Row Level Security (RLS) lets you control which rows of data each user sees when they open a Power BI report — without building separate reports for every team or region.
Your North region manager sees North data. Your South manager sees South data. Your CEO sees everything. One report, automatic filtering, zero manual maintenance.
There are two types of RLS:
| Type | How it works | Best for |
|---|---|---|
| Static RLS | Hardcoded DAX filter per role | Small, fixed teams |
| Dynamic RLS | Filters by the logged-in user’s email | Large or changing teams |
Part 1 — Static RLS
Step 1: Create a Role
In Power BI Desktop, go to Modeling → Manage Roles → Create. Name your role — for example, North Region.
Step 2: Add a DAX Filter
Select your table (e.g. Sales) and enter a filter expression:
[Region] = "North"
Anyone assigned to this role will only see rows where Region equals “North”. Repeat for each region you need.
Step 3: Test It
Click Modeling → View as, select your role, and confirm the report shows only the expected data. Click Stop viewing when done.
Part 2 — Dynamic RLS
Static RLS breaks down when you have many users. Creating 50 roles for 50 salespeople is impractical. Dynamic RLS handles this automatically using the logged-in user’s email address.
Step 1: Create a Security Mapping Table
Build a table that maps each user’s email to what they can see:
| Region | |
|---|---|
| alice@company.com | North |
| bob@company.com | South |
| carol@company.com | East |
Import this into Power BI. Call it UserSecurity.
Step 2: Create the Relationship
In Model view, connect UserSecurity[Region] to Sales[Region] with a single-direction filter flowing from UserSecurity to Sales.
Step 3: Create the Dynamic Role
Go to Manage Roles → Create. Select the UserSecurity table and add this filter:
[Email] = USERPRINCIPALNAME()
This filters the security table to the logged-in user’s email, which automatically filters the related Sales table to only their allowed data.
Step 4: Test with a Specific User
Click View as → check “Other user” and enter a test email (e.g. alice@company.com). Confirm she only sees North region data.
Assigning Users in Power BI Service
Creating roles in Desktop is only half the job. You still need to assign real users in the Service.
- Open your workspace in app.powerbi.com
- Find your dataset → click the three dots ⋯ → Security
- Click a role name, type an email address, and click Add
- Click Test as role to verify it works live
For Dynamic RLS, add all users to the single dynamic role — the DAX expression handles the rest automatically.
Key Rules to Remember
Use USERPRINCIPALNAME() not USERNAME() — in Power BI Service, USERPRINCIPALNAME() returns the user’s email. USERNAME() returns a domain\username format that only works on-premises.
Always test before going live — use “View as” in Desktop and “Test as role” in the Service. Test edge cases: users with no matching row, users in multiple regions.
Keep your security table up to date — if you’re using Dynamic RLS, your mapping table needs to stay current. Host it in SharePoint or SQL so it can be updated without republishing the report.
RLS isn’t your only security layer — it secures the data within a report, but you still need to control who has access to the workspace and dataset itself.
Summary
| Step | What to do |
|---|---|
| 1 | Choose Static or Dynamic based on your team size |
| 2 | Create roles in Modeling → Manage Roles |
| 3 | Write DAX filter expressions |
| 4 | Test with “View as” in Desktop |
| 5 | Publish to Power BI Service |
| 6 | Assign users to roles in Dataset → Security |
| 7 | Verify with “Test as role” |
RLS is a must-have for any Power BI report shared across teams. Once you’ve set it up once, it becomes second nature.
Need help setting up RLS in your organisation? Book a free consultation with the Nova Analytics team.