Skip to main content

Secure a tabular model

Tabular models can be secured directly from Data Hub. Roles, role members, and row-level filters are managed on the model in Data Hub and deployed to your tabular server (Azure Analysis Services or Power BI) when the model is processed.

This page covers:

  • Running analytics under the logged-in user's identity, so server-side roles take effect.
  • Creating roles and adding members, including Microsoft Entra ID users and groups.
  • Limiting data with DAX table filter expressions (row-level security).
  • Testing roles before users see them.
note

This page covers tabular models. For multidimensional cube security, see Secure your semantic layer and the Model roles reference.

How tabular security works

There are two layers of security to consider:

  • Server-side roles define what each user can see. Roles are deployed to your tabular server when the model is processed, including any DAX row-level filter expressions you have set.

  • User impersonation ensures Data Hub queries the tabular server as the logged-in Data Hub user, rather than always as the service account that owns the model server connection. Without impersonation the server cannot apply the right role to each user.

You configure both on the model server resource in Data Hub.

Enable cube security

When Enable cube security is selected on a tabular model server, Data Hub queries the server as the logged-in Data Hub user. The user's email address (UPN) is used to identify them on the tabular server, and the server applies whichever role(s) the user belongs to.

To enable cube security:

  1. Open the model server resource in Data Hub.

  2. In the Analysis Services Connection section, select Enable cube security.

  3. Save the model server.

note
  • New tabular model servers have Enable cube security selected by default.
  • Tabular model servers that existed before upgrading to 2026.3 have Enable cube security cleared by default, to preserve existing behaviour. Select it when you are ready for users to be filtered by their server-side roles.
  • The service account used to connect Data Hub to the tabular server must be authorized to impersonate other users on that server.

Troubleshooting cube security

  • Users see all data, even with cube security enabled. Check that the model server's service account is authorized to impersonate other users on the tabular server.
  • A user gets an error mentioning a missing email address. Add an email address to that user's Data Hub account.
  • A guest user sees more data than expected. Guest users always bypass impersonation and run as the model server's service account. Either restrict the service account's role on the tabular server, or use a non-guest account for that user.