Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Level up your Power BI skills this month - build one visual each week and tell better stories with data! Get started

Reply
lherbert501
Post Prodigy
Post Prodigy

RLS Override

‎04-17-2026 08:57 AM

Hi,

 

I have been using the PATHCONTAINS and USERPRINCIPAL model for user and manager hierarchy which works great for RLS, similar to the link below but the user and manager id's set up against each other

 

power bi rls hierarchy - Google Search

 

My question is, is there a way to overide this function in place that's working perfectly? I have some scenarios where I will need to enable a user to see all upon request, and didn't know if there was something I could do or put in place.

 

Thanks

 

 

Labels:
Message 1 of 5
433 Views
2 ACCEPTED SOLUTIONS
Zanqueta
Super User
Super User

‎04-17-2026 09:43 AM

Hi,  you are already using the correct and recommended pattern for hierarchical Row-Level Security (RLS) in Power BI with PATHCONTAINS() and USERPRINCIPALNAME(). There is no need to replace or disable this logic in order to allow specific users to see all data.
What can work in this case is to add an override condition to the existing RLS rule, while keeping the current hierarchy behaviour unchanged for all other users. You can extend the existing rule by adding a condition that returns full access for specific users.
This approach is suitable when:

Only a small number of users require full access
The requirement is occasional or temporary

However, this solution does not scale well and requires manual updates to the DAX.

 

My suggestion is to create a small security table containing users who should bypass RLS (for example, executives).
The RLS logic then checks whether the current user exists in this table. If so, all rows are visible; otherwise, the hierarchy-based rule applies

 

VAR IsSuperUser =
    USERPRINCIPALNAME()
        IN VALUES ( RLS_Override[Email] )

 

RETURN
IF (
    IsSuperUser,
    TRUE(),
    PATHCONTAINS ( 'Employee'[Path], USERPRINCIPALNAME() )
)

 

Also, you can check this solved topic : Solved: Re: Override RLS - Microsoft Fabric Community

 

 

 

If this response was helpful in any way, I’d gladly accept a kudo.
Please mark it as the correct solution. It helps other community members find their way faster.
Connect with me on LinkedIn

View solution in original post

Message 2 of 5
415 Views
Ritaf1983
Super User
Super User

‎04-18-2026 01:30 AM

Hi @lherbert501 

Yes, the overall approach is valid.

If you want certain users to occasionally see all data, the usual solution is not to bypass RLS from the report, but to extend the existing RLS design so it supports approved exceptions.

A small override table can work well for that. The idea is:
if the current user appears in the override table, return full access;
otherwise apply the normal hierarchy-based rule.

The main thing to watch is that the value checked in PATHCONTAINS must match the value stored in the path. For example, if your path is built from employee IDs or manager IDs, then checking USERPRINCIPALNAME() directly in PATHCONTAINS will not be enough on its own. In that case, you would need a proper mapping between the user login and the employee key used in the hierarchy.

Also, returning TRUE() in the RLS rule does not “disable RLS everywhere” by itself. It simply means that this table is not being filtered for that user, so it only works as expected if the model relationships propagate the filter correctly.

So yes, the override-table pattern is a reasonable option, but the exact DAX depends on how your hierarchy path is built and how the user identity is mapped in the model.

If the number of exception users is small and changes rarely, this can be a practical solution. If access changes often, managing it through a security table or group-based process is usually more maintainable.
If this post helps, then please consider Accepting it as the solution to help the other members find it more quickly

Regards,
Rita Fainshtein | Microsoft MVP
https://www.linkedin.com/in/rita-fainshtein/
Blog : https://www.madeiradata.com/profile/ritaf/profile

View solution in original post

Message 3 of 5
350 Views
4 REPLIES 4
v-hashadapu
Community Support
Community Support

‎04-21-2026 04:56 AM

Hi @lherbert501 , Thank you for reaching out to the Microsoft Community Forum.

 

We find the answers shared by @Ritaf1983  & @Zanqueta are correct. Can you please confirm if the solution worked for you. It will help others with similar issues find the answer easily.

 

Thank you @Ritaf1983 & @Zanqueta  for your valuable responses.

Message 4 of 5
174 Views
0
lherbert501
Post Prodigy
Post Prodigy
In response to v-hashadapu

‎04-22-2026 03:16 AM

Hi @v-hashadapu 

 

Yes thankyou @Ritaf1983 and @Zanqueta both for your responses.

 

Both very helpful

 

Thanks

Message 5 of 5
152 Views
Ritaf1983
Super User
Super User

‎04-18-2026 01:30 AM

Hi @lherbert501 

Yes, the overall approach is valid.

If you want certain users to occasionally see all data, the usual solution is not to bypass RLS from the report, but to extend the existing RLS design so it supports approved exceptions.

A small override table can work well for that. The idea is:
if the current user appears in the override table, return full access;
otherwise apply the normal hierarchy-based rule.

The main thing to watch is that the value checked in PATHCONTAINS must match the value stored in the path. For example, if your path is built from employee IDs or manager IDs, then checking USERPRINCIPALNAME() directly in PATHCONTAINS will not be enough on its own. In that case, you would need a proper mapping between the user login and the employee key used in the hierarchy.

Also, returning TRUE() in the RLS rule does not “disable RLS everywhere” by itself. It simply means that this table is not being filtered for that user, so it only works as expected if the model relationships propagate the filter correctly.

So yes, the override-table pattern is a reasonable option, but the exact DAX depends on how your hierarchy path is built and how the user identity is mapped in the model.

If the number of exception users is small and changes rarely, this can be a practical solution. If access changes often, managing it through a security table or group-based process is usually more maintainable.
If this post helps, then please consider Accepting it as the solution to help the other members find it more quickly

Regards,
Rita Fainshtein | Microsoft MVP
https://www.linkedin.com/in/rita-fainshtein/
Blog : https://www.madeiradata.com/profile/ritaf/profile
Message 3 of 5
351 Views
Zanqueta
Super User
Super User

‎04-17-2026 09:43 AM

Hi,  you are already using the correct and recommended pattern for hierarchical Row-Level Security (RLS) in Power BI with PATHCONTAINS() and USERPRINCIPALNAME(). There is no need to replace or disable this logic in order to allow specific users to see all data.
What can work in this case is to add an override condition to the existing RLS rule, while keeping the current hierarchy behaviour unchanged for all other users. You can extend the existing rule by adding a condition that returns full access for specific users.
This approach is suitable when:

Only a small number of users require full access
The requirement is occasional or temporary

However, this solution does not scale well and requires manual updates to the DAX.

 

My suggestion is to create a small security table containing users who should bypass RLS (for example, executives).
The RLS logic then checks whether the current user exists in this table. If so, all rows are visible; otherwise, the hierarchy-based rule applies

 

VAR IsSuperUser =
    USERPRINCIPALNAME()
        IN VALUES ( RLS_Override[Email] )

 

RETURN
IF (
    IsSuperUser,
    TRUE(),
    PATHCONTAINS ( 'Employee'[Path], USERPRINCIPALNAME() )
)

 

Also, you can check this solved topic : Solved: Re: Override RLS - Microsoft Fabric Community

 

 

 

If this response was helpful in any way, I’d gladly accept a kudo.
Please mark it as the correct solution. It helps other community members find their way faster.
Connect with me on LinkedIn

Message 2 of 5
416 Views

Helpful resources

Announcements
April Power BI Update Carousel

Power BI Monthly Update - April 2026

Check out the April 2026 Power BI update to learn about new features.

Fabric SQL PBI Data Days

Data Days 2026 coming soon!

Sign up to receive a private message when registration opens and key events begin.

New to Fabric survey Carousel

New to Fabric Survey

If you have recently started exploring Fabric, we'd love to hear how it's going. Your feedback can help with product improvements.

Power BI DataViz World Championships carousel

Power BI DataViz World Championships - June 2026

A new Power BI DataViz World Championship is coming this June! Don't miss out on submitting your entry.

View All