My goal here is to be able to publish the same semantic model (dataset) to more than one workspace, but use RLS so that the users in each workspace can only see what they are allowed to see. This will enable me to reuse datasets, rather than have to restrict them individually at the SQL level for each data source.
I have it working on the desktop side as far as testing with "view as", but it is not working on the Power BI Service (web) side.
I have
My user can only see reports in the Workspace and not the semantic model that I gave her build access to.
If I give her contributor on the workspace, she can see ALL the data, not just hers.
Having her use Power BI Desktop is not an option.
Is there any way to accomplish what I want to do or is RLS just to control viewing of data?
Thanks!
Sarah
Hello @SarahHope ,
1. Publish your semantic model to a central workspace, say Workspace A.
2. Use roles with filters like: [Region] = USERPRINCIPALNAME().
   Assign users or security groups to these roles in Power BI Service → Dataset → Security.
3. Give “Build” permission on the dataset (not the workspace!)
   - Go to Workspace A → Datasets → More options (⋯) → Manage permissions
   - Give the users or their security group “Build” permission
   - This allows them to build reports using the dataset but does not override RLS
4. In Workspace A, assign the users the Viewer role only.
   Viewer role + Build permission = Report creation + RLS respected
5. Create reports in other workspaces
   - In Workspace B, your user can go to “Get data → Power BI Datasets”
   - They select the centralized dataset from Workspace A
   - They build reports in Workspace B — RLS is enforced automatically (because they’re not elevated in Workspace A)
6. Share reports via apps or workspace permissions.
   Again, ensure consumers in Workspace B also follow the Viewer + Build model if they’ll connect directly to the dataset.
Notes:
- Do NOT give users Contributor or Member roles in Workspace A — this bypasses RLS
- Test RLS in Power BI Service by using “Test as role” in dataset security, not just “View as” in Desktop
- Use Azure AD groups where possible for easier RLS and permission management
If this solved your issue, please mark it as the accepted solution. ✅
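Added example, not part of the original post and not Microsoft tooling: a small audit of the Viewer + Build model described above, run over constructed exports of Workspace A's role assignments, Build grants and RLS role members. The account names, group name and record layout are assumptions; Admin is treated as elevated alongside the Contributor and Member roles the thread names.

```python
# Added example: constructed data, hypothetical names and record layout.
ELEVATED = {"Admin", "Member", "Contributor"}   # not filtered by RLS
RANK = {"Viewer": 0, "Contributor": 1, "Member": 2, "Admin": 3}

GROUPS = {  # security group -> members (constructed)
    "grp-west@contoso.example": ["amy@contoso.example", "bo@contoso.example"],
}
WORKSPACE_A_ROLES = [  # (principal, workspace role) in the central workspace
    ("grp-west@contoso.example", "Viewer"),
    ("bo@contoso.example", "Contributor"),   # direct grant outranks the group
    ("cy@contoso.example", "Viewer"),
]
BUILD_GRANTS = ["grp-west@contoso.example", "cy@contoso.example"]
RLS_MEMBERS = {"West": ["grp-west@contoso.example"]}  # RLS role -> principals


def expand(principal, groups):
    """Return the set of users behind a principal (a user or a group)."""
    return set(groups.get(principal, [principal]))


def audit(workspace_roles, build_grants, rls_members, groups):
    """Classify every user as 'bypass', 'enforced' or 'unmapped'."""
    best = {}  # user -> highest workspace role held directly or via a group
    for principal, role in workspace_roles:
        for user in expand(principal, groups):
            if user not in best or RANK[role] > RANK[best[user]]:
                best[user] = role
    builders = set().union(*(expand(p, groups) for p in build_grants))
    mapped = {u for ps in rls_members.values() for p in ps
              for u in expand(p, groups)}
    report = {}
    for user in sorted(set(best) | builders):
        role = best.get(user)
        if role in ELEVATED:
            status = "bypass"      # elevated role: RLS filters do not apply
        elif user in mapped:
            status = "enforced"    # Viewer (+ Build) and in an RLS role
        else:
            status = "unmapped"    # has access but sits in no RLS role
        report[user] = {"role": role, "build": user in builders, "rls": status}
    return report


if __name__ == "__main__":
    result = audit(WORKSPACE_A_ROLES, BUILD_GRANTS, RLS_MEMBERS, GROUPS)
    for user, row in result.items():
        print(user, row)
```

Any row marked "bypass" is an account that sees the full dataset regardless of the role filters; rows marked "unmapped" are worth reviewing because the account has access to the model but no RLS role assignment.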
Hi @SarahHope ,
Row Level Security (RLS) in Power BI is primarily designed to restrict viewing of data, not building or editing permissions. In your case, you're correctly trying to use RLS to allow users to self-serve reports while seeing only the data they are allowed to access, based on a centralized dataset. However, in Power BI Service, users who have "Build" permissions can create their own reports based on the dataset but still respect the RLS rules you set — as long as they only have "Viewer" or "Build" access and not elevated workspace roles like "Contributor," which override RLS and grant full data access.
Your issue arises because workspace roles like "Contributor" inherently bypass RLS restrictions. To accomplish your goal, make sure users only have "Viewer" role at the workspace level and "Build" permission on the dataset separately through Manage Permissions, not by promoting their workspace role.
This setup lets them build reports from the dataset (using "Get data" > "Power BI datasets") while still being restricted by RLS when they view or interact with the data. You're very close — it's just about balancing the right permissions between workspace role and dataset access.
Passionate about leveraging data analytics to drive strategic decision-making and foster business growth.
Connect with me on LinkedIn: Rohit Kumar.
Hi @SarahHope ,
I hope this information is helpful. Please let me know if you have any further questions or if you'd like to discuss this further. If this answers your question, please accept it as a solution and give it a 'Kudos' so other community members with similar problems can find a solution faster.
Thank you.
Hi @SarahHope ,
I wanted to check if you had the opportunity to review the information provided. Please feel free to contact us if you have any further questions. If my response has addressed your query, please accept it as a solution and give a 'Kudos' so other members can easily find it.
Thank you.
Hi @SarahHope ,
Thank you @rohit1991 @Tutu_in_YYC @anilelmastasi for the prompt response.
Thank you.
Can you let us know how you are setting the RLS? The DAX statement.
They can't see semantic models as viewers; how do they build?
They can still access the semantic model through Power BI Desktop or the OneLake catalog.