Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Data Days is here! Join us now for 60+ days of learning, challenges, and connection. Learn more

Reply
osaz_nero
Regular Visitor

Dynamic RLS

‎06-03-2026 09:14 AM

Hi,

 

I have a rule to grant access based on hierarchy to Directors and Assistant directors to access rows where the person logged in matches the name of the person in either the Director's Email column or Assistant Director Email colum. And also grant special access to all report on the dash to specific users within the semantic model in the service, i have set up the row level security using the following code:

 

VAR CurrentUserEmail = LOWER(USERPRINCIPALNAME())

 

RETURN
    LOWER('Combined_Person_Post'[Director]) = CurrentUserEmail
    || LOWER('Combined_Person_Post'[Assistant Director]) = CurrentUserEmail
 
OsasOture_0-1780503173263.png
Labels:
Message 1 of 11
358 Views
0
1 ACCEPTED SOLUTION
v-tejrama
Community Support
Community Support
In response to osaz_nero

Tuesday

Hi @osaz_nero ,

 

You are correct that Dynamic RLS eliminates the need to hardcode or maintain user filters within DAX. However, users still need to be granted access to the appropriate role. Dynamic RLS controls data visibility after authorization but Power BI requires users to be assigned to an RLS role either directly or via an Entra ID security group.

To streamline user management it is best to assign a security group to the RLS role and manage group membership as needed. This way Dynamic RLS will automatically filter data for each user based on their email without requiring DAX updates when Directors or Assistant Directors change.

Thank you.

View solution in original post

Message 11 of 11
65 Views
10 REPLIES 10
osaz_nero
Regular Visitor

‎06-05-2026 12:09 AM

Thanks all but the issue is that the director and assistant director are not able to see the report on the dashboard. As I wanted this to be dynamic, I wonder if I have to assign emails to the role created?

Message 7 of 11
183 Views
0
v-tejrama
Community Support
Community Support
In response to osaz_nero

‎06-05-2026 01:56 AM

Hi @osaz_nero ,

 

Dynamic RLS does not require you to manually enter each Director or Assistant Director email in the DAX expression. The USERPRINCIPALNAME() function evaluates the current user and compares it to the values in your Director and Assistant Director columns.

However, users still need to be assigned to the RLS role in the Power BI Service. Dynamic RLS determines which rows are visible, but does not automatically grant access to the semantic model or report. If Directors or Assistant Directors cannot view the report, first confirm they are added to the role under Dataset Security and have access to the app, workspace, or report.

Additionally, ensure the email values in the Director and Assistant Director columns match exactly with the USERPRINCIPALNAME() value for each user. Differences in UPN format, aliases, or blank entries may prevent rows from displaying. You can use the View As feature in Power BI Desktop or Service to verify the RLS filter is working as expected for each user.

Once role assignments and email values are correct, dynamic RLS should function properly without the need to maintain a separate list of Director or Assistant Director emails in your DAX code.

Thank you.

Message 8 of 11
155 Views
0
v-tejrama
Community Support
Community Support
In response to v-tejrama

Sunday

Hi @osaz_nero ,

 

I wanted to check if you had the opportunity to review the information provided. Please feel free to contact us if you have any further questions.

Thank you.

Message 9 of 11
97 Views
osaz_nero
Regular Visitor
In response to v-tejrama

Monday

Thanks @v-tejrama ,

 

I was off work Thursday/Friday. Thanks for your feedback which is really helpful. My thought was that with the dynamic RLS, I won't need to assign users to the RLS role again. My goal was to eliminate the maunal adding of users to the RLS role or updating a group of users assigned to the RLS.

 

Thanks so much

Message 10 of 11
86 Views
0
v-tejrama
Community Support
Community Support
In response to osaz_nero

Tuesday

Hi @osaz_nero ,

 

You are correct that Dynamic RLS eliminates the need to hardcode or maintain user filters within DAX. However, users still need to be granted access to the appropriate role. Dynamic RLS controls data visibility after authorization but Power BI requires users to be assigned to an RLS role either directly or via an Entra ID security group.

To streamline user management it is best to assign a security group to the RLS role and manage group membership as needed. This way Dynamic RLS will automatically filter data for each user based on their email without requiring DAX updates when Directors or Assistant Directors change.

Thank you.

Message 11 of 11
66 Views
v-tejrama
Community Support
Community Support

‎06-04-2026 04:43 AM

Hi @osaz_nero ,

 

Your current RLS logic restricts access to rows where the logged in user's email matches either the Director or Assistant Director column. If you need to grant certain users access to all data it is advisable to maintain those users in a dedicated security table and reference their membership in the RLS expression. This approach simplifies ongoing maintenance as privileged users can be added or removed without modifying the DAX code.

While a hardcoded list of email addresses may work for a small group, it is less scalable. Additionally, DAX string comparisons are generally case insensitive, so the use of lower is not necessary unless normalization is specifically required. If privileged users should always have unrestricted access, you may also consider assigning them to a separate RLS role without row restrictions.

The most suitable method will depend on how often the privileged user list changes and your preferred security management strategy.

Thank you.

Message 6 of 11
227 Views
0
GilbertQ
Super User
Super User

‎06-03-2026 02:55 PM

Hi @osaz_nero 

 

One thing I would mention as to why are you using the lower. As far as I am aware there is no case sensitivity within the DAX engine.





Did I answer your question? Mark my post as a solution!

Proud to be a Super User!







Power BI Blog

Message 5 of 11
279 Views
oussamahaimoud
Solution Sage
Solution Sage

‎06-03-2026 10:16 AM

Hi @osaz_nero,

Hope you're doing well!

 

Regarding your screenshoot, I can say your logic is OK. Which means Directors and Assistant Directors will only see rows where their email matches either column. That part works as expected.

 

For the special access, you just need to extend your RETURN block with an OR condition that checks against a hardcoded list of those privileged emails:

VAR CurrentUserEmail = LOWER(USERPRINCIPALNAME())

 

RETURN

    LOWER('Combined_Person_Post'[Director]) = CurrentUserEmail

        || LOWER('Combined_Person_Post'[Assistant Director]) = CurrentUserEmail

        || CurrentUserEmail IN {

            "user1@yourdomain.com",

            "user2@yourdomain.com",

            "user3@yourdomain.com"

        }

 

In order to have a solid RLS :

  • Make sure the emails in the IN {} list are lowercase, since you're already normalising USERPRINCIPALNAME() with LOWER(), a case mismatch will silently break access.
  • If the privileged users are also Directors or Assistant Directors in the data, the rule already covers them, but adding them to the whitelist explicitly doesn't hurt.
  • After saving, test in Power BI Service for both a standard Director and one of the whitelisted users to confirm each sees the right scope.

 

Assisted by AI for clarty of word!

 

Hope this helps! Don't forget to accept as solution and like it in order to keep helping others.

 

Best regards,

Oussama (Data Consultant - Expert Fabric & Power BI)


  Did my response help you? Clicking Kudos is a small gesture that goes a long way, it encourages contributors and helps the community thrive!


Did I answer your question? Please mark my post as a Solution, it helps others find the answer faster.


Senior Data & BI Consultant · Microsoft Fabric & Power BI Specialist


Connect with me on LinkedIn

Message 3 of 11
322 Views
osaz_nero
Regular Visitor
In response to oussamahaimoud

‎06-05-2026 12:08 AM

Thanks but the issue is that the director and assistant director are not able to see the rreport on the dashboard. As I wanted this to be dynamic, I wonder if I have to assign emails to the role created?

Message 4 of 11
183 Views
0
SaiTejaTalasila
Super User
Super User

‎06-03-2026 09:42 AM

Hi @osaz_nero ,

 

The rule you shared looks correct for restricting access based on Director and Assistant Director emails. To also allow special users full visibility, you can extend the condition with an additional or clause that checks against a list or table of privileged emails. This way, hierarchy-based filtering is preserved while exceptions are handled cleanly. Using a separate table for special users makes it easier to maintain without editing the DAX each time.

 

Thanks,

Sai Teja 

Message 2 of 11
341 Views

Helpful resources

Announcements
Fabric Data Days is here Carousel

Fabric Data Days 2026

Don't miss out on Data Days, June 15 through August 7. Learn Fabric, Power BI, SQL, AI and more.

May Power BI Update Carousel

Power BI Monthly Update - May 2026

Check out the May 2026 Power BI update to learn about new features.

Power BI DataViz World Championships carousel

Power BI DataViz World Championships - June 2026

A new Power BI DataViz World Championship is coming this June! Don't miss out on submitting your entry.

View All