Object-Level Security (OLS) vs Row-Level Security (RLS)
While RLS controls which rows users can see, Object-Level Security (OLS) controls which tables and columns are visible.
What is Object-Level Security (OLS)?
OLS restricts access to specific metadata objects — tables and columns — in the data model. Users with OLS restrictions cannot see or reference the restricted objects.
OLS vs RLS Comparison
| Feature | RLS (Row-Level Security) | OLS (Object-Level Security) |
|---|---|---|
| Controls | Which rows are visible | Which tables/columns are visible |
| Scope | Data filtering | Metadata hiding |
| Setup Location | Power BI Desktop + Service | Tabular Editor (external tool) |
| DAX Required | Yes (filter expressions) | No (configuration-based) |
| Use Case | Regional data access | Hiding sensitive columns |
| Example | Sales rep sees only their sales | HR can't see salary column |
| Performance Impact | Can slow queries (filter evaluation) | Minimal (metadata-level) |
| Combined Use | ✅ Can use both together | ✅ Can use both together |
When to Use OLS
| Scenario | Solution |
|---|---|
| Hide salary data from non-HR users | OLS on Salary column |
| Restrict access to a PII table | OLS on the entire table |
| Hide cost data from sales team | OLS on Cost column |
| Protect sensitive metrics | OLS on the column used in measures |
Setting Up OLS
OLS is configured using Tabular Editor (a free external tool for Power BI).
Steps:
- Download and install Tabular Editor (free version works)
- Open your model in Tabular Editor:
- From Power BI Desktop → External Tools → Tabular Editor
- Or connect directly to a published dataset
- Navigate to the table/column you want to restrict
- In the Properties pane:
- Find Object Level Security
- Assign None (full access) or Read (hidden) per role
- Save changes
OLS Permissions:
| Permission | Effect |
|---|---|
| None | Object is completely hidden — cannot be seen or referenced |
| Read | Object is visible and accessible |
OLS Behavior
When a table or column is restricted by OLS: • ❌ The object doesn't appear in the Fields pane • ❌ DAX measures referencing it return errors for restricted users • ❌ Visuals using the object show errors • ❌ Q&A queries about the object fail • ✅ Other users (with access) see everything normally
Combining RLS and OLS
You can use both RLS and OLS together for comprehensive security:
Example: • RLS: Sales reps see only their own region's data (row filtering) • OLS: Sales reps cannot see the "Cost" and "Margin" columns (column hiding)
Result: A sales rep sees: • ✅ Their region's sales data • ✅ Revenue column • ❌ Other regions' data (blocked by RLS) • ❌ Cost and Margin columns (blocked by OLS)
Limitations of OLS
• ❌ Can only be set up via Tabular Editor (not in Power BI Desktop UI) • ❌ Measures referencing restricted columns will error for restricted users • ❌ Cannot be tested in Power BI Desktop (only in Service) • ❌ Requires careful planning — hiding a column used by many visuals breaks those visuals • ❌ Not available in Power BI Desktop's built-in role management
Best Practices
• Use RLS for row-level data filtering (different users see different data) • Use OLS for column/table hiding (different users see different structure) • Combine both for comprehensive security • Plan OLS before building visuals — adding OLS later may break existing visuals • Create role-specific measures that don't reference OLS-restricted columns • Test thoroughly with different user accounts • Document which roles have access to which objects