Hi @prajwala ,

To implement RLS with data masking in Power BI, ensuring that users who are not part of a specific AD group (like Management Cost AD group) see masked or hidden cost-related information, you can achieve this by creating dynamic RLS roles using Tabular Editor and DAX expressions. Here's how you can implement it step by step:

1. Create RLS Role Using Tabular Editor
   
   1. Open your Power BI model in Tabular Editor.
   2. Go to the Roles section in the left-hand pane.
   3. Create or modify a role, such as Mask_Cost_Data.
   4. Add the DAX filter condition to check if a user is part of the Management Cost AD group.
2. Use USERNAME() or USERPRINCIPALNAME()
   The key here is leveraging USERNAME() or USERPRINCIPALNAME() to dynamically evaluate the current user's membership.
   

   Dynamic Masking Logic:
   If the user is not part of the Management Cost AD group, show masked data (e.g., zero, null, or "Restricted"). Otherwise, show the actual cost data.
   
   Example DAX Expression for Cost Columns:
   You can write this as a calculated column or modify a measure in Tabular Editor:

   MaskedCost = 
   IF (
   ISFILTERED ( 'UserADGroup'[GroupName] ) && 
   CONTAINS ( 'UserADGroup', 'UserADGroup'[GroupName], "Management Cost AD" ),
   [Cost],
   "Restricted"
   )

   Example DAX Expression for Cost Columns:
   Steps:

   1. Assume you have a table or data source with user groups linked to users. This can be imported or queried dynamically.

      • Table: 'UserADGroup' with columns:

        • [UserEmail] or [UserName] (matches USERPRINCIPALNAME()).

        • [GroupName] (contains the group names such as "Management Cost AD").

   2. Join this table to your main fact table where costs are stored.
      
      

3. Mask Data for Unauthorized Users
   Now, use the above logic within a measure instead of a column for flexibility. Modify your cost measure:

   Masked_Cost_Measure =
   VAR UserInGroup = 
   LOOKUPVALUE ( 'UserADGroup'[GroupName], 'UserADGroup'[UserEmail], USERPRINCIPALNAME() )
   RETURN
   IF ( UserInGroup = "Management Cost AD", SUM ( 'FactTable'[Cost] ), BLANK () )

   Explanation:

   • LOOKUPVALUE checks if the current user's email belongs to the Management Cost AD group.

   • If the user is part of the group, the measure shows the actual cost.

   • If not, it returns BLANK() or any masked value (e.g., "Restricted" or 0).

4. Define RLS Role for User Groups
   
   1. In Tabular Editor:
      
      • Create an RLS filter on your 'UserADGroup' table:

        'UserADGroup'[UserEmail] = USERPRINCIPALNAME()

        This ensures that users only see their respective group data.
   2. Apply this role to the model.
5. Test RLS in Power BI
   
   1. After saving changes in Tabular Editor, load the model into Power BI.
   2. Use the "View as Roles" feature to simulate different users or groups:
      
      • Test with a user who belongs to "Management Cost AD" group.
      • Test with a user who does not belong to the group.
   3. Verify that unauthorized users see masked or restricted data while authorized users see actual costs.

I hope the provided solution works for you

If I have resolved your question, please consider marking my post as a solution. Thank you!
A kudos is always appreciated—it helps acknowledge the effort and keeps the community thriving.