Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

The Power BI Data Visualization World Championships is back! It's time to submit your entry. Live now!

Reply
rask
Frequent Visitor

Advanced RLS: Need to Bypass RLS for Single Report on Semantic Model with 20+ Existing Roles

‎09-09-2025 06:34 AM

GoalI need to allow a users to bypass all Row-Level Security (RLS) rules only when they are viewing a specific report. All existing RLS must remain fully enforced for the users when they are using any other report. All reports connect to a single semantic model

 

Description of the Current Architecture:

  • We have one central semantic model (dataset) published to the Power BI Service.

  • This model has over 20 distinct RLS roles. Users are often members of multiple roles.

  • Numerous reports are built on this single model, each inheriting its RLS rules.                                  

 

The Specific Challenge & What I've Tried:
The core problem is that RLS is applied at the dataset level, not the report level. I understand that a user who is a member of any role granting access to a row can see that row. This means simply adding a privileged user to a new bypass role would break their existing departmental restrictions across all reports, which is unacceptable. I have already investigated and ruled out the following:

  • TREAT AS/ CROSSFILTER in DAX measures: These cannot override filters applied by RLS, as RLS is applied before DAX calculations.

  • Creating a duplicate table in the model: This works technically but is not a feasible solution as it bloats the model and creates a maintenance nightmare.

  • Building a separate, unfiltered dataset: This is my last option. I am seeking a solution within the same semantic model for maintainability before pursuing this architectural split

Thank you for taking the time to read this. Any insights or alternative approaches would be appreciated.

Labels:
Message 1 of 9
611 Views
0
2 ACCEPTED SOLUTIONS
danextian
Super User
Super User

‎09-09-2025 11:33 PM

Hi @rask 

 

RLS is applied at the semantic model level so it isn't aware but report it is currently being used in. I've tried bypassing it by creating a disconnected table with a column containing values whether it is bypass rls or not and a condition to RLS. This didnt work.

IF (
    [Bypass?] = "Yes",
    TRUE (),
    [Email] = [current user] --replace with USERPRINCIPALNAME()
)

 Overwriting the fillter direction using CROSSFILTER didnt work as well.

 

Your alternative, if you want  to maintain "a" semantic model, is to disable RLS and apply the filter directly using measures.

Sales - pseudo-bypassed = 
VAR _bypass = SELECTEDVALUE ( Bypass[Bypass], "no" ) -- default to no
VAR _currentUser = [current user]
RETURN
    IF (
        _bypass = "yes",
        [Sales],
        CALCULATE ( [Sales], KEEPFILTERS ( Employee[Email] = _currentUser ) )
    )

danextian_0-1757485942689.gif

Ensure to hide the filter pane.

 

Please see the attached pbix. 





Dane Belarmino | Microsoft MVP | Proud to be a Super User!

Did I answer your question? Mark my post as a solution!


"Tell me and I’ll forget; show me and I may remember; involve me and I’ll understand."
Need Power BI consultation, get in touch with me on LinkedIn or hire me on UpWork.
Learn with me on YouTube @DAXJutsu or follow my page on Facebook @DAXJutsuPBI.

View solution in original post

bypass RLS.pbix
Message 5 of 9
494 Views
0
V-yubandi-msft
Community Support
Community Support

‎09-10-2025 03:31 AM

Hi @rask ,

Thank you for engaging with the Microsoft Fabric Community. In addition to the explanation above, I’ve also attached an official Microsoft article for your reference: Row-level security (RLS) with Power BI - Microsoft Fabric | Microsoft Learn

 

This document outlines how RLS works, its current limitations, and why it’s enforced at the semantic model level rather than the report level. It also clarifies why techniques like TREAT AS/ CROSSFILTER, or disconnected tables can’t override the RLS context.

 

Thankf for your response @danextian .

 

Hope this helps.

 

Regards,
Yugandhar

View solution in original post

Message 6 of 9
473 Views
0
8 REPLIES 8
V-yubandi-msft
Community Support
Community Support

‎09-19-2025 11:36 AM

Hi @rask ,
Could you let us know if your issue has been resolved or if you are still experiencing difficulties? Your feedback is valuable to the community and can help others facing similar problems.

Message 9 of 9
338 Views
0
V-yubandi-msft
Community Support
Community Support

‎09-16-2025 05:33 AM

Hi @rask ,
I wanted to follow up to see if your issue has been resolved or if you still need any assistance. If you need more information, feel free to let me know.

Thank you.

Message 8 of 9
355 Views
0
V-yubandi-msft
Community Support
Community Support

‎09-13-2025 03:15 AM

Hi @rask ,
Could you please confirm whether the issue has been resolved or if further assistance is needed? Your input is valuable and helps us improve support for similar cases.

Message 7 of 9
414 Views
0
V-yubandi-msft
Community Support
Community Support

‎09-10-2025 03:31 AM

Hi @rask ,

Thank you for engaging with the Microsoft Fabric Community. In addition to the explanation above, I’ve also attached an official Microsoft article for your reference: Row-level security (RLS) with Power BI - Microsoft Fabric | Microsoft Learn

 

This document outlines how RLS works, its current limitations, and why it’s enforced at the semantic model level rather than the report level. It also clarifies why techniques like TREAT AS/ CROSSFILTER, or disconnected tables can’t override the RLS context.

 

Thankf for your response @danextian .

 

Hope this helps.

 

Regards,
Yugandhar

Message 6 of 9
474 Views
0
danextian
Super User
Super User

‎09-09-2025 11:33 PM

Hi @rask 

 

RLS is applied at the semantic model level so it isn't aware but report it is currently being used in. I've tried bypassing it by creating a disconnected table with a column containing values whether it is bypass rls or not and a condition to RLS. This didnt work.

IF (
    [Bypass?] = "Yes",
    TRUE (),
    [Email] = [current user] --replace with USERPRINCIPALNAME()
)

 Overwriting the fillter direction using CROSSFILTER didnt work as well.

 

Your alternative, if you want  to maintain "a" semantic model, is to disable RLS and apply the filter directly using measures.

Sales - pseudo-bypassed = 
VAR _bypass = SELECTEDVALUE ( Bypass[Bypass], "no" ) -- default to no
VAR _currentUser = [current user]
RETURN
    IF (
        _bypass = "yes",
        [Sales],
        CALCULATE ( [Sales], KEEPFILTERS ( Employee[Email] = _currentUser ) )
    )

danextian_0-1757485942689.gif

Ensure to hide the filter pane.

 

Please see the attached pbix. 





Dane Belarmino | Microsoft MVP | Proud to be a Super User!

Did I answer your question? Mark my post as a solution!


"Tell me and I’ll forget; show me and I may remember; involve me and I’ll understand."
Need Power BI consultation, get in touch with me on LinkedIn or hire me on UpWork.
Learn with me on YouTube @DAXJutsu or follow my page on Facebook @DAXJutsuPBI.
bypass RLS.pbix
Message 5 of 9
495 Views
0
raji_n
Resolver II
Resolver II

‎09-09-2025 06:43 AM

Can you create a workspace with the specific report which should have all access and publish it with contributor privilege? But share the report via app?

Let me know if this helps 

Regards,

Rajashri N

Message 2 of 9
595 Views
0
danextian
Super User
Super User
In response to raji_n

‎09-09-2025 09:51 PM

If the report is connected to the same semantic model, the users won't still be able to bypass RLS even if they're given a higher role in the workspace a copy of the report is published in.





Dane Belarmino | Microsoft MVP | Proud to be a Super User!

Did I answer your question? Mark my post as a solution!


"Tell me and I’ll forget; show me and I may remember; involve me and I’ll understand."
Need Power BI consultation, get in touch with me on LinkedIn or hire me on UpWork.
Learn with me on YouTube @DAXJutsu or follow my page on Facebook @DAXJutsuPBI.
Message 3 of 9
502 Views
0
raji_n
Resolver II
Resolver II
In response to danextian

‎09-10-2025 08:21 AM

I stand corrected, thanks 🙂

Message 4 of 9
456 Views
0

Helpful resources

Announcements
December 2025 Power BI Update Carousel

Power BI Monthly Update - December 2025

Check out the December 2025 Power BI Holiday Recap!

FabCon Atlanta 2026 carousel

FabCon Atlanta 2026

Join us at FabCon Atlanta, March 16-20, for the ultimate Fabric, Power BI, AI and SQL community-led event. Save $200 with code FABCOMM.

View All