Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

The Power BI Data Visualization World Championships is back! Get ahead of the game and start preparing now! Learn more

Reply
BarnyQuack
Frequent Visitor

Row Level Security: Exclude users from seeing data who are not in a particular AD security group.

‎09-23-2025 03:24 AM

Hi,

I want to prevent users not in an Active Directory group (called 'Payroll Users')  from seeing data  when Department = "Payroll"

There will be a small number of users who will be able to see all data, but the vast majority will not be able to see it.

DepartmentInvoice
Payroll123
Payroll456
London111
Edinburgh222
Glasgow444
Payroll789

 

I've made a start, but need a bit more help please!

So far I have:

For security roles I have a role 'Payroll Hidden'  where [Department] <> "Payroll"  : this is for users not in the AD group.

there is another role called ALL that can see all data, i.e. no data is filtered, and that is for users in the AD group.

 

BarnyQuack_1-1758621962125.png

 

Many thanks for looking

Labels:
Message 1 of 8
418 Views
0
2 ACCEPTED SOLUTIONS
amitchandak
Super User
Super User

‎09-23-2025 03:38 AM

@BarnyQuack , Seem like roles are correct. Ensure that you assign security groups to these roles in Power BI Service. Under Sematic model Security option 

Share with Power BI Enthusiasts: Full Power BI Video (20 Hours) YouTube
Microsoft Fabric Series 60+ Videos YouTube
Microsoft Fabric Hindi End to End YouTube

View solution in original post

Message 2 of 8
403 Views
0
v-dineshya
Community Support
Community Support

‎09-23-2025 05:10 AM

Hi @BarnyQuack ,

Thank you for reaching out to the Microsoft Community Forum.

 

You are expecting that, Users in 'Payroll Users' AD group can See all data, including Payroll. And Users NOT in 'Payroll Users' AD group can see everything except Payroll.

 

Please create Roles.

 

1. Role--> ALL

DAX Filter --> No filter or [Department] = [Department] to allow all data.
Assigned to --> Members of the 'Payroll Users' AD group.

 

2. Role --> Payroll Hidden

DAX Filter --> [Department] <> "Payroll"
Assigned to --> All other users.


Please follow below steps.

 

1. Create Roles in Power BI Desktop, Go to Modeling --> Manage Roles. Create ALL --> No filter and Payroll Hidden --> Add filter as [Department] <> "Payroll". Then Publish to Power BI Service.

 

2. Assign Roles in Power BI Service, Go to Dataset --> Security. Assign ALL --> Add 'Payroll Users' AD group. And Payroll Hidden --> Add other users or groups.

 

Note: Use "View As Roles" in Power BI Desktop to simulate each role and confirm the filtering works as expected.

 

I hope this information helps. Please do let us know if you have any further queries.

 

Regards,

Dinesh

View solution in original post

Message 5 of 8
360 Views
0
7 REPLIES 7
v-dineshya
Community Support
Community Support

‎09-23-2025 05:10 AM

Hi @BarnyQuack ,

Thank you for reaching out to the Microsoft Community Forum.

 

You are expecting that, Users in 'Payroll Users' AD group can See all data, including Payroll. And Users NOT in 'Payroll Users' AD group can see everything except Payroll.

 

Please create Roles.

 

1. Role--> ALL

DAX Filter --> No filter or [Department] = [Department] to allow all data.
Assigned to --> Members of the 'Payroll Users' AD group.

 

2. Role --> Payroll Hidden

DAX Filter --> [Department] <> "Payroll"
Assigned to --> All other users.


Please follow below steps.

 

1. Create Roles in Power BI Desktop, Go to Modeling --> Manage Roles. Create ALL --> No filter and Payroll Hidden --> Add filter as [Department] <> "Payroll". Then Publish to Power BI Service.

 

2. Assign Roles in Power BI Service, Go to Dataset --> Security. Assign ALL --> Add 'Payroll Users' AD group. And Payroll Hidden --> Add other users or groups.

 

Note: Use "View As Roles" in Power BI Desktop to simulate each role and confirm the filtering works as expected.

 

I hope this information helps. Please do let us know if you have any further queries.

 

Regards,

Dinesh

Message 5 of 8
361 Views
0
v-dineshya
Community Support
Community Support
In response to v-dineshya

‎09-28-2025 09:43 PM

Hi @BarnyQuack ,

We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. And, if you have any further query do let us know.

 

Regards,

Dinesh

Message 6 of 8
301 Views
0
v-dineshya
Community Support
Community Support
In response to v-dineshya

‎10-03-2025 03:38 AM

Hi @BarnyQuack ,

We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. And, if you have any further query do let us know.

 

Regards,

Dinesh

Message 7 of 8
251 Views
0
v-dineshya
Community Support
Community Support
In response to v-dineshya

‎10-06-2025 07:46 AM

Hi @BarnyQuack ,

We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. And, if you have any further query do let us know.

 

Regards,

Dinesh

Message 8 of 8
217 Views
0
BarnyQuack
Frequent Visitor

‎09-23-2025 03:59 AM

Hi Amit, many thanks for your quick reply! 🙂 

I'm hoping just to have a few people in the ALL AD group, where they can see Payroll data. But I'm hoping not to have to add hundreds of people not in Payroll to either an AD group or adding individually to a role. I was hoping there may be a better solution.

Message 4 of 8
383 Views
0
pbiuseruk
Resolver IV
Resolver IV

‎09-23-2025 03:50 AM

Hello,

You're pretty much there.

Make the 2 roles as you've mentioned and then go to "View As" to test that it's working properly.

pbiuseruk_0-1758624511776.png


Once you've done that, you need to check that your modelling is done correctly, so that the enforcement goes to any linked tables aswell. Check the "bidirectional cross filtering" option, when you're using RLS.

Then just publish the report when you're happy and go into Power BI service, into the Security part of the settings for the report and then add the users to the security roles. Then just share access with them and everything should work as expected.

The official docs are here: https://learn.microsoft.com/en-us/fabric/security/service-admin-row-level-security.


Just assign the AD/Entra group to the security role in the service once you're done and it should all work as expected.


Message 3 of 8
394 Views
0
amitchandak
Super User
Super User

‎09-23-2025 03:38 AM

@BarnyQuack , Seem like roles are correct. Ensure that you assign security groups to these roles in Power BI Service. Under Sematic model Security option 

Share with Power BI Enthusiasts: Full Power BI Video (20 Hours) YouTube
Microsoft Fabric Series 60+ Videos YouTube
Microsoft Fabric Hindi End to End YouTube
Message 2 of 8
404 Views
0

Helpful resources

Announcements
November Power BI Update Carousel

Power BI Monthly Update - November 2025

Check out the November 2025 Power BI update to learn about new features.

Fabric Data Days Carousel

Fabric Data Days

Advance your Data & AI career with 50 days of live learning, contests, hands-on challenges, study groups & certifications and more!

FabCon Atlanta 2026 carousel

FabCon Atlanta 2026

Join us at FabCon Atlanta, March 16-20, for the ultimate Fabric, Power BI, AI and SQL community-led event. Save $200 with code FABCOMM.

View All
Top Kudoed Authors
View All