Business Requirement
We need to implement dynamic row-level security in Power BI where the logged-in user can switch between different allowed roles using a slicer on the report page:
SuperUser → should see all data
CompanyHR → should see only companies assigned to them
Self (default) → see only their own record
A user may hold multiple roles (e.g., SuperUser + CompanyHR), and the slicer should determine which role is active for the current view.
The actual underlying row-level access permissions come from a RoleMapping table stored in the data model.
This design was chosen because different roles need different views within the same report, and we cannot publish multiple copies of the report.
Data Model Architecture
We are using a star-schema model:
├── UserLoaInfo (Fact)
├── UserPersonalInfo (Fact)
└── TimeKey (Fact)
RoleMapping is a separate security table containing:
Email
Role (SuperUser, CompanyHR)
Company_Code
Employee_ID
There is no “Self” role stored; “Self” is simply the logged-in user's own row.
Relationships:
IhubData → Fact tables (1-to-many)
No relationship between RoleMapping and fact tables
RLS Requirement
We defined RLS on IhubData using logic:
If role = SuperUser → full access
If role = CompanyHR → IhubData rows where Company Code ∈ allowed companies
If role = Self → IhubData row where WorkEmail = USERPRINCIPALNAME()
Role selection is expected to come from a disconnected RoleSelector slicer, so users can switch roles at runtime.
What We Have Concluded So Far
After extensive debugging, it appears that:
Slicer selections are not available to the RLS engine
Slicers operate in visual filter context,
while RLS is evaluated earlier at model security context,before any slicer filters exist.
Therefore:
RLS logic cannot switch based on slicer choices
User cannot dynamically change their RLS role via slicer
This prevents implementing a dynamic role-switcher using slicers, even though all underlying RoleMapping logic is valid.
What We Need Clarification From Microsoft
1. Is it expected behavior that slicer selections do NOT reach RLS evaluation context?
2. Is there any supported method to allow a user to switch between multiple allowed RLS roles at runtime?
(e.g., SuperUser vs. CompanyHR)
3. If this is a product limitation, what workaround does Microsoft recommend for providing role-switching capabilities inside a single report?
We want to confirm whether:
This is expected behavior
A limitation
A bug
Or if there is a supported pattern to achieve our requirement
Related Info:
Slicer Table (Disconnnected)
RoleMapping Table
Final RLS Code (Applied on IhubData)
VAR LoggedUser =
TRIM( UPPER( USERPRINCIPALNAME() ) )
VAR SelectedRole =
SELECTEDVALUE( RoleSelector[SlicerRole], "CompanyHR" )
VAR AllowedCompanies =
SELECTCOLUMNS(
CALCULATETABLE(
VALUES( RoleMapping[Company_Code] ),
TRIM( UPPER( RoleMapping[Email] ) ) = LoggedUser &&
RoleMapping[Role] = "CompanyHR"
),
"C", TRIM( UPPER( [Company_Code] ) )
)
VAR RowCompany =
TRIM( UPPER( FORMAT( IhubData[Company Code], "" ) ) )
VAR RowEmail =
TRIM( UPPER( IhubData[Work EmailAddress] ) )
RETURN
SWITCH(
TRUE(),
SelectedRole = "SuperUser", TRUE(),
SelectedRole = "CompanyHR", RowCompany IN AllowedCompanies,
RowEmail = LoggedUser
)
Expected Behavior
When “SuperUser” is selected → all rows visible (If the user is SuperUser in RoleMapping Table)
When “CompanyHR” is selected → rows filtered by RoleMapping (If the user is CompanyHR in RoleMapping Table)
When nothing selected → default to CompanyHR
Summary
We want users to be able to:
Have multiple roles assigned (e.g., SuperUser + CompanyHR)
Switch between those roles using a slicer
Apply RLS based on the active slicer role
But slicer-based role switching does not work because RLS does not detect the slicer selection.
*** We need Microsoft’s guidance on whether this approach is supported or not, and if not, the recommended method to implement multi-role switching in a single Power BI report.
One workaround I can suggest—if you are okay with maintaining multiple semantic models and reports—is to create three different reports and datasets, with one RLS rule applied per dataset:
-
Super User
-
Company HR
-
Self
Publish them to a workspace and add users to the appropriate security roles. Include all three datasets and reports in a workspace app. Using the workspace audience feature, you can restrict access to each report for specific audience groups.
-
Super Users should be added to all three reports.
-
Company HR users should be added to the Company HR and Self reports.
-
All remaining users should be added only to the Self report.
This way, Super Users can switch between roles by switching between reports using the app’s navigation panel. Other users can follow the same pattern based on the access assigned to their role.
Connect on LinkedIn
|
Hi @PrasadIngare ,
The RLS allows you to filter out information at row level, meaning that the information presented at the report is only concerning the rows you have, so in this case when you refer that RLS does not impact slicers, this is not entirely true because the slicer will show the values that are available in RLS.
In this case if you have a user that can see all of the rows, but then you want to change the RLS to show only specific lines, the RLS will be applied depending on the DAX that you implement, in your case you are using a SWITCH that first of all has the SUPERUSER so all rows so the slicer will present all rows.
I believe that what you need here is a mix between your RLS to get the correct filter based on the RoleMapping table and some Calculations groups that will allow you to have a change of context of your calculations based on the role select.
Basically you would filter your Calculation group based on the RLS that the user would have and then on the slicer selection on the Calculation group you could show only all the values, only specifc companies or only specifc user.
Your information is preety detail to get a working demo on my side can you please share a mockup data or sample of your PBIX file. You can use a onedrive, google drive, we transfer or similar link to upload your files.
If the information is sensitive please share it trough private message.
Regards
Miguel Félix
Did I answer your question? Mark my post as a solution!
Proud to be a Super User!
Check out my blog: Power BI em PortuguêsHi @PrasadIngare ,
I have made a mockup with a simple fact table and setup the following way:
- RLS on RoleMapping Table to ge the information about company and users role
- Create a Calculation group of each of the roles:
SuperUser = SELECTEDMEASURE()
CompanyHR = CALCULATE( SELECTEDMEASURE(), Companies[Company] in VALUES(RoleMapping[Company_Code]))
Self = CALCULATE( SELECTEDMEASURE(), 'Fact'[EmployeeID] in VALUES(RoleMapping[Employee_lD]))This may need some adjustment based on your dimensions and also your measures.
The I added the following measure to filter the role:
Role Filter =
IF("Self" in VALUES('Calculation group'[Calculation group column]), 1 ,
COUNTROWS(FILTER('Calculation group', 'Calculation group'[Calculation group column] in VALUES(RoleMapping[Role]))))Be aware you also need to add in the Role mapping table the users that are with USER access only but on that part you do not need to add the companies this is just for the filter to work properly.
Also setup the Role Slicer has a single selection and on Self has default value.
Regards
Miguel Félix
Did I answer your question? Mark my post as a solution!
Proud to be a Super User!
Check out my blog: Power BI em Português
Helpful resources
Power BI Monthly Update - November 2025
Check out the November 2025 Power BI update to learn about new features.
Fabric Data Days
Advance your Data & AI career with 50 days of live learning, contests, hands-on challenges, study groups & certifications and more!
FabCon Atlanta 2026
Join us at FabCon Atlanta, March 16-20, for the ultimate Fabric, Power BI, AI and SQL community-led event. Save $200 with code FABCOMM.
