Configuring Row-level security (RLS) in Power BI

Row-level security (RLS) is a Power BI feature where restrictions to data are created for certain users. In other words, it defines roles that protect databases from unauthorized access to personal data.

When configuring Row-level security (RLS) it is important to note that roles are filtering data out of your data model. RLS is not the same as prefiltered or default views. Filters are used to restrict access at the row level. Filters can be used within roles. Additionally, RLS should also not be confused with bookmarks.

In this blog, you will learn how to configure Row-level security for users through Power BI desktop and in the Power BI Service environment.

Firstly, we will look at a quick demonstration of RLS, secondly, we will go into a bit more detail about what it has done. And finally, we will briefly go over the impacts of RLS on some of the Power BI features.

Demonstration and Steps for configuring of Row-level security in Power BI Desktop and Power BI Service:

1. Desktop

Row-level Security (RLS) Desktop

In the Desktop demonstration, we see that the report initially shows data for all countries.

We start by setting up the RLS for the European Accessories Manager:

Steps to configure RLS in Desktop:

1.1. Navigate to the Modeling tab, then click on Manage Roles.

RLS Modelling Desktop

1.2. From the Manage roles window, select Create.

create RLS from manage roles

1.3. The name created for this role is, “European Accessories Manager”.

1.4. Select the table from which you want to create the rule. In this instance, we choose the AW_Territories_Lookup table.

Table used for DAX expression

1.5. Then we create a DAX rule from the AW_Territories_Lookup table. This rule returns a true or false result. Here we want the expression to return true when the continent is Europe.

DAX Expression True or false RLS

1.6. From the Table filter DAX expression  box, the DAX expression that will return true or false is entered as:

[Contintent] = “Europe”

1.7. To validate the DAX expression just created, press the checkmark.

Chack mark to validate DAX expression RLS

1.8. Then press save, once you’ve configured the DAX expression.

Now you have restricted the continent from the AW_Territories_Lookup table to Europe through the use of a DAX expression. This means that the user assigned to this RLS should only see Europe when logging in. You can take this even further by restricting each city within Europe and assigning individual respondents accordingly.

2. Validate Role in Power BI Desktop

Steps to validate roles created in Power BI Desktop:

2.1. Select View as Roles from the Modelling tab.

View as from modelling tab

2.2. Then select the Role that you have created.view as role that you created. RLS, Validation

2.3. You can also select another user to view the role that was created.

Other user to validate RLS

2.4. Then select OK

3. Power BI Service (Security on your model)

After setting up and testing the RLS in the desktop environment. You can go ahead and save and publish to Power BI Service. The roles that you define in Power BI Desktop will be included when you publish to Power BI service.

Row-level Security (RLS) Cloud

Steps to manage security in Power BI Service (Cloud):

3.1. Navigate to the dataset that you want to set security for.

finding dataset where roles are defined RLS Power BI

3.2. Navigating to the ellipsis, then click on security.

navigate to elipsis then select security for RLS for roles defined Power BI service

3.3. Then you can assign an e-mail address to the role that you defined in the Desktop environment. In this case, the previous role was the European Accessories manager.

security in Power BI, RLS Power BI Service

Note that security available will only be visible to the Owners of the dataset. Similarly, only Administrators of the group will see security in cases where the dataset is in a group. New roles can only be created and modified in Power BI Desktop.

4. Validate Roles Power BI Service 

4.1. Similar to the Dekstop environment. You will start by navigating to Role-Level security, then clicking the ellipsis next to the role that was defined. Then you can press, test as role.

test as role in Power BI service

Now viewing as. Testing role in Power BI Service. RLS

RLS impacts on some features of Power BI:

You won’t be able to subscribe to e-mails if RLS is configured for any of your underlying datasets. You will also find that the Quick insights option is grayed out.

This concludes this blog on configuring Row-level Security in Power BI. For other interesting reads, please visit our other blogs.