Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Learn from the best! Meet the four finalists headed to the FINALS of the Power BI Dataviz World Championships! Register now

Reply
YogeshWaran2010
Helper I
Helper I

Dynamic RLS with USERPRINCIPALNAME() works in Service “View as role”, but real users can’t access un

‎09-25-2025 05:36 AM

Hi Community,

I’m implementing row-level security (RLS) in Power BI Service with the following setup:

  • Tables

    • project_information → has column [insider] (0 or 1).

    • authorized_users → has column [upn] with UPNs of users who should see both 0 and 1.

  • RLS role (only on project_information)

VAR __IsAuthorized =
    LOWER(TRIM(USERPRINCIPALNAME())) IN
        SELECTCOLUMNS(authorized_users, "k", LOWER(TRIM(authorized_users[upn])))

RETURN IF(__IsAuthorized,
          TRUE(),                                // insiders see all
          project_information[insider] = 0       // outsiders see only 0
)

 

  • Expected behavior

    • If user’s UPN is in authorized_users → show insider = 0 and 1.

    • Otherwise → show only insider = 0.

  • What I observe in Service

    • Using Dataset → Security → Test as role works as expected.

    • Real users with Viewer role in the workspace still cannot open the report unless I also add them explicitly to the dataset’s security role. Otherwise they get:
      “You can’t see the content of this report because you don’t have permissions to the underlying dataset…”

    • If users are given Contributor/Member access in the workspace, they bypass RLS completely (see everything).

Questions

  1. Is it expected that every consumer must also be added to the dataset role in the Service?

  2. What is the best practice to avoid manual adds?

  3. Is there a way to test RLS as a real Viewer without giving up my edit rights as a Contributor?

 

 

Message 1 of 4
681 Views
0
1 ACCEPTED SOLUTION
tayloramy
Super User
Super User

‎09-25-2025 06:14 AM

Hi @YogeshWaran2010

 

1: yes, once RLS is enabled, only members with a role will be able to view data. 

2: use AD groups 

3: It is by design that users with workspace level roles contributor and higher bypass RLS. 

Workspace members assigned AdminMember, or Contributor have edit permission for the semantic model and, therefore, RLS doesn’t apply to them.

Row-level security (RLS) with Power BI - Microsoft Fabric | Microsoft Learn

 

If you found this helpful, consider giving some Kudos. If I answered your question or solved your problem, mark this post as the solution

 





If you found this helpful, consider giving some Kudos.
If I answered your question or solved your problem, mark this post as the solution!

Proud to be a Super User!



View solution in original post

Message 2 of 4
659 Views
3 REPLIES 3
tayloramy
Super User
Super User

‎09-25-2025 06:28 AM

Hi @YogeshWaran2010

 

Once a group is made in Entra ID, it can be added just like a user to the RLS role in a semantic model. 

 

This way users are added/removed via entra and not on the report individually. THis is useful when you have multiple reports with the same user groups. 

 

Entra ID groups can also be set up to be dynamic and rules can be applied to automatically assign membership. 

 

If you found this helpful, consider giving some Kudos. If I answered your question or solved your problem, mark this post as the solution

 

 





If you found this helpful, consider giving some Kudos.
If I answered your question or solved your problem, mark this post as the solution!

Proud to be a Super User!



Message 4 of 4
638 Views
tayloramy
Super User
Super User

‎09-25-2025 06:14 AM

Hi @YogeshWaran2010

 

1: yes, once RLS is enabled, only members with a role will be able to view data. 

2: use AD groups 

3: It is by design that users with workspace level roles contributor and higher bypass RLS. 

Workspace members assigned AdminMember, or Contributor have edit permission for the semantic model and, therefore, RLS doesn’t apply to them.

Row-level security (RLS) with Power BI - Microsoft Fabric | Microsoft Learn

 

If you found this helpful, consider giving some Kudos. If I answered your question or solved your problem, mark this post as the solution

 





If you found this helpful, consider giving some Kudos.
If I answered your question or solved your problem, mark this post as the solution!

Proud to be a Super User!



Message 2 of 4
660 Views
YogeshWaran2010
Helper I
Helper I
In response to tayloramy

‎09-25-2025 06:19 AM

@tayloramy ,

Thank you for your prompt response. It would be helpful if you could provide guidance on setting up the Active Directory groups in Azure, including documentation or implementation videos. Thank you.

Message 3 of 4
653 Views
0

Helpful resources

Announcements
Join our Fabric User Panel

Join our Fabric User Panel

Share feedback directly with Fabric product managers, participate in targeted research studies and influence the Fabric roadmap.

February Power BI Update Carousel

Power BI Monthly Update - February 2026

Check out the February 2026 Power BI update to learn about new features.

FabCon Atlanta 2026 carousel

FabCon Atlanta 2026

Join us at FabCon Atlanta, March 16-20, for the ultimate Fabric, Power BI, AI and SQL community-led event. Save $200 with code FABCOMM.

View All