How to Apply RLS in Power BI Service
Need to control who sees what in your Power BI reports? Row-Level Security (RLS) is the feature you’re looking for. It lets you create one master report but intelligently show different data to different users, ensuring people only see the information relevant to them. This guide will walk you through exactly how to define your security rules in Power BI Desktop and then apply them in Power BI Service.
What is Row-Level Security (RLS)?
Row-Level Security, or RLS, is a data governance feature that limits data access for specific users at the data row level. Think of it as a smart, automated filter that's applied based on who is logged in and viewing the report. Instead of building ten different reports for ten different regional managers, you can build one report and use RLS to ensure each manager only sees sales figures for their specific region.
This is incredibly useful for:
- Data Confidentiality: Preventing team members from seeing sensitive data outside their scope, like sales reps only viewing their own accounts.
- Regulatory Compliance: Meeting data privacy standards like GDPR by restricting access to personal information.
- Simplified Reporting: Maintaining a single report for your entire organization, which drastically cuts down on maintenance and potential errors.
Part 1: Setting Up RLS Roles in Power BI Desktop
Your journey with RLS begins in Power BI Desktop. This is where you'll define the "rules" or "roles" that determine who gets to see what. These rules are then published to Power BI Service, where you assign actual users to them.
Step 1: Open Your Report in Power BI Desktop
First, open the Power BI file (.pbix) that contains the data and visuals you want to secure. We'll be working with a sample sales report that includes data for multiple countries.
Step 2: Create Roles Using "Manage Roles"
Once your report is open, head over to the Modeling tab in the ribbon at the top of the screen. Look for the "Security" section and click on Manage Roles.
The "Manage roles" window will appear. Here, you can create, modify, or delete the roles for your report.
- Click the Create button.
- Give your new role a descriptive name. For our example, let's call it Canada Sales.
- Repeat the process to create a second role named USA Sales. You should now have two roles listed in the Roles pane.
Free PDF · the crash course
AI Agents for Marketing Crash Course
Learn how to deploy AI marketing agents across your go-to-market — the best tools, prompts, and workflows to turn your data into autonomous execution without writing code.
Step 3: Define DAX Filter Expressions
With your roles created, it's time to define the filter rules using DAX (Data Analysis Expressions). Don't worry, you don't need to be a DAX expert for basic RLS.
In the "Manage roles" window:
- Select the Canada Sales role.
- In the Tables pane to the right, find the table you want to filter. Let's say we have a table called 'Sales'.
- Click the three dots (...) next to the 'Sales' table and select Add filter, then choose the column you want to filter by — in this case, Country.
- In the Table filter DAX expression box, you will now see
[Country] = "Value". Replace "Value" with the actual value for your filter. The final expression should be:
This simple formula tells Power BI: "For anyone assigned to the Canada Sales role, only show rows in the 'Sales' table where the 'Country' column is 'Canada'."
Now, repeat the process for your USA Sales role with the following expression:
[Country] = "USA"
Once you've defined the rules for all your roles, click Save.
Step 4: Validate Your Roles with "View as"
Before publishing, it’s essential to test your roles to make sure they work as expected. Power BI Desktop has a great built-in feature for this.
- On the Modeling tab, click View as.
- In the "View as roles" window, select one of the roles you created, like Canada Sales.
- Click OK.
You’ll now see a yellow banner at the top of your report indicating that you are viewing the report as the "Canada Sales" role. All the charts, tables, and slicers in your report should instantly update to show data only for Canada. To revert back, just click "Stop viewing" on the yellow banner.
A Quick Look at Dynamic RLS
The method we just covered is called Static RLS. It's perfect when you have a handful of distinct teams. But what if you have 200 sales reps and want each person to only see their own sales data? Creating 200 different roles would be a nightmare.
This is where Dynamic RLS comes in. It uses a single rule that automatically filters data based on the user's login email.
Instead of hardcoding a value like "Canada", you’d use a DAX function called USERPRINCIPALNAME(). This function returns the email address of the person currently viewing the report in Power BI Service.
A common setup for dynamic RLS involves a mapping table that links user emails to the data they're allowed to see (e.g., a table with Email and Country columns). Your DAX rule for a single "Sales Repr" role might then look something like this:
[Email] = USERPRINCIPALNAME()
This versatile rule handles all 200 reps without needing any additional roles. When a rep logs into Power BI Service, the system identifies their email, finds it in your mapping table, and filters the sales data accordingly.
Part 2: Applying and Managing RLS in Power BI Service
Now that your roles are defined and tested in Power BI Desktop, you’re ready for the final steps: publishing the report and assigning users in the Power BI Service.
Step 1: Publish Your Report to Power BI Service
Back in Power BI Desktop, go to the Home tab and click the Publish button. You'll be prompted to select a destination workspace in your Power BI account. Choose your workspace and click "Select." Once it's published, you're ready to manage security.
Step 2: Navigate to the Dataset Security Settings
Log in to your Power BI account (app.powerbi.com) and navigate to the workspace where you just published your report.
It's important to remember that RLS is applied to the dataset, not the report itself. Find your dataset in the workspace, hover over it, click the three-dot menu (...), and select Security.
Step 3: Assign Users or Groups to Roles
The "Row-Level Security" page will show a list of the roles you created in Power BI Desktop (e.g., Canada Sales and USA Sales). Now you can assign people to these roles.
- Select the Canada Sales role.
- In the text box, start typing the email address of the individual or Microsoft 365 security group you want to add to this role.
- Select the correct user or group from the list, then click Add.
- Finally, click Save.
Repeat this process to assign users to your other roles. Now, when these users view the published report, their view will be automatically filtered based on the role you assigned them to.
Free PDF · the crash course
AI Agents for Marketing Crash Course
Learn how to deploy AI marketing agents across your go-to-market — the best tools, prompts, and workflows to turn your data into autonomous execution without writing code.
Step 4: How to Test Your RLS Setup in Power BI Service
What if you need to double-check that everything is configured correctly in the service? You can test the experience without having to log in as another user.
On the same "Row-Level Security" page:
- Click the three-dot menu (...) next to the role name you want to test.
- Select Test as role.
This will open your report, filtered as if you were a member of that role. This is the best way to confirm that your security settings are working exactly as intended before notifying your team.
Common RLS Pitfalls and Best Practices
Implementing RLS is fairly straightforward, but here are a few things to watch out for:
- Workspace Roles override RLS: This is a big one. Anyone assigned an "Admin," "Member," or "Contributor" role in a Power BI workspace will be able to see all data in the dataset, regardless of RLS rules. For RLS to apply, users must be assigned the Viewer role in the workspace.
- Performance impact: Complex DAX rules for RLS can sometimes slow down report performance, especially with large datasets. Keeping your DAX expressions simple and your data model efficient will help.
- Data model relationships: RLS filters propagate through the relationships in your data model. Ensure your table relationships are set up correctly on a "one-to-many" or "one-to-one" basis with the correct filter direction.
Final Thoughts
Row-Level Security is a powerful, must-have feature for deploying secure, scalable, and personalized reports in Power BI. By creating rules in Power BI Desktop and assigning users to those roles in Power BI Service, you can maintain a single, clean version of your report while ensuring sensitive data remains protected.
While mastering the security features in a tool like Power BI is a huge asset, it's just one part of the data landscape. Sometimes, the real-time-to-insight comes from not having to build complex models at all. That’s why we created Graphed. We connect directly to your marketing and sales tools like Google Analytics, Shopify, and Salesforce, allowing you to use simple, natural language to build dashboards instantly. Instead of spending hours defining security rules, you can ask a question like, "Show me last month's sales by rep for the US team," and get a live, shareable report in seconds.
Related Articles
Facebook Ads for Auto Repair Shops: The Complete 2026 Strategy Guide
Learn how to run Facebook ads for auto repair shops in 2026. Discover targeting strategies, budget recommendations, ad creative tips, and proven tactics to fill your appointment book consistently.
Facebook Ads for Realtors: The Complete 2026 Strategy Guide
Discover how to use Facebook Ads for realtors to generate more leads in 2026. Learn proven strategies, targeting methods, and budget recommendations for your real estate business.
Facebook Ads for Accountants: The Complete 2026 Strategy Guide
Learn how to use Facebook ads for accountants to attract new clients in 2026. Discover targeting strategies, campaign setup, budgeting, and optimization techniques.