Row-level security (RLS) with Power BI
Row-level security (RLS) with Power BI can be used to restrict data access for given users. Filters restrict data at the row level. You can define filters within roles.
You can configure RLS for data models imported into Power BI with Power BI Desktop. You can also configure RLS on datasets that are using DirectQuery, such as SQL Server. Previously, you were only able to implement RLS within on-premises Analysis Services models outside of Power BI. For Analysis Services live connections, you configure Row-level security on the on-premises model. The security option will not show up for live connection datasets.
Define roles and rules within Power BI Desktop
You can define roles and rules within Power BI Desktop. When you publish to Power BI, it will also publish the role definitions.
To define security roles, you can do the following.
Import data into your Power BI Desktop report, or configure a DirectQuery connection.
You cannot define roles within Power BI Desktop for Analysis Services live connections. You will need to do that within the Analysis Services model.
- Select the Modeling tab.
Select Manage Roles.
- Provide a name for the role.
- Select the table that you want to apply a DAX rule.
Enter the DAX expressions. This expression should return a true or false. For example: [Entity ID] = “Value”.
You can use username() within this expression. Be aware that username() will have the format of DOMAIN\username within Power BI Desktop. Within the Power BI service, it will be in the format of the user's UPN. Alternatively, you can use userprincipalname() which will always return the user in the format of their user principal name.
After you have created the DAX expression, you can select the check above the expression box to validate the expression.
- Select Save.
You cannot assign users to a role within Power BI Desktop. This is done within the Power BI service. You can enable dynamic security within Power BI Desktop by making use of the username() or userprincipalname() DAX functions and having the proper relationships configured.
By default, row-level security filtering uses single-directional filters, regardless of whether the relationships are set to single direction or bi-directional. You can manually enable bi-directional cross-filter with row-level security by selecting the relationship and checking the Apply security filter in both directions checkbox. You should check this box when implementing dynamic row-level security, wherein you provide row-level security based on user name or login ID.
For more information, see Bidirectional cross-filtering using DirectQuery in Power BI Desktop and the Securing the Tabular BI Semantic Model technical article.
Validating the role within Power BI Desktop
After you have created your role, you can test the results of the role within Power BI Desktop. To do this, select View As Roles.
The View as roles dialog allows you to change the view of what you are seeing for that specific user or role. You will see the roles you have created.
You select the role you created and then select OK to apply that role to what you are viewing. The reports will only render the data relevant for that role.
You can also select Other user and supply a given user. It is best to supply the User Principal Name (UPN) as that is what the Power BI service will use. Select OK and the reports will render based on what that user can see.
Within Power BI Desktop, this will only display different results if you are using dynamic security based on your DAX expressions.
Manage security on your model
To manage security on your data model, you will want to do the following.
- Select the ellipse (…) for a dataset.
This will take you to the RLS page for you to add members to a role you created in Power BI Desktop. Only the owners of the dataset will see Security available. If the dataset is in a Group, only Administrators of the group will see the security option.
You can only create or modify roles within Power BI Desktop.
Working with members
You can add a member to the role by typing in the email address, or name, of the user, security group or distribution list you want to add. This member has to be within your organization. You cannot add Groups created within Power BI.
You can also see how many members are part of the role by the number in parenthesis next to the role name, or next to Members.
You can remove members by selecting the X next to their name.
Validating the role within the Power BI service
You can validate that the role you defined is working correctly by testing the role.
- Select the ellipsis (...) next to the role.
- Select Test data as role
You will then see reports that are available for this role. Dashboards are not presented in this view. In the blue bar above, you will see what is being applied.
You can test other roles, or combination of roles, by selecting Now viewing as.
You can choose to view data as a specific person, or you can select a combination of available roles to validate they are working.
To return to normal viewing, select Back to Row-Level Security.
Using the username() or userprincipalname() DAX function
You can take advantage of the DAX functions username() or userprincipalname() within your dataset. You can use them within expressions in Power BI Desktop. When you publish your model, it will be used within the Power BI service.
Within Power BI Desktop, username() will return a user in the format of DOMAIN\User and userprincipalname() will return a user in the format of email@example.com.
Within the Power BI service, username() and userprincipalname() will both return the user's User Principal Name (UPN). This looks similar to an email address.
Using RLS with app workspaces in Power BI
If you publish your Power BI Desktop report to an app workspace within the Power BI service, the roles will be applied to read-only members. You will need to indicate that members can only view Power BI content within the app workspace settings.
If you have configured the app workspace so that members have edit permissions, the RLS roles will not be applied to them. Users will be able to see all of the data.
Here is a list of the current limitations for row-level security on cloud models.
- If you previously had roles/rules defined within the Power BI service, you will need to recreate them within Power BI Desktop.
- You can define RLS only on the datasets created using Power BI Desktop client. If you want to enable RLS for datasets created with Excel, you will need to convert your files into PBIX files first. Learn more
- Only ETL, and DirectQuery connections are supported. Live connections to Analysis Services are handled in the on-premises model.
- Q&A and Cortana is not supported with RLS at this time. You will not see the Q&A input box for dashboards if all models have RLS configured. This is on the roadmap, but a timeline is not available.
- External sharing is not currently supported with datasets that use RLS.
- For any given model, the maximum number of Azure AD principals (i.e. individual users or security groups) that can be assigned to security roles is 1,000. To assign large numbers of users to roles, be sure to assign security groups, rather than individual users.
There is a known issue where you will receive an error message when trying to publish from Power BI Desktop if it was previously published. The scenario is as follows.
- Anna has a dataset that is publised to the Power BI service and has configured RLS.
- Anna updates the report in Power BI Desktop and re-publishes.
- Anna will receive an error.
Workaround: Re-publish the Power BI Desktop file from the Power BI service until this issue is resolved. You can do that by select Get Data > Files.
Question: What if I had previously created roles/rules for a dataset in the Power BI service? Will they still work if I do nothing?
Answer: No. Visuals will not render properly. You will have to re-create the roles/rules within Power BI Desktop and then published to the Power BI service.
Question: Can I creates these roles for Analysis Services data sources?
Answer: You can if you imported the data into Power BI Desktop. If you are using a live connection, you will not be able to configure RLS within the Power BI service. This is defined within the Analysis Services model on-premises.
Question: Can I use RLS to limit the columns or measures accessible by my users?
Answer: No. If a user has access to a particular row of data, they can see all the columns of data for that row.
Question: Does RLS allow me to hide detailed data but give access to data summarized in visuals?
Answer: No, you secure individual rows of data but users can always see either the details or summarized data.
More questions? Try asking the Power BI Community