How to Set Row Level Security in Power BI

Showing the right data to the right people is fundamental to effective reporting. With Power BI’s Row-Level Security (RLS), you can ensure that users only see the data they are authorized to view, all within the same report. This article will walk you through exactly how to set up both static and dynamic RLS to secure your data and deliver personalized report experiences.

Graphed

Still Building Reports Manually?

Watch how growth teams are getting answers in seconds — not days.

Watch the Demo

What Exactly is Row-Level Security?

Row-Level Security (RLS) is a Power BI feature that restricts data access for specific users. Think of it as a set of rules that filters your data based on who is viewing the report. Instead of creating dozens of separate reports for different people or teams, you build one master report and use RLS to control what each user sees.

For example, imagine a sales dashboard for your entire company. With RLS, the VP of Sales can see data from all regions. A regional manager for North America, however, will only see data for North American sales reps. And those individual reps? They'll only see their own sales figures. Everyone uses the same report, but their view is filtered automatically.

There are two primary ways to implement RLS in Power BI:

• Static RLS: You create fixed roles with simple filter rules. This method works well when you have a small, predictable number of groups, like "USA Team," "Canada Team," and "Europe Team."
• Dynamic RLS: The filter rules adapt based on the user's login credentials (like their email address). This is the preferred, scalable method for situations with many users, as it avoids the need to create hundreds of individual roles.

Method 1: Setting Up Static Row-Level Security

Static RLS is the most straightforward approach and is perfect for reports where your user groups don't change often. Let’s stick with our sales example and create roles for different sales regions.

Step 1: Open Your Report in Power BI Desktop

First things first, open the Power BI report file (.pbix) that you want to secure.

Graphed

Still Building Reports Manually?

Watch how growth teams are getting answers in seconds — not days.

Watch the Demo

Step 2: Go to Manage Roles

In the top ribbon, click on the Modeling tab. From there, you'll see a section for Security. Click on Manage Roles.

Step 3: Create Your Roles

The "Manage roles" window is where you'll define your security rules.

1. Click the Create button to add a new role.
2. Rename the new role to something descriptive. For our example, let's call it North America Sales.
3. Let's create another one for Europe and call it Europe Sales.

You now have two roles, but they don't do anything yet. The next step is to define the filter rules.

Step 4: Define the DAX Filter Expression

This is where the magic happens. You’ll use a simple DAX (Data Analysis Expressions) formula to tell Power BI how to filter the data for each role.

1. Select the North America Sales role.
2. Under "Tables," find the table that contains the data you want to filter (e.g., a table named Sales with a Region column).
3. In the "Table filter DAX expression" box, enter the following formula:

[Region] = "North America"

1. Now, select the Europe Sales role and apply its filter. In the same expression box, enter:

[Region] = "Europe"

This simple expression tells Power BI: "For a user in this role, only show rows in the Sales table where the value in the Region column is equal to 'North America'." After you add your expressions, click Save.

Step 5: Test and Validate Your Roles

Before publishing, you must test your roles to make sure they work correctly. Back on the Modeling tab, click View as.

The "View as" window will pop up, allowing you to see the report as if you were a user assigned to a specific role. Check the box for North America Sales and click OK. Your report will now reload, showing only data for the North America region. You can go back and test the Europe Sales role to confirm it works too. This is a crucial step to catch any mistakes before your users do.

Graphed

Still Building Reports Manually?

Watch how growth teams are getting answers in seconds — not days.

Watch the Demo

Method 2: Setting Up Dynamic Row-Level Security

Static RLS is great for a few roles, but what if you have 100 sales reps and you want each one to see only their own data? Creating 100 separate roles would be a nightmare. This is where Dynamic RLS shines. It uses a single role and filters the data based on the user's login email.

Step 1: Get Your Data Model Ready

Dynamic RLS requires a supporting table in your data model that maps users to what they're allowed to see. This is often called a permissions table or an employee lookup table. At a minimum, this table needs two columns:

• A column containing the user's email address (e.g., EmailAddress). This email must match the one they use to log into the Power BI service.
• A column containing the value you want to filter by (e.g., Salesperson_ID, Region, Country).

Here’s an example of a simple Employees table:

Make sure this table has a relationship to your main data table (e.g., the Employees table is related to the Sales table).

Step 2: Create a Single Dynamic Role

Just like before, go to Modeling > Manage Roles. Click "Create" and give your role a general name, like Sales Reps. We only need this one role to handle all users.

Step 3: Write the Dynamic DAX Expression

This is where dynamic RLS differs. We'll use a DAX function that automatically detects the logged-in user.

1. Select the Sales Reps role.
2. Find your permissions table (in our case, the Employees table).
3. In the "Table filter DAX expression" box, enter this formula:

[EmailAddress] = USERPRINCIPALNAME()

The USERPRINCIPALNAME() function is the key. When a user views the report in the Power BI service, this function returns their login email. The formula then filters the entire data model so they only see rows associated with their email record in the Employees table. Click Save.

Graphed

Still Building Reports Manually?

Watch how growth teams are getting answers in seconds — not days.

Watch the Demo

Step 4: Test the Dynamic Role

Click on View as under the Modeling tab again. This time, check the box for your Sales Reps role. Additionally, check the Other user box and enter the email address of a user from your permissions table (e.g., anna@yourcompany.com). Click OK.

Your report will update to show only the data for that specific user. You can test several different emails this way to confirm the dynamic filtering is working as expected.

Putting It All Together in the Power BI Service

Defining roles in Power BI Desktop is just the setup. To make it work for your users, you need to publish the report and assign people to the roles you created.

1. Publish Your Report: Once you're done testing, publish your report from Power BI Desktop to a workspace in the Power BI service.
2. Find the Dataset Settings: In the Power BI service, navigate to the workspace where you published the report. Find the dataset (not the report itself), click the three dots (...) next to it, and select Security.
3. Assign Users to Roles: On the Row-Level Security page, you'll see the roles you created (e.g., North America Sales, Sales Reps). Select a role, and then in the "Members" text box, start typing the email addresses of the users or security groups you want to assign to that role. Click Add, and then Save.

Now, when those users open the shared report, Power BI will apply the RLS rules, and they will only see the data you’ve permitted them to see.

Final Thoughts

Implementing Row-Level Security in Power BI transforms a single report into a personalized and secure analytics tool for your entire team. Whether you use the simple static approach for well-defined groups or the scalable dynamic method for individual users, RLS is a powerful way to govern data access without multiplying your workload.

Getting your data security just right is one part of a larger data challenge. We created Graphed because we believe the whole process - from connecting data sources to getting real answers - should be faster and simpler. Instead of wrestling with complex setups like RLS, we provide an AI analyst that lets you automatically generate real-time dashboards just by describing what you need in plain English. Your marketing and sales data gets connected, centralized, and ready for you to ask a question and get an instant visual answer, letting you and your team focus on business strategy, not BI configuration.