Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Compete to become Power BI Data Viz World Champion! First round ends August 18th. Get started.

Reply
ananda31
Frequent Visitor

For Dynamic Row Level Security do I still need to add members on power BI service?

‎05-18-2025 09:09 PM

How can I fully implement Dynamic Row-Level Security (RLS) in Power BI without having to manually add users to the role in the Power BI Service under Semantic Model-> More options → Security → Add members?

 

Context:
I've implemented Dynamic RLS using a SQL database that contains user emails, and I'm using the USERPRINCIPALNAME() DAX function to filter data based on the logged-in user. This works as expected in Power BI Desktop using the "View as Role" feature.


However, in the Power BI Service, some users are unable to see the filtered data unless I manually add them to the RLS role. Since the filtering logic is already dynamic and based on the user's email, I was hoping to avoid this manual step.

Is there a recommended workaround or best practice to automate this process and ensure users are recognized by the RLS logic without needing to be explicitly added to the role? under Semantic Model -> More options → Security → Add members?

Message 1 of 9
927 Views
1 ACCEPTED SOLUTION
v-kpoloju-msft
Community Support
Community Support

‎05-19-2025 04:30 AM

Hi @ananda31,
Thank you for reaching out to the Microsoft fabric community forum. Also @Cookistador, for his inputs on this thread. I have identified few workarounds that may help resolve the issue.

 

Thank you for your detailed question and commendable work on implementing Dynamic Row-Level Security (RLS) using a SQL-based user mapping and USERPRINCIPALNAME(). Your filtering logic is correctly configured.

Regarding your inquiry:

Even with Dynamic RLS, users must still be explicitly assigned to the RLS role in the Power BI Service under:

Semantic Model → More options → Security → Add members

This step activates RLS for those users. Once added, the DAX logic (like USERPRINCIPALNAME()) dynamically filters the data based on your SQL mapping.

To streamline the process of adding users, you can:

  • Add an Azure Active Directory (AAD) security group to the RLS role.
  • Manage user membership via the AAD group, which offers better scalability.
  • (Optional) Utilize Microsoft Entra ID dynamic groups, if available in your organization, to automate group membership based on attributes like department or title.

If this post helps, please give us ‘Kudos’ and consider accepting it as a solution to assist other members in finding it more quickly.

Thank you for using the Microsoft Community Forum.

View solution in original post

Message 5 of 9
835 Views
0
8 REPLIES 8
Poojara_D12
Super User
Super User

‎05-29-2025 12:16 AM

Hi @ananda31 

Even with Dynamic RLS, you must add users (or AAD security groups) to the role in Power BI Service under Semantic Model → Security. This step activates RLS. The filtering stays dynamic using USERPRINCIPALNAME(), but assigning users to the role is still required for it to work.

 

Did I answer your question? Mark my post as a solution, this will help others!
If my response(s) assisted you in any way, don't forget to drop me a "Kudos"

Kind Regards,
Poojara - Proud to be a Super User
Data Analyst | MSBI Developer | Power BI Consultant
Consider Subscribing my YouTube for Beginners/Advance Concepts: https://youtube.com/@biconcepts?si=04iw9SYI2HN80HKS
Message 9 of 9
592 Views
0
v-kpoloju-msft
Community Support
Community Support

‎05-19-2025 04:30 AM

Hi @ananda31,
Thank you for reaching out to the Microsoft fabric community forum. Also @Cookistador, for his inputs on this thread. I have identified few workarounds that may help resolve the issue.

 

Thank you for your detailed question and commendable work on implementing Dynamic Row-Level Security (RLS) using a SQL-based user mapping and USERPRINCIPALNAME(). Your filtering logic is correctly configured.

Regarding your inquiry:

Even with Dynamic RLS, users must still be explicitly assigned to the RLS role in the Power BI Service under:

Semantic Model → More options → Security → Add members

This step activates RLS for those users. Once added, the DAX logic (like USERPRINCIPALNAME()) dynamically filters the data based on your SQL mapping.

To streamline the process of adding users, you can:

  • Add an Azure Active Directory (AAD) security group to the RLS role.
  • Manage user membership via the AAD group, which offers better scalability.
  • (Optional) Utilize Microsoft Entra ID dynamic groups, if available in your organization, to automate group membership based on attributes like department or title.

If this post helps, please give us ‘Kudos’ and consider accepting it as a solution to assist other members in finding it more quickly.

Thank you for using the Microsoft Community Forum.

Message 5 of 9
836 Views
0
v-kpoloju-msft
Community Support
Community Support
In response to v-kpoloju-msft

‎05-21-2025 09:14 PM

Hi @ananda31,

 

May I ask if you have resolved this issue? If so, please mark the helpful reply and accept it as the solution. This will be helpful for other community members who have similar problems to solve it faster.

Thank you.

Message 6 of 9
758 Views
0
v-kpoloju-msft
Community Support
Community Support
In response to v-kpoloju-msft

‎05-24-2025 09:25 PM

Hi @ananda31,

I wanted to check if you had the opportunity to review the information provided. Please feel free to contact us if you have any further questions. If my response has addressed your query, please accept it as a solution and give a 'Kudos' so other members can easily find it.
Thank you.

Message 7 of 9
716 Views
0
v-kpoloju-msft
Community Support
Community Support
In response to v-kpoloju-msft

‎05-27-2025 09:03 PM

Hi @ananda31,

I hope this information is helpful. Please let me know if you have any further questions or if you'd like to discuss this further. If this answers your question, please Accept it as a solution and give it a 'Kudos' so others can find it easily.
Thank you.

Message 8 of 9
662 Views
0
Cookistador
Super User
Super User

‎05-18-2025 09:37 PM

you can have some delay, Azure AD group membership changes don't propagate to Power BI Service instantly

 

Do you have many rls groups or only one?
If you have only one, you can use all users

Message 4 of 9
884 Views
0
ananda31
Frequent Visitor

‎05-18-2025 09:30 PM

I actually did check the data source and the user was a part of the groups already assigned to the RLS roles for that semantic model. Still they got an Access denied pop up stating that the user doesn't have access to the underlying dataset. The underlying dataset uses RLS

Message 3 of 9
902 Views
0
Cookistador
Super User
Super User

‎05-18-2025 09:24 PM

When you have to manually add someone as a member under the Semantic Model's security settings (Semantic Model -> More options → Security → Add members), it means those users aren't part of the groups already assigned to the RLS roles for that semantic model.

 

Typically, to make this easier and prevent individual additions – especially if your RLS covers everyone in the organization, or if the workspace itself already limits who has access – the recommended approach is to use a group that includes all relevant users. You can then assign this group to the RLS roles.

If you do not have this kind of group, you can also try to use the group all users

Message 2 of 9
910 Views
0

Helpful resources

Announcements
August Power BI Update Carousel

Power BI Monthly Update - August 2025

Check out the August 2025 Power BI update to learn about new features.

August 2025 community update carousel

Fabric Community Update - August 2025

Find out what's new and trending in the Fabric community.

View All