Overview of the Video
In a concise YouTube walkthrough, Pragmatic Works presenter Greg Trzeciak demonstrates how to implement Object-Level Security quickly inside Power BI Desktop using the TMDL script view. The tutorial claims to enable table and column security in under five minutes, and it targets users who previously relied on external tools like Tabular Editor or XMLA endpoints. The presenter emphasizes that this workflow works directly in the model metadata, reducing tool dependencies and simplifying a common security task.
Step-by-Step Demonstration
Greg begins by creating an empty role within the model as the starting point for applying permissions. Then he opens the TMDL script view and edits the role definition to add table and column permissions that block access to a sensitive column labeled "Region." After applying the script changes to the model, he uses Power BI's "View as" feature to test the role and show that the secured column is effectively removed from visuals.
Why This Approach Matters
This technique is notable because it brings Object-Level Security capability inside the native Power BI authoring experience without requiring external editors. As a result, teams that work in Fabric-connected environments or follow modern semantic model workflows can adopt OLS more readily. Moreover, applying OLS at the model metadata level means the permission changes apply before row filters, minimizing unintended data exposure in shared reports.
Tradeoffs and Practical Considerations
While editing the TMDL script view removes the need for third-party tools, it introduces tradeoffs in maintainability and error risk. On one hand, keeping everything inside Power BI Desktop simplifies small-scale deployments and ad hoc fixes, but on the other hand, script edits can be error-prone for complex models and may lack the advanced validation and batch-change features that tools like Tabular Editor offer. Teams must weigh ease of use against the need for automation, version control, and repeatable deployments in larger environments.
Challenges in Implementation
Implementing OLS via the script view also presents governance and testing challenges. For example, managing many role definitions in a large organization can become unwieldy without a standard process, and script-based edits require careful testing to avoid breaking visuals or calculations. Additionally, some deployment scenarios still rely on XMLA endpoints or CI/CD pipelines, so organizations that need automated lifecycle management should plan how script edits fit into existing workflows.
Performance and Security Impacts
From a performance perspective, OLS applies at query compile time, which helps avoid extra runtime filtering and can be more efficient than relying on row filters alone. However, removing objects from a model can also change report behavior in ways that users may not expect, such as visuals breaking when a secured column disappears. Therefore, authors should balance security needs against user experience by documenting expected changes and testing reports after permission updates.
Best Practices for Teams
To reduce risk, teams should adopt disciplined testing and versioning when editing model scripts. Using staging workspaces and validating changes with the "View as" feature helps ensure that permission edits produce the intended results before they reach production. Furthermore, integrating OLS with existing governance measures—like sensitivity labeling, managed identities, and logging—strengthens protection and auditing.
When to Use Script-Based OLS
Script-based OLS in the TMDL view works well for quick fixes, small models, or teams that need an immediate way to hide sensitive columns without adding new tooling. Conversely, organizations that require repeatable deployments, fine-grained automation, or large-scale role management may prefer to keep using specialized tools and CI/CD practices. In short, the script approach gives teams another option, but it is not a one-size-fits-all replacement.
Key Takeaways
Pragmatic Works’ video demonstrates a practical method to define object permissions inside Power BI Desktop in minutes, showing clear proof when columns become inaccessible and visuals break accordingly. It highlights a shift toward native model metadata control that can simplify workflows while raising considerations about maintainability, testing, and automation. Ultimately, teams should evaluate this approach against their size, governance needs, and existing deployment pipelines before adopting it widely.
Looking Ahead
As semantic modeling in Power BI and Fabric continues to evolve, techniques like script-based OLS editing will likely become part of the broader toolkit for protecting sensitive data. Meanwhile, practitioners should follow best practices for testing and governance and decide whether a lightweight, in-desktop approach meets their long-term needs. With careful planning, the tactic shown in the video can streamline security for many common scenarios while still leaving room for mature automation when required.
