Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

The Power BI Data Visualization World Championships is back! Get ahead of the game and start preparing now! Learn more

Reply
souzarodrigo
Regular Visitor

Issues with dynamic RLS and hybrid table

‎11-20-2025 02:14 PM

Hello community. I have a fact table with more than 100 million records, so I created two partitions in the semantic model: one in Import mode with a relative date range (hot partition) and another in DQ mode (cold partition), but I am having issues the RLS. Even though a query returns only 100k records, for example, I receive the 1 million limit error on my visuals. Tracing the queries submitted to the source, I noticed Power BI sends an additional query to the database without any filters and this specific query returns more than 1M rows. I believe it is related to RLS because this extra query returns a single column which is the column used as filter condition on dynamic RLS. Also, if I switch to static RLS or without RLS at all, it works perfectly. I could not find anything here or on documentation related to this so, I would like to know if anyone have ever faced similar issues and how to solve it. Thank you!

Labels:
Message 1 of 6
402 Views
0
1 ACCEPTED SOLUTION
v-sgandrathi
Community Support
Community Support

‎11-24-2025 09:10 PM

Hi @souzarodrigo,

 

Thank you for your detailed update. You are correct, when dynamic RLS is used with a small security mapping table, Hybrid (Import + DirectQuery) partitions can still cause a full DirectQuery scan if a visual includes a field from the fact table. This happens because the engine checks row-level permissions across all partitions, and if RLS could impact rows in the DirectQuery part, Power BI sends an extra security validation query to the DirectQuery partition, regardless of the user’s filters.

This means dynamic RLS can still hit the 1-million-row DirectQuery limit. This is a known limitation of dynamic RLS with Hybrid tables, not a modelling issue. Static RLS works since the model resolves security at design time, avoiding the extra query. If possible, moving dynamic RLS to the source database is the most reliable workaround for large Hybrid tables. Other options include applying sensitive filters to fully imported dimensions or avoiding fact-level fields in the RLS logic. Thanks for sharing your findings, they’ll be helpful for others in similar situations.

 

Thank you.

View solution in original post

Message 6 of 6
229 Views
0
5 REPLIES 5
v-sgandrathi
Community Support
Community Support

‎11-24-2025 09:10 PM

Hi @souzarodrigo,

 

Thank you for your detailed update. You are correct, when dynamic RLS is used with a small security mapping table, Hybrid (Import + DirectQuery) partitions can still cause a full DirectQuery scan if a visual includes a field from the fact table. This happens because the engine checks row-level permissions across all partitions, and if RLS could impact rows in the DirectQuery part, Power BI sends an extra security validation query to the DirectQuery partition, regardless of the user’s filters.

This means dynamic RLS can still hit the 1-million-row DirectQuery limit. This is a known limitation of dynamic RLS with Hybrid tables, not a modelling issue. Static RLS works since the model resolves security at design time, avoiding the extra query. If possible, moving dynamic RLS to the source database is the most reliable workaround for large Hybrid tables. Other options include applying sensitive filters to fully imported dimensions or avoiding fact-level fields in the RLS logic. Thanks for sharing your findings, they’ll be helpful for others in similar situations.

 

Thank you.

Message 6 of 6
230 Views
0
souzarodrigo
Regular Visitor

‎11-24-2025 01:45 PM

Hi @v-sgandrathi and @lbendlin, Thank you so much for your inputs here. I tried with your suggestion for best practices and apply the RLS to a smaller table, but without success. I used dynamic RLS with a security mapping table that relates to my users table, both in Dual mode, related to the fact table which is in Hybrid mode (simple star schema, 1 to many relationships). I was expecting the relationship would filter the data in fact table for both partitions resolving for either for the DQ query or the Vertipac query, but seems that if I add any field from the fact in the visual, it generates the additional DQ query. Seems to be a limitation on Hybrid tables security. Everything works perfectly with static RLS. We will test also moving the RLS to the source DB and evaluate on how to proceed. Thank you again. 

Message 5 of 6
239 Views
0
v-sgandrathi
Community Support
Community Support

‎11-23-2025 08:05 PM

Hi @souzarodrigo,

 

Just wanted to follow up and confirm that everything has been going well on this. Please let me know if there’s anything from our end.
Please feel free to reach out Microsoft fabric community forum.

 

Thank you.

Message 4 of 6
254 Views
0
v-sgandrathi
Community Support
Community Support

‎11-21-2025 02:08 AM

Hi @souzarodrigo,

Thank you @lbendlin for your response to the query.

Dynamic RLS can create problems in hybrid tables due to how Power BI checks security rules before displaying data. When RLS is applied directly to a large fact table, particularly one with a DirectQuery partition, Power BI runs an extra background query to see which rows a user can access. This query isn't filtered by visuals, date slicers, or partitions, so it scans the entire fact table and only retrieves the column used in the RLS condition. If the table has millions of rows, this unfiltered check can go over the DirectQuery one million row limit, even if the final result is much smaller. That's why you might see a "1M row limit" error on visuals, even if the actual data returned is less.

This issue doesn't happen with static RLS or when RLS isn't used, since Power BI doesn't need this large security check. The problem is specific to dynamic RLS on fact-level fields. The recommended approach is to set up dynamic RLS on a small imported dimension table, such as a user access or security mapping table. Power BI then uses the relationship between this table and the fact table to filter data, avoiding a large security query. This setup prevents scanning the entire fact table and avoids hitting the 1M-row DirectQuery limit. It also follows best practices for security, improves performance, and ensures reliable hybrid table operation.

If needed, further details can be added about query folding, cardinality, or hybrid table storage modes.

 

Thank you.

Message 3 of 6
337 Views
0
lbendlin
Super User
Super User

‎11-20-2025 04:43 PM 
so I created two partitions in the semantic model: one in Import mode with a relative date range (hot partition) and another in DQ mode (cold partition),

I don't think that is possible. The Direct Query partition in a standard incremental refresh can only be the "hot"  TODAY()  UTC partition.

 

Did you mean to say aggregrations?

Message 2 of 6
366 Views
0

Helpful resources

Announcements
Power BI DataViz World Championships

Power BI Dataviz World Championships

The Power BI Data Visualization World Championships is back! Get ahead of the game and start preparing now!

December 2025 Power BI Update Carousel

Power BI Monthly Update - December 2025

Check out the December 2025 Power BI Holiday Recap!

FabCon Atlanta 2026 carousel

FabCon Atlanta 2026

Join us at FabCon Atlanta, March 16-20, for the ultimate Fabric, Power BI, AI and SQL community-led event. Save $200 with code FABCOMM.

View All