Power BI And Row Level Security
Row-Level Security (RLS) in Power BI restricts data access at the row level based on user identity, ensuring that each user only sees the data they are authorized to view. For enterprise organizations handling sensitive financial, healthcare, or customer data, RLS is a non-negotiable security control that enables single-dataset architectures while enforcing granular access policies.
Understanding Row-Level Security Fundamentals
RLS works by applying DAX filter expressions to model tables at query time. When a user opens a report, Power BI evaluates the user's role membership and applies the corresponding filter expressions, effectively hiding rows that don't match the security predicate.
- Static RLS – Roles with hardcoded filter expressions (e.g., [Region] = "West") assigned to specific users or groups
- Dynamic RLS – Roles using DAX functions like USERPRINCIPALNAME() or USERNAME() to automatically filter data based on the logged-in user's identity
- Role definitions – Created in Power BI Desktop using the Modeling tab, roles contain one or more table filter expressions evaluated as Boolean DAX predicates
- Role assignment – After publishing to the Power BI Service, roles are assigned to Azure AD users or security groups through dataset security settings
- Filter propagation – RLS filters propagate through relationships, meaning a filter on a dimension table automatically restricts related fact table rows
Implementing Static Row-Level Security
Static RLS is the simplest implementation pattern, ideal for scenarios where user access maps to fixed data segments such as regional teams, departments, or business units.
-- Step 1: Create roles in Power BI Desktop -- Modeling > Manage Roles > New Role -- Role: "West Region" -- Table filter on DimGeography: [Region] = "West" -- Role: "East Region" -- Table filter on DimGeography: [Region] = "East" -- Role: "Finance Department" -- Table filter on DimDepartment: [Department] = "Finance"
- Create one role per access segment (region, department, business unit)
- Apply filter expressions to dimension tables and let relationship propagation handle fact tables
- After publishing, assign Azure AD security groups to each role for scalable management
- Users assigned to multiple roles receive the union of all role filters (additive, not restrictive)
Implementing Dynamic Row-Level Security
Dynamic RLS is the enterprise-preferred approach because it scales automatically as users and data change. Instead of creating dozens of static roles, a single dynamic role uses DAX to look up the current user's access permissions from a security mapping table.
-- Step 1: Create a security mapping table
-- UserSecurity table with columns:
-- UserEmail, Region, Department
-- Step 2: Create a single dynamic role
-- Role: "DynamicAccess"
-- Table filter on UserSecurity:
[UserEmail] = USERPRINCIPALNAME()
-- Step 3: Establish relationships
-- UserSecurity[Region] -> DimGeography[Region] (many-to-many)
-- OR use LOOKUPVALUE pattern:
-- Table filter on DimGeography:
[Region] IN
SELECTVALUES (
UserSecurity[Region],
UserSecurity[UserEmail] = USERPRINCIPALNAME()
)- Security mapping table – Maintain a table mapping user email addresses to their authorized data segments (regions, departments, cost centers)
- USERPRINCIPALNAME() – Returns the Azure AD UPN of the current user, enabling automatic identity-based filtering
- Manager hierarchy – Implement parent-child hierarchies in the security table to allow managers to see their direct reports' data
- Multi-segment access – Users with multiple rows in the security table automatically receive access to all their authorized segments
Testing and Validating RLS Configurations
Thorough testing is critical before deploying RLS to production. Power BI provides built-in tools for validating that security filters work correctly for every role and user combination.
- View as Role (Desktop) – In Power BI Desktop, use Modeling > View as > select a role to preview the report with that role's filters applied
- View as Role with Other User – Combine role selection with a specific UPN to test dynamic RLS for a particular user
- DAX Studio testing – Use DAX Studio to execute queries against the published dataset with specific user identity context to verify filter results
- Test matrix documentation – Create a test matrix documenting expected results for each user/role combination and validate systematically
- Performance testing – Verify that RLS filters do not degrade query performance by comparing execution times with and without RLS active
- Cross-filter validation – Ensure RLS filters propagate correctly through all relationship chains, especially in star and snowflake schemas
Enterprise RLS Architecture Patterns
Large organizations often require RLS architectures that accommodate complex security requirements such as hierarchical access, multi-tenant isolation, and compliance-driven data boundaries.
- Hierarchical RLS – Use PATH() and PATHCONTAINS() DAX functions to implement org-chart-based access where managers see their entire reporting chain
- Multi-tenant datasets – Serve multiple client organizations from a single Power BI dataset with tenant-level row isolation using dynamic RLS
- Hybrid static/dynamic – Combine static roles for broad categories (e.g., "External User") with dynamic roles for fine-grained internal access
- Object-level security (OLS) – Complement RLS with OLS to hide entire tables or columns from specific roles, preventing access to sensitive fields like salary or SSN
- Composite models – When using DirectQuery or composite models, RLS filters are pushed to the data source as WHERE clauses, requiring corresponding database-level permissions
Why Choose EPC Group for Power BI Security
EPC Group has implemented row-level security for Fortune 500 organizations across healthcare (HIPAA), financial services (SOC 2), and government (FedRAMP) — industries where unauthorized data access can result in regulatory penalties and reputational damage. With 28+ years as a Microsoft Gold Partner and 4 bestselling Microsoft Press books authored by our founder Errin O'Connor, we bring unmatched expertise in designing security architectures that protect sensitive data without sacrificing report usability.
- Compliance-driven RLS design for HIPAA, SOC 2, GDPR, and FedRAMP environments
- Dynamic RLS implementation for organizations with complex org hierarchies and multi-region access
- Performance-optimized security patterns validated against enterprise datasets with billions of rows
- Security audit and remediation services for existing Power BI deployments
Secure Your Power BI Data with Enterprise-Grade RLS
Let EPC Group's Power BI security experts design and implement row-level security that meets your compliance requirements while providing seamless user experiences.
Frequently Asked Questions
Does RLS work with Power BI Embedded?
Yes. Power BI Embedded supports RLS through the embed token API. When generating an embed token, you specify the role and identity (username) that should be applied. This is especially important for ISV scenarios where external customers access embedded reports — the application passes the customer's identity to Power BI, which applies the appropriate RLS filters before rendering the report.
Can I use RLS with DirectQuery models?
Yes. RLS works with Import, DirectQuery, and composite models. With DirectQuery, the RLS filter expressions are translated into SQL WHERE clauses and pushed to the data source at query time. This means the database user account used by the DirectQuery connection must have read access to all data, while Power BI handles the row-level filtering. For sensitive environments, consider using single sign-on (SSO) DirectQuery to pass the end-user's identity to the database.
What happens if a user is not assigned to any RLS role?
If RLS roles exist on a dataset but a user is not assigned to any role, that user cannot see any data in reports built on that dataset. They will see empty visuals with no error message. The exception is dataset owners and workspace admins who bypass RLS entirely and always see all data, which is why admin access should be tightly controlled in compliance-sensitive environments.
How do I manage RLS for thousands of users?
Use dynamic RLS with Azure AD security groups. Instead of assigning individual users to roles, assign security groups and manage membership through Azure AD. Combine this with a security mapping table in your data model that links security group identifiers or user emails to data access segments. EPC Group typically automates this using Power Automate flows that synchronize HR system data with the security mapping table on a daily schedule.
Does RLS impact report performance?
RLS can impact performance depending on the complexity of your filter expressions and data model size. Simple equality filters (e.g., [Region] = "West") have minimal impact. Complex filters with PATHCONTAINS, LOOKUPVALUE, or cross-table references add overhead. Best practices include: keeping security mapping tables small and indexed, using integer keys instead of string comparisons, avoiding nested CALCULATE in RLS expressions, and testing performance with DAX Studio before deployment.
Related Resources
Continue exploring power bi insights and services