How to Use Row Level Security in Power BI: Step-by-Step Guide
In Power BI, use
Row Level Security (RLS) to restrict data access by defining roles with filters on tables. You create roles in Power BI Desktop using DAX filter expressions, then publish the report and assign users to these roles in the Power BI Service.Syntax
Row Level Security in Power BI is defined by creating roles with DAX filter expressions that limit data rows visible to users. The main syntax involves writing a DAX filter on a table, for example:
[ColumnName] = "Value"filters rows where the column matches a value.- Use functions like
USERNAME()orUSERPRINCIPALNAME()to filter data dynamically based on the logged-in user.
These filters are applied when a user views the report, restricting data accordingly.
DAX
Role Filter Example:
[Region] = "West"
Dynamic User Filter Example:
[SalesPersonEmail] = USERPRINCIPALNAME()Example
This example shows how to create a role that restricts data to only show sales for the logged-in user based on their email.
plaintext
1. In Power BI Desktop, go to Modeling > Manage Roles. 2. Create a new role named "SalesPersonRole". 3. Select the Sales table. 4. Enter the DAX filter: [SalesPersonEmail] = USERPRINCIPALNAME() 5. Save the role. 6. Use "View as Roles" to test the role. 7. Publish the report to Power BI Service. 8. In Power BI Service, assign users to "SalesPersonRole" under dataset security settings.
Output
When a user assigned to SalesPersonRole opens the report, they see only sales rows where their email matches [SalesPersonEmail].
Common Pitfalls
- Not testing roles before publishing: Always use "View as Roles" in Power BI Desktop to verify filters work as expected.
- Incorrect DAX filter syntax: Filters must be valid DAX expressions; missing quotes or wrong column names cause errors.
- Forgetting to assign users to roles in Power BI Service: Defining roles alone does not restrict access until users are assigned.
- Using USERNAME() instead of USERPRINCIPALNAME(): USERNAME() returns domain\username which may not match your data; USERPRINCIPALNAME() returns email and is more reliable.
DAX
Wrong filter example: [SalesPersonEmail] = USERNAME() // May not match email format Correct filter example: [SalesPersonEmail] = USERPRINCIPALNAME()
Quick Reference
| Step | Action | Notes |
|---|---|---|
| 1 | Create roles in Power BI Desktop | Use Modeling > Manage Roles with DAX filters |
| 2 | Test roles with View as Roles | Verify data is filtered correctly |
| 3 | Publish report to Power BI Service | Upload your PBIX file |
| 4 | Assign users to roles in Power BI Service | Set dataset security to restrict access |
| 5 | Users view report with restricted data | Data is filtered based on assigned roles |
Key Takeaways
Define roles with DAX filters in Power BI Desktop to restrict data rows.
Use USERPRINCIPALNAME() for dynamic user-based filtering.
Always test roles using 'View as Roles' before publishing.
Assign users to roles in Power BI Service to enforce security.
Row Level Security controls data visibility without changing report design.