Row-level security (RLS) with Power BI Desktop
Row-level security (RLS) with Power BI Desktop restricts data access for given users. Filters restrict data at the row level. You can define filters within roles.
You can now configure RLS for data models imported into Power BI with Power BI Desktop. You can also configure RLS on datasets that are using DirectQuery, such as SQL Server. Previously, you were only able to implement RLS within on-premises Analysis Services models outside of Power BI. For Analysis Services live connections, you configure Row-level security on the on-premises model. The security option does not show up for live connection datasets.
If you defined roles and rules within the Power BI service, you will need to recreate those roles within Power BI Desktop and publish the report to the service.
Learn more about options for RLS within the Power BI Service.
Define roles and rules within Power BI Desktop
You can define roles and rules within Power BI Desktop. When you publish to Power BI, it will also publish the role definitions.
To define security roles, you can do the following.
Import data into your Power BI Desktop report, or configure a DirectQuery connection.
You cannot define roles within Power BI Desktop for Analysis Services live connections. You will need to do that within the Analysis Services model.
Select the Modeling tab.
Select Manage Roles.
Provide a name for the role.
Select the table that you want to apply a DAX rule.
Enter the DAX expressions. This expression should return a true or false. For example: [Entity ID] = “Value”.
You can use username() within this expression. Be aware that username() will have the format of DOMAIN\username within Power BI Desktop. Within the Power BI service, it will be in the format of the user's UPN. Alternatively, you can use userprincipalname(), which always returns the user in the format of their user principal name.
After you have created the DAX expression, you can select the check above the expression box to validate the expression.
You cannot assign users to a role within Power BI Desktop. This is done within the Power BI service. You can enable dynamic security within Power BI Desktop by making use of the username() or userprincipalname() DAX functions and having the proper relationships configured.
Validating the role within Power BI Desktop
After you have created your role, you can test the results of the role within Power BI Desktop. To do this, select View As Roles.
The View as roles dialog lets you change the view of what you're seeing for that specific user or role. You can see the roles you've created.
Select the role you created and then select OK to apply that role to what you're viewing. The reports only render the data relevant for that role.
You can also select Other user and supply a given user. It is best to supply the User Principal Name (UPN) as that is what the Power BI service uses. Select OK and the reports render based on what that user can see.
Within Power BI Desktop, this only displays different results if you are using dynamic security based on your DAX expressions.
Following is a list of the current limitations for row-level security on cloud models.
- If you previously had roles and rules defined within the Power BI service, you will need to recreate them within Power BI Desktop.
- You can define RLS only on the datasets created using Power BI Desktop client. If you want to enable RLS for datasets created with Excel, you will need to convert your files into PBIX files first. Learn more
- Only ETL and DirectQuery connections are supported. Live connections to Analysis Services are handled in the on-premises model.
- Q&A and Cortana is not supported with RLS at this time. You will not see the Q&A input box for dashboards if all models have RLS configured. This is on the roadmap, but a timeline is not available.
- For any given model, the maximum number of Azure AD principals (that is, individual users or security groups) that can be assigned to security roles is 1,000. To assign large numbers of users to roles, be sure to assign security groups, rather than individual users.
There is a known issue where an error message results when trying to publish from Power BI Desktop if it was previously published. The scenario is as follows.
- Anna has a dataset that is publised to the Power BI service and has configured RLS.
- Anna updates the report in Power BI Desktop and re-publishes.
- Anna receives an error.
Workaround: Re-publish the Power BI Desktop file from the Power BI service until this issue is resolved. You can do that by selecting Get Data > Files.
Question: What if I had previously created roles and rules for a dataset in the Power BI service? Will they still work if I do nothing?
Answer: No. Visuals will not render properly. You will have to re-create the roles and rules within Power BI Desktop and then publish to the Power BI service.
Question: Can I create these roles for Analysis Services data sources?
Answer: You can if you imported the data into Power BI Desktop. If you are using a live connection, you will not be able to configure RLS within the Power BI service. This is defined within the Analysis Services model on-premises.
Question: Can I use RLS to limit the columns or measures accessible by my users?
Answer: No. If a user has access to a particular row of data, they can see all the columns of data for that row.
Question: Does RLS let me hide detailed data but give access to data summarized in visuals?
Answer: No, you secure individual rows of data but users can always see either the details or the summarized data.
More questions? Try asking the Power BI Community