Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

View all the Fabric Data Days sessions on demand. View schedule

Reply
PrasadIngare
Regular Visitor

Dynamic RLS + Slicer Role Switching Issue

Friday

Business Requirement

We need to implement dynamic row-level security in Power BI where the logged-in user can switch between different allowed roles using a slicer on the report page:

  • SuperUser → should see all data

  • CompanyHR → should see only companies assigned to them

  • Self (default) → see only their own record

A user may hold multiple roles (e.g., SuperUser + CompanyHR), and the slicer should determine which role is active for the current view.

The actual underlying row-level access permissions come from a RoleMapping table stored in the data model.

This design was chosen because different roles need different views within the same report, and we cannot publish multiple copies of the report.

 

Data Model Architecture

We are using a star-schema model:

 

IhubData (Employee dimension table)
├── UserLoaInfo (Fact)
├── UserPersonalInfo (Fact)
└── TimeKey (Fact)

RoleMapping is a separate security table containing:

  • Email

  • Role (SuperUser, CompanyHR)

  • Company_Code

  • Employee_ID

There is no “Self” role stored; “Self” is simply the logged-in user's own row.

Relationships:

  • IhubData → Fact tables (1-to-many)

  • No relationship between RoleMapping and fact tables

RLS Requirement

We defined RLS on IhubData using logic:

  • If role = SuperUser → full access

  • If role = CompanyHR → IhubData rows where Company Code ∈ allowed companies

  • If role = Self → IhubData row where WorkEmail = USERPRINCIPALNAME()

Role selection is expected to come from a disconnected RoleSelector slicer, so users can switch roles at runtime.

What We Have Concluded So Far

After extensive debugging, it appears that:
Slicer selections are not available to the RLS engine

Slicers operate in visual filter context,
while RLS is evaluated earlier at model security context,before any slicer filters exist.


Therefore:

  • RLS logic cannot switch based on slicer choices

  • User cannot dynamically change their RLS role via slicer

This prevents implementing a dynamic role-switcher using slicers, even though all underlying RoleMapping logic is valid.

What We Need Clarification From Microsoft

1. Is it expected behavior that slicer selections do NOT reach RLS evaluation context?

2. Is there any supported method to allow a user to switch between multiple allowed RLS roles at runtime?

(e.g., SuperUser vs. CompanyHR)

3. If this is a product limitation, what workaround does Microsoft recommend for providing role-switching capabilities inside a single report?

We want to confirm whether:

  • This is expected behavior

  • A limitation

  • A bug

  • Or if there is a supported pattern to achieve our requirement

 

 

Related Info:

Slicer Table (Disconnnected)

PrasadIngare_2-1765001862732.png


RoleMapping Table

PrasadIngare_3-1765001906476.png


Final RLS Code (Applied on IhubData)

VAR LoggedUser =
    TRIM( UPPER( USERPRINCIPALNAME() ) )

VAR SelectedRole =
    SELECTEDVALUE( RoleSelector[SlicerRole], "CompanyHR" )

VAR AllowedCompanies =
    SELECTCOLUMNS(
        CALCULATETABLE(
            VALUES( RoleMapping[Company_Code] ),
            TRIM( UPPER( RoleMapping[Email] ) ) = LoggedUser &&
            RoleMapping[Role] = "CompanyHR"
        ),
        "C", TRIM( UPPER( [Company_Code] ) )
    )

VAR RowCompany =
    TRIM( UPPER( FORMAT( IhubData[Company Code], "" ) ) )

VAR RowEmail =
    TRIM( UPPER( IhubData[Work EmailAddress] ) )

RETURN
SWITCH(
    TRUE(),
    SelectedRole = "SuperUser", TRUE(),
    SelectedRole = "CompanyHR", RowCompany IN AllowedCompanies,
    RowEmail = LoggedUser
)

 

Expected Behavior

  • When “SuperUser” is selected → all rows visible (If the user is SuperUser in RoleMapping Table)

  • When “CompanyHR” is selected → rows filtered by RoleMapping  (If the user is CompanyHR in RoleMapping Table)

  • When nothing selected → default to CompanyHR

Summary

We want users to be able to:

  1. Have multiple roles assigned (e.g., SuperUser + CompanyHR)

  2. Switch between those roles using a slicer

  3. Apply RLS based on the active slicer role

But slicer-based role switching does not work because RLS does not detect the slicer selection.


*** We need Microsoft’s guidance on whether this approach is supported or not, and if not, the recommended method to implement multi-role switching in a single Power BI report.

Labels:
Message 1 of 3
207 Views
0
2 REPLIES 2
tharunkumarRTK
Super User
Super User

Saturday

@PrasadIngare 

One workaround I can suggest—if you are okay with maintaining multiple semantic models and reports—is to create three different reports and datasets, with one RLS rule applied per dataset:

  1. Super User

  2. Company HR

  3. Self

Publish them to a workspace and add users to the appropriate security roles. Include all three datasets and reports in a workspace app. Using the workspace audience feature, you can restrict access to each report for specific audience groups.

  • Super Users should be added to all three reports.

  • Company HR users should be added to the Company HR and Self reports.

  • All remaining users should be added only to the Self report.

This way, Super Users can switch between roles by switching between reports using the app’s navigation panel. Other users can follow the same pattern based on the access assigned to their role.

 

 

 

 

Connect on LinkedIn

 

 

 








Did I answer your question? Mark my post as a solution!
If I helped you, click on the Thumbs Up to give Kudos.

Proud to be a Super User!
PBI_SuperUser_Rank@2x.png

 

Message 3 of 3
101 Views
0
MFelix
Super User
Super User

Saturday

Hi @PrasadIngare ,

 

The RLS allows you to filter out information at row level, meaning that the information presented at the report is only concerning the rows you have, so in this case when you refer that RLS does not impact slicers, this is not entirely true because the slicer will show the values that are available in RLS.

 

In this case if you have a user that can see all of the rows, but then you want to change the RLS to show only specific lines, the RLS will be applied depending on the DAX that you implement, in your case you are using a SWITCH that first of all has the SUPERUSER so all rows so the slicer will present all rows.

 

I believe that what you need here is a mix between your RLS to get the correct filter based on  the RoleMapping table and some Calculations groups that will allow you to have a change of context of your calculations based on the role select.

 

Basically you would filter your Calculation group based on the RLS that the user would have and then on the slicer selection on the Calculation group you could show only all the values, only specifc companies or only specifc user.

 

Your information is preety detail to get a working demo on my side can you please share a mockup data or sample of your PBIX file. You can use a onedrive, google drive, we transfer or similar link to upload your files.

If the information is sensitive please share it trough private message.


Regards

Miguel Félix


Did I answer your question? Mark my post as a solution!

Proud to be a Super User!

Check out my blog: Power BI em Português



Message 2 of 3
144 Views
0

Helpful resources

Announcements
November Power BI Update Carousel

Power BI Monthly Update - November 2025

Check out the November 2025 Power BI update to learn about new features.

Fabric Data Days Carousel

Fabric Data Days

Advance your Data & AI career with 50 days of live learning, contests, hands-on challenges, study groups & certifications and more!

FabCon Atlanta 2026 carousel

FabCon Atlanta 2026

Join us at FabCon Atlanta, March 16-20, for the ultimate Fabric, Power BI, AI and SQL community-led event. Save $200 with code FABCOMM.

View All
Top Solution Authors
View All
Top Kudoed Authors
View All