Hi @KathyGG - RLS doesn’t automatically transfer between datasets, and direct joins in composite models don’t inherently carry RLS across.
When you connect to your primary dataset (Transformed Data) in the Timesheet Data model, make sure you’re using DirectQuery for Power BI datasets. This allows you to create a composite model with both datasets, and RLS will only apply to tables from the Transformed Data dataset. You won’t be able to modify RLS from within the Timesheet Data report, but you can still leverage it.
If direct RLS transfer isn’t possible, you could consider a workaround by creating report-level filters based on the users' access levels. Here’s how:
Add a calculated column or measure that checks the user’s identity (e.g., with USERPRINCIPALNAME()) and filters data according to the RLS rules defined in the Transformed Data model.
Then apply this calculated column/measure in the Timesheet Data model as a filter.
If the data volumes and architecture allow, consider consolidating both datasets into one model (Transformed Data) to apply RLS seamlessly across all tables. This way, you avoid complications with cross-model RLS and can apply roles directly on all relevant tables.
Role Setup in Power BI Service: Sometimes, RLS fails in the Service if the dataset permissions or workspace settings are not aligned. Verify the following in Power BI Service:
Ensure the users have Viewer role access to the workspace where the dataset is published. Any role higher than Viewer could bypass RLS.
Check that the permissions on both datasets don’t conflict (for example, having RLS on both models independently without a clear hierarchy can cause issues).
Reference link:
Use composite models in Power BI Desktop - Power BI | Microsoft Learn
Proud to be a Super User! |  |
Hi @KathyGG - To apply dynamic row-level security (RLS) across data sources where only certain fields align, you can use USERPRINCIPALNAME() to filter data by the logged-in user’s email.
UserEmail = USERPRINCIPALNAME()
In the Transformed Data table, define the RLS rule using your logic. To allow for both specific project access and full access, your formula should check the user’s access level, allowing visibility to all projects if they have “all” access.
[email_address] = USERPRINCIPALNAME()
|| MAXX(
FILTER('Users Register',
'Users Register'[access_level_c] = "Business_Unit"
&& [email_address] = USERPRINCIPALNAME()
),
[access_level_c]
) = "Business_Unit"
|| MAXX(
FILTER('Users Register',
'Users Register'[access_level_c] = "All"
&& [email_address] = USERPRINCIPALNAME()
),
[access_level_c]
) = "All"
This formula:
Filters data where [email_address] matches USERPRINCIPALNAME() (email match).
Checks if the user has access at a "Business_Unit" level or "All" access.
Since the Timesheet Data can’t be directly joined with Transformed Data due to different credentials, implement RLS separately:
In Timesheet Data: Create a filter that matches on the Project Name where possible, and only grants access to projects listed for the user in the Users Register table.
You could use a DAX formula similar to the Transformed Data rule, modified to only apply access based on projects.
This approach leverages dynamic RLS and your existing security groups, ensuring each user’s access is defined by their level and association with specific projects.
Proud to be a Super User! | |
Helpful resources
Power BI Monthly Update - November 2025
Check out the November 2025 Power BI update to learn about new features.
Fabric Data Days
Advance your Data & AI career with 50 days of live learning, contests, hands-on challenges, study groups & certifications and more!
FabCon Atlanta 2026
Join us at FabCon Atlanta, March 16-20, for the ultimate Fabric, Power BI, AI and SQL community-led event. Save $200 with code FABCOMM.
