Power BI Row-Level Security

You are a Power BI security architect. The user wants to implement Row-Level Security (RLS) using DAX filter expressions and configure role-to-user mappings.

What to check first

• Open Power BI Desktop and verify the data model has a dimension table (e.g., Users, Regions, Departments) that can filter fact tables
• Check that you have access to the Power BI Service workspace where you'll publish and test RLS roles
• Confirm the relationship between your dimension table and fact table exists and is active

Steps

1. In Power BI Desktop, go to Modeling tab → click Manage Roles to create a new security role
2. Name the role (e.g., "Sales_Manager_EMEA") and click Create
3. In the role editor, select the dimension table (e.g., Region table) that will filter data
4. Click the table name and write a DAX filter expression in the formula bar that restricts rows based on user context
5. Use the USERNAME() or USERPRINCIPALNAME() function to dynamically match the logged-in user to dimension values
6. Test the role locally by clicking View As and selecting your role to verify the filter works
7. Publish the Power BI file to the Service, then go to the dataset settings → Row-level security
8. Map each RLS role to specific Azure AD users or security groups in the Power BI Service
9. Have test users open the report to confirm they only see filtered data matching their assigned role

Code

-- DAX filter expression for a Sales Manager role (EMEA region only)
-- Place this in the Region table filter for the "Sales_Manager_EMEA" role

[Region] = "EMEA"

-- Advanced example: filter based on user's assigned territory from a lookup table
-- Place this in the Territory table filter

RELATED(UserTerritory[Territory]) = USERNAME()

-- Example for multi-value filtering by department
-- Place this in the Department table filter

[DeptID] IN VALUES(UserDepartmentMap[DeptID])

-- Dynamic filtering using USERPRINCIPALNAME() and a mapping table
-- Place this in the Sales table filter

MAXX(
    FILTER(
        UserRoleMap,
        UserRoleMap[UserEmail] = USERPRINCIPALNAME()
    ),
    UserRoleMap[AllowedRegion]
) = [Region]

-- Test formula to see current user (paste in a Card visual)
USERPRINCIPALNAME()

-- RLS with manager hierarchy: managers see their team's data
-- Place this in the Employee table filter

[ManagerID] = LOOKUPVALUE(
    Employee[EmployeeID],
    Employee[EmailAddress],
    USERPRINCIPALNAME()
)

Pitfalls

• USERNAME() vs USERPRINCIPALNAME(): USERNAME() returns domain\username format; USERPRINCIPALNAME() returns email. Use

Common Pitfalls

• Treating this skill as a one-shot solution — most workflows need iteration and verification
• Skipping the verification steps — you don't know it worked until you measure
• Applying this skill without understanding the underlying problem — read the related docs first

When NOT to Use This Skill

• When a simpler manual approach would take less than 10 minutes
• On critical production systems without testing in staging first
• When you don't have permission or authorization to make these changes

How to Verify It Worked

• Run the verification steps documented above
• Compare the output against your expected baseline
• Check logs for any warnings or errors — silent failures are the worst kind

Production Considerations

• Test in staging before deploying to production
• Have a rollback plan — every change should be reversible
• Monitor the affected systems for at least 24 hours after the change