Row Level Security
Control row-level access to Power BI content
Last updated
Control row-level access to Power BI content
Last updated
Row Level Security (RLS) allows you to limit the viewable information within a Power BI Report at the row-of-data level for specific user roles. For example, if your company has an Eastern and Western division, you may wish to restrict access so that Eastern users only see Eastern Data, and Western users see Western Data.
You’ll be able to assign Roles based on those you’ve created within Power BI. To learn how to create Roles in Power BI, see this Microsoft tutorial:
Once you've created your Roles in Power BI, you can assign them to Groups/Users of your Reporting Hub tenant(s). To do so:
Follow the standard Embedding Power BI Content process.
When assigning access permission, the Reporting Hub will detect if your report has Row Level Security enabled within Power BI. Under the Groups/Users Selected header, you will be asked to assign a Role for each Group/User.
Click the eye icon to preview how your Power BI report will look according to the Role you’ve assigned.
Click Save
Note: If Role Level Security has been enabled for your Report within Power BI, you must assign Roles to your Groups/Users in order to Save.
Note: Make sure you don't have special characters in the name of RLS roles. That can cause issues while configuring the report and applying the roles to user groups.
Good to know: The Reporting Hub supports both standard RLS and dynamic RLS for more complex scenarios.
If you utilize a DAX identity function, like USERPRINCIPALNAME() or USERNAME(), you need to add a security role to your Power BI model. This will allow the Reporting Hub to pass along the correct user identity in the embedded report. If you don't need to filter any tables, create an empty security role in your Power BI model.
The Reporting Hub will pass along your users' identity attribute as the property that the DAX identity function will display. For Entra ID-based authentication methods, this is what's called the User Principal Name in Entra ID; for internal users, this is usually an email address. For Auth0, this is the user id object by default, but you can configure your authentication scheme to return another field by using the Custom ID field option. You can always check what a DAX identity function returns for you by uploading a report that contains a measure like username = USERNAME().
If your report is in a different workspace than its underlying semantic model and that model has RLS roles defined on it, you must ensure both workspaces are added to your Reporting Hub tenant. Learn how to connect additional Power BI Workspaces with your Reporting Hub.
