Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

We've captured the moments from FabCon & SQLCon that everyone is talking about, and we are bringing them to the community, live and on-demand. Starts on April 14th. Register now

Reply
Alatha
Frequent Visitor

RLS on 2 personas with single report

‎02-07-2026 12:39 AM

I have one report and it has two personas site owners ans service owners. 
And created 2 roless

site owners - rls applied 

Service owners - no filters 

as I have single report and it has home page with 2 buttons visit site owner view & visit service owners view and based on the  page navigations 

now scenario 1. - when site owners access the report should see site owners button and should able to see the sites they own.

scenario -2 - when service owner access the report should see both buttons and when clicks on service owners should see all sites and clicks on site owners should see only owned sites.

working as expected -Site owners access able to see only single button and also see the sites they own 

problem - when service owner access the report and able to see both buttons and clicks on service owners button able to see all sites BUT when clicks on site owners button also seeing all sites instead of sites they own.

please assist me to achieve this as expected

 

Labels:
Message 1 of 4
289 Views
1 ACCEPTED SOLUTION
Jaywant-Thorat
Super User
Super User

‎02-07-2026 12:03 PM
Hi @Alatha ,
You’re very close already, the issue you’re facing is a classic RLS + navigation + role-evaluation limitation in Power BI, not a mistake in your logic. Let me explain why it happens and then give you correct architectures to achieve your expected behavior.
 
Root Cause (Very Important):
RLS is evaluated only once per user session, not per page or button click.
So in your case:
  • Service Owner is mapped to a role without filters
  • Once the report loads, Power BI decides:
    • “This user has unrestricted access”
  • Page navigation cannot re-apply RLS
  • Therefore:
    • Service Owner >> Site Owner page >> still sees ALL sites
This is by design in Power BI. Buttons, bookmarks, and navigation cannot change RLS context.
 
What You Want:
Persona Page Expected Data
Site Owner Any page Only owned sites
Service Owner Service Owner page All sites
Service Owner Site Owner page Only owned sites
This means conditional data restriction inside the same role. RLS alone cannot do this.
 
Solution 1: Use Dynamic RLS + USERPRINCIPALNAME(), instead of “No filter” role for Service Owners.
Step 1: Create a Security Mapping Table named 'UserAccess'
UserEmail SiteID AccessType
a@org.com S1 Site
a@org.com S2 Site
a@org.com ALL Service
b@org.com S3 Site
 
Step 2: Single RLS Role:
Apply this filter on UserAccess table:
---DAX---
UserAccess[UserEmail] = USERPRINCIPALNAME()
---DAX---
Now both personas are handled dynamically.
 
Step 3: Control Data by Page (KEY PART)
Create a Page Type table (Disconnected):
PageType
Site
Service
 
Step 4: Measure to Control Visibility
---DAX---
CanSeeSite =
VAR IsServiceOwner =
    CALCULATE(
        COUNTROWS(UserAccess),
        UserAccess[AccessType] = "Service"
    ) > 0
 
VAR PageTypeSelected =
    SELECTEDVALUE(PageType[PageType])
 
RETURN
SWITCH(
    TRUE(),
    PageTypeSelected = "Service", 1,
    PageTypeSelected = "Site" && IsServiceOwner, 1,
    PageTypeSelected = "Site" && NOT IsServiceOwner, 1,
    0
)
---DAX---
 
Step 5: Filter Your Visuals
Apply Visual-level filter:
CanSeeSite = 1
 
Result:
Service Owner >> Service page >> All sites
Service Owner >> Site page >> Only owned sites
Site Owner >> Only Site page >> Only owned sites
 
=================================================================
Did I answer your question? Mark my post as a solution! This will help others on the forum!
Appreciate your Kudos!!
Jaywant Thorat | MCT | Data Analytics Coach
#MissionPowerBIBharat
LIVE with Jaywant Thorat

View solution in original post

Message 2 of 4
241 Views
3 REPLIES 3
v-veshwara-msft
Community Support
Community Support

‎02-15-2026 10:44 PM

Hi @Alatha ,

We wanted to kindly follow up regarding your query. If you need any further assistance, please reach out.
Thank you.

Message 4 of 4
134 Views
0
v-veshwara-msft
Community Support
Community Support

‎02-12-2026 03:48 AM

Hi @Alatha ,
Thanks for reaching out to Microsoft Fabric Community.


Just checking whether the guidance shared by @Jaywant-Thorat  helped clarify the RLS behavior and whether you were able to test the dynamic RLS approach suggested.

 

Please let us know if you need any further assistance.

Thank you.

Message 3 of 4
153 Views
0
Jaywant-Thorat
Super User
Super User

‎02-07-2026 12:03 PM
Hi @Alatha ,
You’re very close already, the issue you’re facing is a classic RLS + navigation + role-evaluation limitation in Power BI, not a mistake in your logic. Let me explain why it happens and then give you correct architectures to achieve your expected behavior.
 
Root Cause (Very Important):
RLS is evaluated only once per user session, not per page or button click.
So in your case:
  • Service Owner is mapped to a role without filters
  • Once the report loads, Power BI decides:
    • “This user has unrestricted access”
  • Page navigation cannot re-apply RLS
  • Therefore:
    • Service Owner >> Site Owner page >> still sees ALL sites
This is by design in Power BI. Buttons, bookmarks, and navigation cannot change RLS context.
 
What You Want:
Persona Page Expected Data
Site Owner Any page Only owned sites
Service Owner Service Owner page All sites
Service Owner Site Owner page Only owned sites
This means conditional data restriction inside the same role. RLS alone cannot do this.
 
Solution 1: Use Dynamic RLS + USERPRINCIPALNAME(), instead of “No filter” role for Service Owners.
Step 1: Create a Security Mapping Table named 'UserAccess'
UserEmail SiteID AccessType
a@org.com S1 Site
a@org.com S2 Site
a@org.com ALL Service
b@org.com S3 Site
 
Step 2: Single RLS Role:
Apply this filter on UserAccess table:
---DAX---
UserAccess[UserEmail] = USERPRINCIPALNAME()
---DAX---
Now both personas are handled dynamically.
 
Step 3: Control Data by Page (KEY PART)
Create a Page Type table (Disconnected):
PageType
Site
Service
 
Step 4: Measure to Control Visibility
---DAX---
CanSeeSite =
VAR IsServiceOwner =
    CALCULATE(
        COUNTROWS(UserAccess),
        UserAccess[AccessType] = "Service"
    ) > 0
 
VAR PageTypeSelected =
    SELECTEDVALUE(PageType[PageType])
 
RETURN
SWITCH(
    TRUE(),
    PageTypeSelected = "Service", 1,
    PageTypeSelected = "Site" && IsServiceOwner, 1,
    PageTypeSelected = "Site" && NOT IsServiceOwner, 1,
    0
)
---DAX---
 
Step 5: Filter Your Visuals
Apply Visual-level filter:
CanSeeSite = 1
 
Result:
Service Owner >> Service page >> All sites
Service Owner >> Site page >> Only owned sites
Site Owner >> Only Site page >> Only owned sites
 
=================================================================
Did I answer your question? Mark my post as a solution! This will help others on the forum!
Appreciate your Kudos!!
Jaywant Thorat | MCT | Data Analytics Coach
#MissionPowerBIBharat
LIVE with Jaywant Thorat
Message 2 of 4
242 Views

Helpful resources

Announcements
New to Fabric survey Carousel

New to Fabric Survey

If you have recently started exploring Fabric, we'd love to hear how it's going. Your feedback can help with product improvements.

Power BI DataViz World Championships carousel

Power BI DataViz World Championships - June 2026

A new Power BI DataViz World Championship is coming this June! Don't miss out on submitting your entry.

Join our Fabric User Panel

Join our Fabric User Panel

Share feedback directly with Fabric product managers, participate in targeted research studies and influence the Fabric roadmap.

March Power BI Update Carousel

Power BI Community Update - March 2026

Check out the March 2026 Power BI update to learn about new features.

View All