11.2 Sensitivity Labels, Item Access, and Governance
Key Takeaways
- Sensitivity labels (from Microsoft Purview) classify data as Public, Internal, Confidential, or Highly Confidential.
- Labels can enforce encryption, watermarks, and export restrictions on Power BI content.
- Item-level access controls sharing permissions for individual reports and semantic models.
- Semantic model permissions (Build, Read, Reshare) control who can create reports from a dataset.
- Data lineage view shows the flow of data from source through datasets to reports and dashboards.
Quick Answer: Sensitivity labels classify Power BI content (Public, Confidential, etc.) and can enforce encryption and export restrictions. Item-level access controls who can view or build on specific content. Semantic model permissions (Build, Read, Reshare) determine who can create reports from a published dataset. Data lineage tracks data flow from source to consumer.
Sensitivity Labels
What are Sensitivity Labels?
Sensitivity labels are classifications from Microsoft Purview (formerly Microsoft Information Protection) that can be applied to Power BI content:
| Label | Description | Typical Enforcement |
|---|---|---|
| Public | No restrictions | None |
| General | Internal business data | Basic protection |
| Confidential | Sensitive business data | Encryption, limited sharing |
| Highly Confidential | Most sensitive data | Strict encryption, no external sharing |
Applying Sensitivity Labels
Report/Dataset → Settings → Sensitivity Label → Select label
Or in Power BI Desktop:
Home tab → Sensitivity → Select label
Label Inheritance
Sensitivity labels propagate downstream:
- A dataset labeled "Confidential" → reports built on it inherit "Confidential"
- Reports labeled "Confidential" → exports (PDF, Excel) carry the label
- Downstream content inherits the most restrictive label
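The inheritance rule above can be checked against an inventory of items and their lineage. The following is an added example, not part of the original guide and not Power BI's own code; the item names, the `UPSTREAM` and `APPLIED` structures, and both function names are constructed for illustration, and the label order is taken from the table above.

```python
from graphlib import TopologicalSorter

# Least to most restrictive, in the order of the label table above.
LABEL_ORDER = ["Public", "General", "Confidential", "Highly Confidential"]
RANK = {name: i for i, name in enumerate(LABEL_ORDER)}

# Constructed sample inventory: item -> items directly upstream of it.
UPSTREAM = {
    "ds_sales": [],
    "ds_hr": [],
    "rpt_sales_overview": ["ds_sales"],
    "rpt_headcount_cost": ["ds_sales", "ds_hr"],
    "dash_exec": ["rpt_sales_overview", "rpt_headcount_cost"],
    "rpt_headcount_cost.pdf": ["rpt_headcount_cost"],
}
# Constructed sample: label currently applied to each item (missing = unlabeled).
APPLIED = {
    "ds_sales": "Confidential",
    "ds_hr": "Highly Confidential",
    "rpt_sales_overview": "General",
    "rpt_headcount_cost": "Highly Confidential",
    "dash_exec": "Confidential",
}

def effective_labels(upstream, applied):
    """Most restrictive label among an item's own label and all of its upstream."""
    effective = {}
    # static_order() yields every item after the items it depends on.
    for item in TopologicalSorter(upstream).static_order():
        seen = [applied.get(item)] + [effective[u] for u in upstream.get(item, ())]
        seen = [label for label in seen if label is not None]
        effective[item] = max(seen, key=RANK.__getitem__) if seen else None
    return effective

def under_labeled(upstream, applied):
    """(item, applied, expected) where the applied label is weaker than lineage implies."""
    findings = []
    for item, expected in effective_labels(upstream, applied).items():
        have = applied.get(item)
        if expected is not None and RANK.get(have, -1) < RANK[expected]:
            findings.append((item, have, expected))
    return sorted(findings, key=lambda f: f[0])

if __name__ == "__main__":
    for item, have, expected in under_labeled(UPSTREAM, APPLIED):
        print(f"{item}: applied={have} expected={expected}")
```

The dashboard is the case to notice: its own "Confidential" label looks reasonable until the second report, built on the HR dataset, is taken into account.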
Label Enforcement
| Enforcement | Description |
|---|---|
| Encryption | Encrypts exported files (PDF, Excel, PowerPoint) |
| Watermarks | Adds visual watermarks to exported documents |
| Export restrictions | Prevents or limits data export |
| Access restrictions | Limits who can view labeled content |
| Content marking | Header/footer text on exports |
Sensitivity Label Requirements
- Microsoft Purview must be configured by the tenant admin
- Labels are defined in the Microsoft Purview Compliance Portal
- Power BI admin must enable sensitivity labels in admin settings
- Users must be licensed for Microsoft Purview Information Protection
Item-Level Access
Report Access
| Permission | Capability |
|---|---|
| View | Can open and interact with the report |
| Reshare | Can share the report with others |
| Build | Can create new reports using the underlying dataset |
Configuring Item Access
Report → Share → Enter recipients → Select permissions (Reshare, Build)
Semantic Model (Dataset) Permissions
| Permission | Description |
|---|---|
| Read | Can view data through existing reports |
| Build | Can create new reports and connect to the dataset |
| Reshare | Can grant access to others |
| Write | Can modify the semantic model (rare) |
Managing Dataset Permissions
Dataset → More options → Manage Permissions
→ View who has access → Add/remove/modify permissions
Sharing and Access Flow
When you share a report:
- Recipient gets View access to the report
- Recipient gets Read access to the underlying dataset (automatic)
- If "Allow recipients to share" is checked, they get Reshare permission
- If "Allow recipients to build content" is checked, they get Build permission on the dataset
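The sharing flow above, modelled as an added example (not part of the original guide and not a Power BI API): it folds a series of share actions into per-dataset permissions and lists Build grants held by individual users rather than security groups. The share records, principal names, group list and function names are constructed for illustration.

```python
from collections import defaultdict

def grants_from_share(allow_reshare=False, allow_build=False):
    """Permissions one share action hands out, following the sharing flow above."""
    report = {"View"}
    dataset = {"Read"}         # Read on the underlying dataset is automatic
    if allow_reshare:
        # The page does not say which item Reshare lands on; this example
        # records it on the report only (assumption).
        report.add("Reshare")
    if allow_build:
        dataset.add("Build")   # Build is granted on the dataset, not the report
    return report, dataset

def dataset_access(shares, report_to_dataset):
    """Fold share actions into {dataset: {principal: set of permissions}}."""
    access = defaultdict(lambda: defaultdict(set))
    for s in shares:
        _, ds_perms = grants_from_share(s["reshare"], s["build"])
        access[report_to_dataset[s["report"]]][s["principal"]] |= ds_perms
    return access

def build_review_queue(shares, report_to_dataset, groups):
    """(dataset, principal) pairs where Build is held by a non-group principal."""
    access = dataset_access(shares, report_to_dataset)
    return sorted((ds, who) for ds, holders in access.items()
                  for who, perms in holders.items()
                  if "Build" in perms and who not in groups)

# Constructed sample data: two reports share one dataset.
REPORT_TO_DATASET = {"rpt_sales_overview": "ds_sales",
                     "rpt_sales_detail": "ds_sales",
                     "rpt_headcount": "ds_hr"}
GROUPS = {"sg-finance-analysts"}
SHARES = [
    {"report": "rpt_sales_overview", "principal": "sg-finance-analysts",
     "reshare": False, "build": True},
    {"report": "rpt_sales_overview", "principal": "alex@example.com",
     "reshare": False, "build": False},
    {"report": "rpt_sales_detail", "principal": "alex@example.com",
     "reshare": True, "build": True},
    {"report": "rpt_headcount", "principal": "sam@example.com",
     "reshare": False, "build": False},
]

if __name__ == "__main__":
    print(build_review_queue(SHARES, REPORT_TO_DATASET, GROUPS))
```

Because Build is a dataset permission, the view-only share of one report does not limit what a later share of a second report over the same dataset grants; the audit has to be done per dataset, not per report.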
Data Lineage
Lineage View
Workspace → Lineage view (icon in workspace toolbar)
Lineage view shows:
- Data flow from sources → dataflows → datasets → reports → dashboards
- Connection dependencies
- Refresh status indicators
- Impact of changes to upstream content
Impact Analysis
Before modifying a dataset:
Dataset → More options → Impact Analysis
Shows:
- How many reports depend on the dataset
- How many dashboards are affected
- How many users will be impacted
- Which workspaces contain dependent content
Use cases:
- Before renaming columns or changing data types
- Before removing tables from a dataset
- Before changing relationships
- Before deprecating a data source
Data Protection Metrics
Admin Portal → Protection Metrics:
- How many items have sensitivity labels
- Label distribution across the organization
- Export activity for labeled content
- Label changes over time
Governance Best Practices
- Apply sensitivity labels to all datasets and reports at creation
- Use certified datasets as single sources of truth
- Configure Build permissions to control who can create content from datasets
- Review lineage before making changes to shared datasets
- Enable label inheritance so downstream content inherits protection
- Use security groups for access management instead of individual users
- Monitor with admin APIs to track usage and compliance
- Implement deployment pipelines for controlled content promotion (dev → test → prod)
Deployment Pipelines
Deployment pipelines provide controlled promotion of content through stages:
| Stage | Purpose |
|---|---|
| Development | Active development and testing |
| Test | UAT and validation |
| Production | Live content for end users |
Deploying Between Stages
Deployment Pipeline → Compare stages → Deploy to next stage
→ Review changes → Confirm deployment
Benefits:
- Prevents accidental changes to production
- Enables testing before release
- Provides audit trail of changes
- Supports parameter rules for environment-specific settings (different server/database per stage)
On the Exam
The PL-300 frequently tests:
- Understanding sensitivity label inheritance and enforcement
- Configuring item-level and dataset permissions (Build, Read, Reshare)
- Using lineage view and impact analysis before making changes
- Knowing which permissions are needed for different user actions
- Understanding deployment pipeline stages and their purpose
A dataset is labeled "Confidential" in the Power BI Service. A user creates a new report from this dataset. What sensitivity label does the new report inherit?
A user needs to create their own reports using a published semantic model but should NOT be able to share it with others. Which permissions should you grant?
Before renaming a column in a shared dataset, you want to understand how many reports and users will be affected. Which feature should you use?