the current user querying the report. Used inside DAX filter expressions to dynamically match the logged-in user against a security mapping table, so each user sees only their permitted rows.

Knowledge Check

Raj needs to hide a Salary column in a semantic model so non-HR users do not even know the column exists. Which security feature should he use?

