Security and Privacy

This page explains how to keep model work safe when using an LLM with the MCP server.

Why this matters (practical risks)

When you work with a semantic model through an LLM, query results flow through the chat. That means:

  • Customer names, emails, and phone numbers can appear in query outputs if you ask for row-level data.
  • Revenue figures and financial metrics show up in validation results - and anything in the chat could be copy-pasted or logged.
  • DAX and M expressions contain business logic that may be proprietary.

The safeguards below keep your work safe without making the assistant less useful.

Data minimization (the most important habit)

The single best practice: ask for aggregates, not raw rows. Instead of "show me the Sales table", ask for "monthly totals for the last 12 months". This keeps sensitive row-level data out of the chat entirely.

Masking (what it does in practice)

Masking replaces sensitive values in query results before they reach the chat. When enabled:

  • PII masking replaces names, emails, addresses, and similar text with placeholders - so "John Smith" becomes something like "[MASKED]" in the output.
  • Numeric masking replaces financial figures with representative but non-real numbers - so "12,345,678" becomes a different value that preserves the pattern but not the actual data.

This means you can validate query structure and business logic (the right columns, the right groupings, the right measure behavior) without exposing real values. It is especially useful when you paste results into tickets, PRs, or team chats.

Masking is off unless it is enabled by runtime preferences or deployment configuration, and it requires a tier that includes masking. Admins can also force-disable masking for a specific server process.

Recent builds also use model metadata, so masking no longer depends on column names alone:

  • PII masking recognizes common localized labels from the model culture, such as German, French, Spanish, and Czech customer/contact fields.
  • Long comments, notes, messages, and descriptions preserve safe text where possible while redacting high-confidence sensitive spans such as emails, phone numbers, cards, and IDs. By default, SemanticOps MCP can also redact obvious customer/contact-style names and addresses when context supports it.
  • Numeric masking keeps structural numbers useful where possible, such as date parts, keys, postal/reference codes, geography codes, and ratio-style percentages.
  • Numeric profile hints can also follow model culture, so regional reference-code labels are handled more consistently across non-US models.
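The following Python illustration is added here to make the two masking modes concrete on a single result row; it is not the SemanticOps MCP implementation. The sample row, the column-name heuristics, the regular expressions, the placeholder strings and the session key are all constructed for this example, and the context-based redaction of person names inside free text that the list above mentions is not modelled.

```python
import hashlib
import hmac
import re

# Constructed sample row of a hypothetical query result; every value is made up for this example.
SAMPLE_ROW = {
    "CustomerKey": "10482",
    "OrderDate": "2024-03-15",
    "PostalCode": "60311",
    "Customer": "Anna Novak",
    "Email": "anna.novak@example.com",
    "Phone": "+420 601 123 456",
    "Note": "Called Anna Novak (anna.novak@example.com) about invoice 4711, card 4111 1111 1111 1111",
    "Revenue": "12,345,678",
    "MarginPct": "37.5%",
}

# Column-name heuristics (assumptions of this example; the server derives this from model metadata).
STRUCTURAL_COLUMN = re.compile(r"(key|id|date|postal|zip|code)$", re.IGNORECASE)
PII_COLUMN = re.compile(r"(name|customer|contact|address)", re.IGNORECASE)

# High-confidence sensitive spans inside free text, and number shapes.
CARD_RE = re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
PHONE_RE = re.compile(r"\+?\d[\d\s-]{7,}\d")
PERCENT_RE = re.compile(r"^-?\d+(?:\.\d+)?%$")
FINANCIAL_RE = re.compile(r"^-?\d{1,3}(?:,\d{3})+(?:\.\d+)?$|^-?\d+(?:\.\d+)?$")

# Per-session secret so the same real value always masks to the same fake value (joins still line up).
MASK_KEY = b"constructed-session-key"


def mask_pii_text(text):
    """Redact high-confidence spans but keep the surrounding text readable.

    Cards are handled first so a card number is not consumed as a phone number. Person names in
    free text are left alone here; the context-based name redaction is not modelled.
    """
    text = CARD_RE.sub("[CARD]", text)
    text = EMAIL_RE.sub("[EMAIL]", text)
    return PHONE_RE.sub("[PHONE]", text)


def mask_number(value):
    """Replace a financial figure with a non-real number of the same shape.

    Digit count, thousands separators and decimal places are preserved; the digits come from an
    HMAC of the original, so the output is deterministic within a session but is not the real value.
    """
    digest = hmac.new(MASK_KEY, value.encode(), hashlib.sha256).hexdigest()
    pool = iter(str(int(digest, 16)))  # roughly 77 decimal digits, plenty for any figure
    out, first = [], True
    for ch in value:
        if ch.isdigit():
            d = next(pool)
            if first:  # keep the leading digit non-zero so the magnitude reads naturally
                d = str(int(d) % 9 + 1)
                first = False
            out.append(d)
        else:
            out.append(ch)
    return "".join(out)


def mask_row(row, pii=True, numeric=True):
    """Apply the enabled masking modes to one result row.

    Structural values (keys, dates, postal/reference codes) and ratio-style percentages stay
    as they are, so the query structure can still be validated.
    """
    masked = {}
    for col, val in row.items():
        if STRUCTURAL_COLUMN.search(col) or PERCENT_RE.match(val):
            masked[col] = val
        elif pii and PII_COLUMN.search(col):
            masked[col] = "[MASKED]"
        elif numeric and FINANCIAL_RE.match(val):
            masked[col] = mask_number(val)
        elif pii:
            masked[col] = mask_pii_text(val)
        else:
            masked[col] = val
    return masked


if __name__ == "__main__":
    for col, val in mask_row(SAMPLE_ROW).items():
        print(f"{col:12} {SAMPLE_ROW[col]!r:45} -> {val!r}")
```

Run it and compare the two columns: the key, date, postal code and percentage survive unchanged, the name and contact columns become placeholders, the note keeps its wording around the redacted spans, and the revenue keeps its "nn,nnn,nnn" shape with different digits. Because the replacement digits are keyed, pasting two masked result sets from the same session into a ticket still lets a reviewer see which rows correspond.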

Ask the LLM:

"Enable masking so query outputs are safe to share. Exclude specific tables/columns if needed."

Common safety prompts:

  • "Enable numeric masking; do not mask Date/Calendar tables."
  • "Enable PII masking; exclude customer IDs from masking only if I explicitly ask."
  • "Show me the current masking status and explain which tables or columns are explicitly excluded or forced."

Model annotations (force/exclude masking intent)

If your team wants masking intent to travel with the model itself, SemanticOps MCP also understands model annotations on tables and columns:

  • McpEngine_PiiMasking: force or exclude
  • McpEngine_NumericMasking: force or exclude

Practical use cases:

  • mark a sensitive table/column as "always mask this"
  • mark a structural/reference column as "do not mask this"

Important limits:

  • annotations do not enable masking by themselves; the matching masking toggle still has to be enabled
  • runtime preferences override annotations
  • annotations override the normal automatic masking behavior
  • exclusions win over force rules at the same or lower level
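To show how those four rules combine for a concrete column, here is an added Python resolver that encodes them; it is an illustration written for this page, not SemanticOps MCP's own precedence code. The model description, the `looks_like_pii` stand-in for automatic classification, and the `Table[Column]` keying of runtime preferences are constructed for the example. One case the rules above do not cover, a table-level exclude against a column-level force, is resolved here by assuming the more specific rule wins; that assumption is marked in the code.

```python
LEVEL_RANK = {"table": 0, "column": 1}  # higher rank = more specific


def resolve_rules(rules):
    """Combine force/exclude rules from one source (annotations or runtime preferences).

    rules is a list of (level, effect) pairs, e.g. [("table", "force"), ("column", "exclude")].
    Documented behaviour: an exclusion wins over a force at the same or a lower level.
    Assumption of this example: when the only conflict is a table-level exclude against a
    column-level force, the more specific rule (the force) wins; the page does not say.
    Returns True (mask), False (do not mask) or None (no rule from this source applies).
    """
    excludes = [LEVEL_RANK[level] for level, effect in rules if effect == "exclude"]
    forces = [LEVEL_RANK[level] for level, effect in rules if effect == "force"]
    if not excludes and not forces:
        return None
    if excludes and (not forces or max(excludes) >= max(forces)):
        return False
    return True


def resolve_masking(toggle_enabled, automatic, annotations=(), preferences=()):
    """Decide whether one column is masked for one mode (PII or numeric).

    toggle_enabled: the matching masking toggle is on
    automatic:      what automatic masking would do with no rule at all (True = mask)
    Returns (decision, reason) so the answer to "why is this column masked?" is explicit.
    """
    if not toggle_enabled:
        return False, "toggle off: annotations do not enable masking by themselves"
    verdict = resolve_rules(preferences)  # runtime preferences override annotations
    if verdict is not None:
        return verdict, "runtime preference"
    verdict = resolve_rules(annotations)  # annotations override automatic behaviour
    if verdict is not None:
        return verdict, "model annotation"
    return automatic, "automatic classification"


# Constructed model description: the Customer table is annotated force, its key column exclude;
# the Sales table carries no masking annotations. The annotation name is the one listed above.
MODEL = {
    "Customer": {
        "annotations": {"McpEngine_PiiMasking": "force"},
        "columns": {
            "CustomerKey": {"McpEngine_PiiMasking": "exclude"},
            "Email": {},
        },
    },
    "Sales": {"annotations": {}, "columns": {"Revenue": {}}},
}


def looks_like_pii(table, column):
    """Stand-in for the automatic classifier (assumption: a column-name heuristic)."""
    return any(hint in column.lower() for hint in ("email", "name", "phone"))


def masking_plan(model, annotation_key, toggle_enabled, automatic, preferences=None):
    """Resolve one masking mode for every column; preferences is keyed by 'Table[Column]'."""
    preferences = preferences or {}
    plan = {}
    for table, tdef in model.items():
        for column, cann in tdef["columns"].items():
            rules = []
            if tdef["annotations"].get(annotation_key):
                rules.append(("table", tdef["annotations"][annotation_key]))
            if cann.get(annotation_key):
                rules.append(("column", cann[annotation_key]))
            ref = f"{table}[{column}]"
            plan[ref] = resolve_masking(toggle_enabled, automatic(table, column),
                                        rules, preferences.get(ref, []))
    return plan


if __name__ == "__main__":
    plan = masking_plan(MODEL, "McpEngine_PiiMasking", True, looks_like_pii)
    for ref, (masked, why) in plan.items():
        print(f"{ref:22} {'mask' if masked else 'keep':5} ({why})")
```

With the PII toggle on, `Customer[CustomerKey]` is kept because the column-level exclusion beats the table-level force, `Customer[Email]` is masked by the table force, and `Sales[Revenue]` falls through to automatic classification. With the toggle off every column is kept regardless of annotations, and a runtime preference forcing `Customer[CustomerKey]` wins over its exclude annotation.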

Logging discipline

Online formatting (DAX and Power Query M)

Optional formatting features may send code to external services. The assistant should ask for explicit consent when enabling formatting, and your org can disable these features centrally.

Ask the LLM:

“Do not use online formatters in this environment.”

If you do want formatting:

“Format DAX for readability, but confirm whether this uses an online service before doing it.”

Practical compliance prompt:

“Assume this is a regulated environment. Don’t send code or metadata to external services; proceed without online formatting.”

Governance controls (org-managed)

Organizations can restrict and govern behavior via:

  • server mode (full/read-only/browse-only),
  • policy rules (allow/deny/require confirmation),
  • centrally deployed policy bundles (lock writes to policy configuration).

If you’re unsure what applies, ask:

“Explain what governance controls are active in this environment.”

Browse-only environments

Sharing outputs (tickets/PRs)

See also