
This post is part of the DP-600: Implementing Analytics Solutions Using Microsoft Fabric Exam Prep Hub. This topic falls under these sections:
Maintain a data analytics solution
--> Implement security and governance
--> Implement row-level, column-level, object-level, and file-level access control
To Do:
Complete the related module for this topic in the Microsoft Learn course: Secure data access in Microsoft Fabric
Security and governance are foundational responsibilities of a Fabric Analytics Engineer. Microsoft Fabric provides multiple layers of access control to ensure users can only see and interact with the data they are authorized to access. For the DP-600 exam, it is important to understand what each access control type does, where it is applied, and when to use it.
1. Row-Level Security (RLS)
What it is
Row-Level Security (RLS) restricts access to specific rows in a table based on the identity or role of the user querying the data.
Where it is implemented
- Power BI semantic models (datasets)
- Direct Lake or Import models in Fabric
- Applies at query time
How it works
- You define DAX filter expressions on tables.
- Users are assigned to roles, and those roles determine which rows are visible.
- The filtering is enforced automatically whenever the model is queried.
Common use cases
- Sales users see only their assigned regions
- Managers see only their department’s data
- Multi-tenant reporting scenarios
Exam tips
- RLS filters rows, not columns
- RLS is evaluated dynamically based on user context
- Know the difference between static RLS (hard-coded filters) and dynamic RLS (based on USERPRINCIPALNAME or lookup tables)
2. Column-Level Security (CLS)
What it is
Column-Level Security (CLS) restricts access to specific columns within a table, preventing sensitive fields from being exposed.
Where it is implemented
- Power BI semantic models
- Defined within the model, not in reports
How it works
- Columns are marked as hidden for certain roles
- Users in those roles cannot query or visualize the restricted columns
Common use cases
- Hiding personally identifiable information (PII)
- Restricting access to salary, cost, or confidential metrics
Exam tips
- CLS does not hide entire rows
- Users without access cannot bypass CLS using visuals or queries
- CLS is evaluated before data reaches the report layer
3. Object-Level Security (OLS)
What it is
Object-Level Security (OLS) controls access to entire objects within a semantic model, such as:
- Tables
- Columns
- Measures
Where it is implemented
- Power BI semantic models in Fabric
- Typically managed using external tools or advanced model editing
How it works
- Objects are explicitly denied to specific roles
- Denied objects are completely invisible to the user
Common use cases
- Hiding technical or staging tables
- Preventing access to internal calculation measures
- Supporting multiple audiences from the same model
Exam tips
- OLS is stronger than CLS (objects are invisible, not just hidden)
- OLS affects metadata discovery
- Users cannot query objects they do not have access to
4. File-Level Access Controls
What it is
File-level access control governs who can access files stored in OneLake, including:
- Lakehouse files
- Warehouse data
- Files accessed via notebooks or Spark jobs
Where it is implemented
- OneLake
- Workspace permissions
- Underlying Azure Data Lake Gen2 permission model
How it works
- Permissions are assigned at:
  - Workspace level
  - Item level (Lakehouse, Warehouse)
  - Folder or file level (where applicable)
- Uses role-based access control (RBAC)
Common use cases
- Restricting raw data access to engineers only
- Allowing analysts read-only access to curated zones
- Enforcing separation between development and production data
Exam tips
- File-level security applies before data reaches semantic models
- Workspace roles (Admin, Member, Contributor, Viewer) matter
- OneLake follows a centralized storage model across Fabric workloads
Key Comparisons to Remember for the Exam
| Security Type | Scope | Enforced At | Typical Use |
| --- | --- | --- | --- |
| Row-Level (RLS) | Rows | Query time | User-specific data filtering |
| Column-Level (CLS) | Columns | Model level | Protect sensitive fields |
| Object-Level (OLS) | Tables, columns, measures | Model metadata | Hide entire objects |
| File-Level | Files and folders | Storage/workspace | Control raw and curated data access |
How This Fits into Fabric Governance
In Microsoft Fabric, these access controls work together:
- File-level security protects data at rest
- Object-, column-, and row-level security protect data at the semantic model layer
- Workspace roles govern who can create, modify, or consume items
For the DP-600 exam, expect scenario-based questions that test:
- Choosing the right level of security
- Understanding where security is enforced
- Knowing limitations and interactions between security types
Final Exam Tips
If the question mentions who can see which data values, think RLS or CLS.
If it mentions who can see which objects, think OLS.
If it mentions access to files or raw data, think file-level and workspace permissions.
DP-600 Exam Strategy Notes
- Security evaluation order (exam favorite):
  - Workspace access
  - Item-level access
  - Object-level security
  - Column-level security
  - Row-level security
- Use:
  - RLS → Who sees which rows?
  - CLS → Who sees which columns?
  - OLS → Who sees which tables/measures?
  - File-level → Who sees which files?
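The evaluation order above, combined with the lookup-table form of dynamic RLS from section 1, as an added example that is not part of the original post and is not Fabric code. It is a toy Python model in which each layer either rejects the request or, for RLS, filters rows; the users, tables, `ANALYST` role and `acl` structure are all constructed, and treating a workspace role or an item share as sufficient to reach the model is a modelling assumption.

```python
# Toy model of the evaluation order above, not Fabric code; all data is constructed.
from dataclasses import dataclass, field

class AccessDenied(Exception):
    """Raised by any layer that rejects the request outright."""

@dataclass
class Role:
    denied_tables: set = field(default_factory=set)    # OLS
    denied_columns: set = field(default_factory=set)   # CLS: (table, column)
    row_filters: dict = field(default_factory=dict)    # RLS: table -> predicate

MODEL = {
    "Sales": [{"Region": "West", "Amount": 100, "Cost": 60},
              {"Region": "East", "Amount": 250, "Cost": 90},
              {"Region": "North", "Amount": 75, "Cost": 40}],
    "Staging": [{"RawPayload": "sample"}],
}
# Lookup table that drives dynamic RLS: user principal name -> regions.
USER_REGION = {"ana@contoso.example": {"West"},
               "raj@contoso.example": {"East", "North"}}

def region_filter(row, upn):
    # Dynamic RLS: the predicate depends on who is asking.
    return row["Region"] in USER_REGION.get(upn, set())

ANALYST = Role(denied_tables={"Staging"}, denied_columns={("Sales", "Cost")},
               row_filters={"Sales": region_filter})

def query(upn, table, columns, acl, role=ANALYST):
    # 1-2. Workspace role or item share (assumption): is the model reachable?
    if upn not in acl["workspace"] and upn not in acl["item"]:
        raise AccessDenied("item")
    # 3. OLS: a denied table cannot be queried.
    if table in role.denied_tables:
        raise AccessDenied("ols")
    # 4. CLS: a restricted column cannot be queried.
    if any((table, c) in role.denied_columns for c in columns):
        raise AccessDenied("cls")
    # 5. RLS: no error; rows the user may not see are filtered out.
    keep = role.row_filters.get(table, lambda row, upn: True)
    return [{c: r[c] for c in columns} for r in MODEL[table] if keep(r, upn)]

def outcome(upn, table, columns, acl):
    """Return the visible rows, or 'denied:<layer>' for the rejecting layer."""
    try:
        return query(upn, table, columns, acl)
    except AccessDenied as denied:
        return f"denied:{denied}"
```

In this model, a user who can reach the semantic model but has no entry in the lookup table gets an empty result rather than an error, which is how an RLS gap differs from an OLS or CLS denial.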
Practice Questions
Question 1 (Single choice)
Which access control mechanism restricts which rows of data a user can see in a semantic model?
A. Column-level security
B. Object-level security
C. Row-level security
D. Item-level access
Correct Answer: C
Explanation:
- Row-level security (RLS) filters rows dynamically based on user identity.
- CLS restricts columns, OLS restricts objects, and item-level controls access to the artifact itself.
Question 2 (Scenario-based)
A sales manager should only see sales data for their assigned region across all reports. Which solution should you implement?
A. Column-level security
B. Row-level security with dynamic DAX
C. Object-level security
D. Workspace Viewer role
Correct Answer: B
Explanation:
- Dynamic RLS uses functions like USERPRINCIPALNAME() to filter rows per user.
- Workspace roles do not filter data.
Question 3 (Multi-select)
Which security types are configured within a Power BI semantic model? (Select all that apply.)
A. Row-level security
B. Column-level security
C. Object-level security
D. File-level security
Correct Answers: A, B, C
Explanation:
- RLS, CLS, and OLS are semantic model features.
- File-level security applies to OneLake files, not semantic models.
Question 4 (Scenario-based)
You want to prevent users from seeing a Salary column but still allow access to other columns in the table. What should you use?
A. Row-level security
B. Object-level security
C. Column-level security
D. Item-level access
Correct Answer: C
Explanation:
- Column-level security hides specific columns from unauthorized users.
- RLS filters rows, not columns.
Question 5 (Single choice)
Which access control hides entire tables or measures from users?
A. Row-level security
B. Column-level security
C. Object-level security
D. File-level security
Correct Answer: C
Explanation:
- Object-level security (OLS) hides tables, columns, or measures completely.
- Users won’t even see them in the field list.
Question 6 (Scenario-based)
A user should be able to query a semantic model but must not see a calculated measure used only internally. Which control is BEST?
A. Column-level security
B. Object-level security
C. Row-level security
D. Workspace permission
Correct Answer: B
Explanation:
- OLS can hide measures entirely.
- CLS only applies to columns, not measures.
Question 7 (Multi-select)
Which scenarios require file-level access controls in Microsoft Fabric? (Select all that apply.)
A. Restricting access to specific Parquet files in OneLake
B. Limiting access to a lakehouse table
C. Controlling access to raw ingestion files
D. Filtering rows in a semantic model
Correct Answers: A, C
Explanation:
- File-level access applies to files and folders in OneLake.
- Table and row access are handled elsewhere.
Question 8 (Scenario-based)
A data engineer needs access to raw files in OneLake, but analysts should only see curated tables. What should you implement?
A. Row-level security
B. Column-level security
C. File-level access controls
D. Object-level security
Correct Answer: C
Explanation:
- File-level access ensures analysts cannot browse or access raw files.
- RLS and CLS don’t apply at the file system level.
Question 9 (Single choice)
Which security type is evaluated first when a user attempts to access data?
A. Row-level security
B. Column-level security
C. Item-level access
D. Object-level security
Correct Answer: C
Explanation:
- Item-level access determines whether the user can access the artifact at all.
- If denied, other security layers are never evaluated.
Question 10 (Scenario-based)
A user can access a report but receives an error when querying a table directly from the semantic model. What is the MOST likely cause?
A. Missing Row-Level Security role
B. Column-level security blocking access
C. Object-level security hiding the table
D. File-level security restriction
Correct Answer: C
Explanation:
- If OLS hides a table, it cannot be queried—even if reports still function.
- Reports may rely on cached or abstracted queries.
