top of page
Antares Studio Games Icon_Small.png

The Antares Alien

Power BI   |  Game Development

  • Writer's pictureBrent Jones

How to use Power BI Role Level Security

Updated: Sep 30, 2020

Alien Fanfare

RLS is a security feature in Power BI that allows you to limit the data shown to users based on their role in your organization. It may sound complicated to set up, but it's really quite simple... Just three steps!

Note: Power BI Pro is required to use RLS features. See more details at for Pro licenses.

There are essentially three steps:

  1. Set up a table for your roles.

  2. Define the rules.

  3. Add the users to the Power BI service.

Step 1: Set up your Roles Table

At a bare minimum, you need to have a table with an employee identifier (ID or name), their email (company email), and any other field you want to filter on (division, department, etc.). We'll call this the RLS table. You need to use one of these columns to link to the other tables you have. For example, if you have a sales table with a column for division, you would link this column with the division column in your RLS table.

Sample Tables

Import the RLS table into Power BI. A relationship should automatically be created between the two columns, but it never hurts to check...

Power BI Relationship

Step 2: Define the RLS Rules

The next step is to enter a very simple DAX formula in the RLS window back in Power BI. Navigate to the Modeling tab, then click "Manage Roles".

Manage Roles

Click on "Create" to begin. Give the role a meaningful name as you will need to refer to it in the next step. I'll call this one "Division RLS". Click on your RLS table and enter this formula in the Dax expression box:

[Email] = Username()

Create RLS

*[Email] is the name of our column. If you choose a different column name like, "Employee_Email", you would enter [Employee_Email] instead.


Alien Tip: You can test out your RLS at this stage by clicking on "View Role As". A window will appear with several options. Check the box with the role you created as well as "Other user" option. In the "Other user" section, enter in the email of any employee to test out what they will see.

View As Roles

Step 3: Add Users on the Power BI Service

Next, you need to save and publish your report to the service. After doing so, open your report on

We're now going to add users to this RLS group. Under Datasets, navigate to your dataset and click the ellipses for more options and click "Security".

RLS Dataset

Locate your role that you created in the previous step (it'll be whatever you named it). Here, you can type in each individual's email address. Or, if you have groups set up in your organization, you can simply add the group's email address and the RLS will use that to get to the individual's email address automatically.

Add User

Click "Add" and you're done! Now all you need to do is present your report to the company and enjoy the BI hero status!

Other Details About RLS

What does the DAX expression Username() do? It actually returns different results depending on whether the report is view on the desktop or on the service. On the desktop, it simply returns the users domain and user name like this:

Desktop Username()

On the service (

Service Username()

A More Complicated Situation...

Let's say you have several teams. Each team has a leader, and you want the leader to see their direct member's data, but not the other team's data. We can accomplish this by setting up a team hierarchy table. In the following table, I have a total of 6 employees split into two teams; Team A and Team B. Each has a leader:

Team RLS

I have 3 fields / columns set up in the above table.

  • Employee - this is the employee name. I'll use this to create a relationship to the sales table (though, you would normally use an ID here).

  • Reports To - this contains the email address of the employee that the current (row level) employee reports to, i.e. the team leader.

  • Level 1 Email - this is the current employee's (row level) own email address.

I created a new sales table which includes a column for the employee name which I'll use to link the Team RLS table to.

Team Sales Table

Back in Power BI, I created the relationship for these new tables...

Now to set up the RLS expression in the "Manage Roles" window. We are going to use Username() again, but with a couple more things.

[Reports To] = Username() || [Level 1 Email] = Username()


So, what's happening here? In the above DAX expression, we are using a logical OR operator (represented by the | |'s). It performs two checks at most.

  1. First it checks if the current user is equal to any of the values in the [Reports To] field. The [Reports To] field only includes team leader email addresses. So, if the user happens to be Team Leader A, the table will filter to show all records that have in the [Reports To] field.

  2. If the current user is not equal to any values in the [Reports To] field, it then checks if the current user is equal to any values within the [Level 1 Email] column. If it gets to this step, the current user must be a team member (i.e. not a leader) and the table will filter to a single row correspondingly.


Testing out our new RLS with Team Leader B, we can see that it's working as expected. Team Leader B can see all members of Team B, and no members of Team A.

Team Leader B

Do you have any other experiences using RLS? Let me know in the comments!


If you want to improve your DAX skills and be even more of a BI hero, I highly recommend checking out "Supercharge Power BI" by Matt Allington.

  • Facebook
  • Twitter
  • Instagram
bottom of page