Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

The Power BI Data Visualization World Championships is back! Get ahead of the game and start preparing now! Learn more

Reply
YogeshWaran2010
Helper I
Helper I

Dynamic RLS with USERPRINCIPALNAME() works in Service “View as role”, but real users can’t access un

‎09-25-2025 05:36 AM

Hi Community,

I’m implementing row-level security (RLS) in Power BI Service with the following setup:

  • Tables

    • project_information → has column [insider] (0 or 1).

    • authorized_users → has column [upn] with UPNs of users who should see both 0 and 1.

  • RLS role (only on project_information)

VAR __IsAuthorized =
    LOWER(TRIM(USERPRINCIPALNAME())) IN
        SELECTCOLUMNS(authorized_users, "k", LOWER(TRIM(authorized_users[upn])))

RETURN IF(__IsAuthorized,
          TRUE(),                                // insiders see all
          project_information[insider] = 0       // outsiders see only 0
)

 

  • Expected behavior

    • If user’s UPN is in authorized_users → show insider = 0 and 1.

    • Otherwise → show only insider = 0.

  • What I observe in Service

    • Using Dataset → Security → Test as role works as expected.

    • Real users with Viewer role in the workspace still cannot open the report unless I also add them explicitly to the dataset’s security role. Otherwise they get:
      “You can’t see the content of this report because you don’t have permissions to the underlying dataset…”

    • If users are given Contributor/Member access in the workspace, they bypass RLS completely (see everything).

Questions

  1. Is it expected that every consumer must also be added to the dataset role in the Service?

  2. What is the best practice to avoid manual adds?

  3. Is there a way to test RLS as a real Viewer without giving up my edit rights as a Contributor?

 

 

Message 1 of 4
393 Views
0
1 ACCEPTED SOLUTION
tayloramy
Community Champion
Community Champion

‎09-25-2025 06:14 AM

Hi @YogeshWaran2010

 

1: yes, once RLS is enabled, only members with a role will be able to view data. 

2: use AD groups 

3: It is by design that users with workspace level roles contributor and higher bypass RLS. 

Workspace members assigned AdminMember, or Contributor have edit permission for the semantic model and, therefore, RLS doesn’t apply to them.

Row-level security (RLS) with Power BI - Microsoft Fabric | Microsoft Learn

 

If you found this helpful, consider giving some Kudos. If I answered your question or solved your problem, mark this post as the solution

 

View solution in original post

Message 2 of 4
371 Views
3 REPLIES 3
tayloramy
Community Champion
Community Champion

‎09-25-2025 06:28 AM

Hi @YogeshWaran2010

 

Once a group is made in Entra ID, it can be added just like a user to the RLS role in a semantic model. 

 

This way users are added/removed via entra and not on the report individually. THis is useful when you have multiple reports with the same user groups. 

 

Entra ID groups can also be set up to be dynamic and rules can be applied to automatically assign membership. 

 

If you found this helpful, consider giving some Kudos. If I answered your question or solved your problem, mark this post as the solution

 

 

Message 4 of 4
350 Views
tayloramy
Community Champion
Community Champion

‎09-25-2025 06:14 AM

Hi @YogeshWaran2010

 

1: yes, once RLS is enabled, only members with a role will be able to view data. 

2: use AD groups 

3: It is by design that users with workspace level roles contributor and higher bypass RLS. 

Workspace members assigned AdminMember, or Contributor have edit permission for the semantic model and, therefore, RLS doesn’t apply to them.

Row-level security (RLS) with Power BI - Microsoft Fabric | Microsoft Learn

 

If you found this helpful, consider giving some Kudos. If I answered your question or solved your problem, mark this post as the solution

 

Message 2 of 4
372 Views
YogeshWaran2010
Helper I
Helper I
In response to tayloramy

‎09-25-2025 06:19 AM

@tayloramy ,

Thank you for your prompt response. It would be helpful if you could provide guidance on setting up the Active Directory groups in Azure, including documentation or implementation videos. Thank you.

Message 3 of 4
365 Views
0

Helpful resources

Announcements
Power BI DataViz World Championships

Power BI Dataviz World Championships

The Power BI Data Visualization World Championships is back! Get ahead of the game and start preparing now!

November Power BI Update Carousel

Power BI Monthly Update - November 2025

Check out the November 2025 Power BI update to learn about new features.

FabCon Atlanta 2026 carousel

FabCon Atlanta 2026

Join us at FabCon Atlanta, March 16-20, for the ultimate Fabric, Power BI, AI and SQL community-led event. Save $200 with code FABCOMM.

View All