Power BI Row-Level Security: Data Access Control

I wrote “Power BI Row-Level Security: Data Access Control” to share practical, production-minded guidance on this topic.

Defining Roles

In Power BI Desktop, Modeling tab → Manage Roles:

// Region Manager role
// Filter: Sales table
// Matches only if Sales[Region] stores the user's sign-in name (UPN)
[Region] = USERPRINCIPALNAME()

// Or with a security table lookup
[Region] IN
SELECTCOLUMNS(
    FILTER(
        'UserRegionMapping',
        'UserRegionMapping'[UserEmail] = USERPRINCIPALNAME()
    ),
    "Region", 'UserRegionMapping'[Region]
)

Dynamic RLS Pattern

Security table approach for flexibility:

-- UserPermissions table
CREATE TABLE UserPermissions (
    UserEmail VARCHAR(256),
    Region VARCHAR(50),
    Department VARCHAR(50)
);

INSERT INTO UserPermissions VALUES
('alice@company.com', 'North', 'Sales'),
('bob@company.com', 'South', 'Sales'),
('charlie@company.com', 'ALL', 'Executive');

// DAX Filter on Sales table
VAR CurrentUser = USERPRINCIPALNAME()
VAR UserRegions =
    CALCULATETABLE(
        VALUES('UserPermissions'[Region]),
        'UserPermissions'[UserEmail] = CurrentUser
    )
RETURN
    IF(
        "ALL" IN UserRegions,
        TRUE(),
        [Region] IN UserRegions
    )
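
The filter above is only as good as the rows in the security table, so it helps to audit that table before publishing. The following is an added example, not code from the original post: a Python/SQLite model of the DAX rule that uses the post's UserPermissions schema. The `erin` row, the `SALES_REGIONS` set and the function names are constructed for illustration.

```python
import sqlite3

# Constructed sample data: the post's three rows plus one defective row.
ROWS = [
    ("alice@company.com", "North", "Sales"),
    ("bob@company.com", "South", "Sales"),
    ("charlie@company.com", "ALL", "Executive"),
    ("erin@company.com", "Nrth", "Sales"),  # typo: matches no Sales region
]
SALES_REGIONS = {"North", "South"}  # assumed distinct values of Sales[Region]


def load(rows):
    """Create the post's UserPermissions table in an in-memory database."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE UserPermissions ("
        "UserEmail VARCHAR(256), Region VARCHAR(50), Department VARCHAR(50))"
    )
    db.executemany("INSERT INTO UserPermissions VALUES (?, ?, ?)", rows)
    return db


def visible_regions(db, upn):
    """Model of the DAX rule: 'ALL' grants every region, else only mapped ones."""
    # Assumption: e-mail matching is case-insensitive, as in a default model.
    sql = "SELECT Region FROM UserPermissions WHERE UserEmail = ? COLLATE NOCASE"
    regions = {row[0] for row in db.execute(sql, (upn,))}
    return set(SALES_REGIONS) if "ALL" in regions else regions & SALES_REGIONS


def audit(db):
    """List rows that over-grant (wildcard) or silently grant nothing (typo)."""
    findings = []
    query = "SELECT UserEmail, Region FROM UserPermissions ORDER BY rowid"
    for email, region in db.execute(query):
        if region == "ALL":
            findings.append(("wildcard", email))
        elif region not in SALES_REGIONS:
            findings.append(("unknown_region", email))
    return findings


if __name__ == "__main__":
    db = load(ROWS)
    for user in ("alice@company.com", "CHARLIE@company.com", "mallory@company.com"):
        print(user, sorted(visible_regions(db, user)))
    print(audit(db))
```

A user with no row in the table gets an empty set, which mirrors the DAX filter returning no rows for unmapped users.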

Testing Roles

In Desktop: Modeling → View as Roles → Select role → Enter email to test

Publishing and Assigning

  1. Publish to Power BI Service
  2. Dataset Settings → Security
  3. Assign users/groups to roles
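
# Using Power BI REST API
# $datasetId must already hold the target dataset's ID
$body = @{
    identities = @(
        @{
            username = "alice@company.com"
            roles = @("Regional Manager")
        }
    )
}

# -Depth is required: the default depth of 2 would flatten the nested roles array
Invoke-PowerBIRestMethod -Url "datasets/$datasetId/users" -Method POST -Body ($body | ConvertTo-Json -Depth 5)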

Common Pitfalls

  1. USERPRINCIPALNAME() returns blank in Desktop - use test mode
  2. Service accounts - RLS applies to interactive users, not service principals by default
  3. Performance - Complex RLS filters can slow queries

RLS enables true multi-tenancy in Power BI, where one dataset serves many users with appropriate data isolation.

Michael John Peña

Senior Data Engineer based in Sydney. Writing about data, cloud, and technology.