Announcing Microsoft Purview Data Loss Prevention policies now support the restrict access action for semantic models
We’re very excited to announce that restricting access based on sensitive content for semantic models is now in public preview!
This follows the extension of DLP for Power BI to Fabric lakehouses earlier this year.
Purview Data Loss Prevention (DLP) policies for Fabric help you automatically detect sensitive information as it is uploaded into Fabric lakehouses and semantic models. DLP policies protect your organization’s sensitive data, reduce risk from oversharing, and prevent users from inappropriately sharing sensitive data with people who shouldn’t have it. This helps you comply with government or industry regulations, such as the European Union’s General Data Protection Regulation (GDPR) and the Health Insurance Portability and Accountability Act (HIPAA).
With DLP policies for Fabric extended to include the restrict access action, compliance admins can configure policies that automatically detect sensitive information in semantic models and restrict access to internal users or to data owners. This is in addition to the DLP actions already supported today, such as auditing, alerts, and custom policy tips surfaced within the Fabric platform.

This capability is especially valuable when your tenant includes guest users and you want to enforce further control to ensure guest users do not accidentally access internal proprietary information. Once a restrict access rule is enforced, any user who previously had access to the semantic model and its downstream items (such as reports or dashboards) will lose permissions and will not be able to access the semantic model or view its data within the reports built on top of it. Users with access who attempt to share the report will not be able to bypass the restriction, and a user whose access was revoked by the restrict access action will remain blocked.
To help visualize how this capability takes effect within Fabric, let’s assume that the semantic model ‘Flight Customer Information’ is visible to User A, the data owner of this semantic model, and to User B, a guest user in the tenant.
When sensitive information is detected within the semantic model and restrict access is enforced, User B, the guest user, will not be able to view the restricted semantic model (as seen in the image above). Moreover, any reports built on top of it will be marked with a DLP indication, now taking the form of access blocked (replacing the gray icon for policy evaluation results that do not enforce access), and the report icon itself will also convey that it is blocked from the user. The hover card will let User B know that this access loss occurred due to the detection of sensitive information.
For User A, the data owner who still has access to the data, a similar indication will appear, warning them that sensitive information has been found in the data and that access has been blocked for some of the users.

And just like all other DLP rules, a side panel will show the details of all the matched rules, allowing the data owner to override or report an issue where necessary.

With the restrict access action for semantic models, compliance admins gain further control over the enforcement of access to the sensitive information in their tenant.
Note: Currently, there will be no charge for lakehouses and semantic models scanned by DLP policies. However, Microsoft Purview will be releasing a new pay-as-you-go consumption-based business model in January 2025, and once this is live, DLP policies will need to be acquired using the new model, as stated in this announcement.
We’re always happy to hear any comments or feedback you may have regarding data loss prevention in Fabric. For any suggestions, please fill out this form.