Row-Level Security, or RLS, in Power BI is a technique used to restrict data access for specific users based on filters applied at the row level. Essentially, it ensures that users only see the data relevant to them when they view reports or dashboards.
In one of my previous projects for a retail client, we had multiple regional managers — North, South, East, and West — but a single Power BI report. Each manager should only see data for their region. Instead of creating separate reports, I implemented RLS.
Here’s how I approached it:
First, in Power BI Desktop, I went to the Modeling tab → Manage Roles, and created a new role called RegionalManager. Then, I applied a DAX filter on the Region column like this:
[Region] = USERPRINCIPALNAME()
However, in real scenarios, this usually requires a mapping table. So, I created a UserRegionMapping table that had the user’s email and the corresponding region. Then I used a relationship between that mapping table and the main Sales table. The filter expression was:
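// Email is the assumed name of the mapping table's user-email column
[Region] = LOOKUPVALUE(UserRegionMapping[Region], UserRegionMapping[Email], USERPRINCIPALNAME())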
This way, when a user logs into the Power BI Service, their email is matched using USERPRINCIPALNAME(), and only their region’s data is visible.
One challenge I faced was testing RLS before publishing. Power BI Desktop allows you to test roles using the View as Role feature, but it doesn’t perfectly replicate how Azure Active Directory authentication behaves in the Service. So, after publishing, I had to validate each user’s access in the Power BI Service workspace.
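A pre-publish audit of the mapping table helps with that per-user validation. The following is an added example, not code from the project described here: it checks a constructed UserRegionMapping export for entries that change what a role member can see, and computes the rows each user is expected to see so the result can be compared with View as Role and the Service. The Email column name, the sample rows, and the trim-and-lowercase comparison of emails are assumptions.

```python
from collections import defaultdict

# Constructed sample data. "Email" is an assumed column name for UserRegionMapping.
MAPPING = [
    {"Email": "north.mgr@example.com", "Region": "North"},
    {"Email": "south.mgr@example.com", "Region": "South"},
    {"Email": "east.mgr@example.com", "Region": "East"},
    {"Email": "East.Mgr@example.com ", "Region": "West"},  # same user, second region
    {"Email": "temp.mgr@example.com", "Region": "Nroth"},  # typo: matches no Sales row
]
SALES = [{"Region": r, "Amount": a} for r, a in
         [("North", 120), ("South", 80), ("East", 95), ("West", 60), ("Central", 40)]]


def norm(upn):
    """Normalize an email for comparison (trim + lowercase, an assumption here)."""
    return upn.strip().lower()


def regions_by_user(mapping):
    """Group the distinct regions assigned to each normalized email."""
    grouped = defaultdict(set)
    for row in mapping:
        grouped[norm(row["Email"])].add(row["Region"])
    return grouped


def audit(mapping, sales):
    """Return the mapping problems that affect what role members can see."""
    grouped = regions_by_user(mapping)
    mapped = set().union(*grouped.values())
    in_sales = {row["Region"] for row in sales}
    return {
        # Several regions for one user: a single-value lookup cannot resolve this.
        "multi_region_users": sorted(u for u, r in grouped.items() if len(r) > 1),
        # Region values that match no Sales row: that user gets an empty report.
        "unknown_regions": sorted(mapped - in_sales),
        # Sales regions with no mapped user: no role member can see those rows.
        "unowned_regions": sorted(in_sales - mapped),
    }


def expected_rows(mapping, sales, upn):
    """Rows the mapping says this user should see; compare with the Service."""
    allowed = regions_by_user(mapping).get(norm(upn), set())
    return [row for row in sales if row["Region"] in allowed]
```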
A limitation is that RLS applies only to imported and DirectQuery datasets, not to reports using live connections to some external Analysis Services models — in those cases, RLS has to be defined at the source level.
As an alternative, for larger enterprises where access rules are more complex or hierarchical, I sometimes recommend using Dynamic RLS with user-attribute tables stored in a data warehouse. This approach scales better and makes maintenance easier when user roles or departments frequently change.
