This post is a part of the PL-300: Microsoft Power BI Data Analyst Exam Prep Hub; and this topic falls under these sections:
Manage and secure Power BI (15–20%)
--> Secure and govern Power BI items
--> Configure Item-Level Access
Note that there are 10 practice questions (with answers and explanations) at the end of each topic. Also, there are 2 practice tests with 60 questions each available on the hub below all the exam topics.
Overview
Item-level access in Power BI controls who can access specific Power BI items—such as reports, dashboards, semantic models (datasets), and apps—and what actions they can perform on those items.
This topic is part of the Manage and secure Power BI (15–20%) exam domain and falls specifically under Secure and govern Power BI items, making it a critical governance concept for PL-300 candidates.
Unlike workspace roles (which define broad permissions across an entire workspace), item-level access allows more granular control over individual Power BI assets.
What Is Item-Level Access?
Item-level access refers to permissions assigned directly to individual Power BI items, independent of workspace roles. These permissions determine whether users can:
- View an item
- Share an item
- Build new content using an item
- Reshare or export data
- Modify or manage the item
Item-level access is commonly configured for:
- Reports
- Dashboards
- Semantic models (datasets)
- Apps (indirectly through audience access)
Why Item-Level Access Matters (Exam Perspective)
From a PL-300 standpoint, item-level access is important because it helps:
- Enforce principle of least privilege
- Enable self-service BI safely
- Separate content creation from content consumption
- Support enterprise governance without duplicating workspaces
Expect exam questions that test when to use item-level permissions instead of workspace roles, and how item-level access interacts with security features like RLS.
Configuring Item-Level Access by Item Type
1. Report-Level Access
Reports can be shared directly with users or groups.
Key capabilities:
- View report
- Share report (optional)
- Build new content (if underlying model allows it)
How it’s configured:
- Use the Share button on a report
- Assign access to users, security groups, or distribution lists
Important exam note:
Sharing a report does not automatically grant access to the underlying semantic model unless explicitly allowed.
2. Dashboard-Level Access
Dashboards are typically shared for executive or summary-level consumption.
Key characteristics:
- View-only by default
- No data modeling or editing
- Tiles link back to underlying reports (which require separate access)
Exam tip:
Users must also have access to the source reports behind dashboard tiles to avoid broken visuals.
3. Semantic Model (Dataset) Item-Level Access
Semantic models support some of the most important item-level permissions.
Key permissions:
- Read – view reports using the model
- Build – create new reports or analyze in Excel
- Reshare – share the dataset with others
Common use case:
- Grant Build permission to analysts so they can create their own reports without modifying the dataset.
Exam highlight:
The Build permission is essential for self-service BI scenarios and is frequently tested.
4. App Access (Audience-Based)
Apps use audiences to control item-level visibility.
What audiences allow you to do:
- Show different content to different user groups
- Hide specific reports or dashboards
- Control navigation and access without duplicating content
Best practice:
- Use Azure AD security groups for app audiences.
Item-Level Access vs Workspace Roles
| Feature | Workspace Roles | Item-Level Access |
|---|---|---|
| Scope | Entire workspace | Individual items |
| Granularity | Coarse | Fine-grained |
| Best for | Content creators/admins | Consumers & self-service |
| Exam focus | Governance | Security precision |
Key exam takeaway:
Workspace roles control what users can do, while item-level access controls what items they can access.
Item-Level Access and Row-Level Security (RLS)
These two are often confused on the exam.
- Item-level access controls access to content
- RLS controls data visibility within content
They are complementary, not interchangeable.
Example scenario:
- Item-level access → Can the user open the report?
- RLS → What rows of data does the user see after opening it?
Best Practices for Configuring Item-Level Access
- Use Azure AD security groups instead of individuals
- Grant Build permission carefully
- Avoid oversharing datasets
- Combine item-level access with RLS for data security
- Prefer apps and audiences for large-scale distribution
Common Exam Traps to Watch For
- Assuming report sharing grants dataset access automatically
- Confusing workspace roles with item permissions
- Forgetting that dashboard tiles require report access
- Overlooking Build permission in self-service scenarios
Summary for PL-300 Exam Readiness
To succeed on PL-300 questions about item-level access, you should be able to:
✔ Identify when item-level access is required
✔ Configure permissions for reports, dashboards, and datasets
✔ Understand Build vs Read permissions
✔ Explain how item-level access differs from workspace roles
✔ Combine item-level access with RLS appropriately
Practice Questions
Go to the Practice Questions for this topic.
The Data Community 