Guided by A Guide to Cloud

PL-300 Study Guide

Domain 1: Prepare the Data

  • Connecting to Data Sources Free
  • Storage Modes: Import, DirectQuery & DirectLake Free
  • Data Profiling & Quality Free
  • Power Query Transforms Free
  • Combining Data: Merge, Append & Queries
  • Fact Tables, Dimension Tables & Keys
  • Data Loading & Query Optimisation

Domain 2: Model the Data

  • Star Schema & Relationships
  • Date Tables & Table Properties
  • Columns vs Measures: When to Use Which
  • DAX Fundamentals Free
  • CALCULATE & Filter Context
  • Time Intelligence & Calculation Groups
  • Model Performance Optimisation

Domain 3: Visualize and Analyze the Data

  • Choosing & Formatting Visuals
  • Slicers, Filters & Interactions
  • Bookmarks, Tooltips & Navigation
  • Copilot in Power BI Reports
  • Report Pages & Paginated Reports
  • Mobile, Accessibility & Personalisation
  • AI Visuals & Pattern Discovery

Domain 4: Manage and Secure Power BI

  • Workspaces & Distribution
  • Dashboards, Alerts & Subscriptions
  • Gateways & Scheduled Refresh
  • Row-Level Security & Access Control
  • Sensitivity Labels & Governance

Domain 4: Manage and Secure Power BI Premium ⏱ ~13 min read

Row-Level Security & Access Control

Implement row-level security (RLS) to control who sees which data, assign workspace roles, configure item-level and semantic model access, and manage RLS group membership.

Controlling who sees what

☕ Simple explanation

Think of a hotel with different room keys. Everyone can enter the lobby (the report). But only North Region managers can open the North Region data room, and only South Region managers can open theirs. Same building, different access.

Row-Level Security (RLS) filters data rows based on who’s viewing the report. A regional manager sees only their region’s data. A department head sees only their department. The report is the same — but the data is different for each viewer.

Row-Level Security (RLS) restricts data access at the row level using DAX filter expressions. Roles are defined in Power BI Desktop and membership is assigned in the Power BI service. RLS works with Import, DirectQuery, and composite models.

Beyond RLS, Power BI has a layered access control model: workspace roles control who can edit/view workspace content, item-level access controls individual report/dataset permissions, and semantic model access controls who can build reports on a shared dataset.

Workspace roles

| Role | Can View | Can Edit/Publish | Can Share | Can Manage |
|---|---|---|---|---|
| Viewer | ✓ | ✗ | ✗ | ✗ |
| Contributor | ✓ | ✓ | ✗ | ✗ |
| Member | ✓ | ✓ | ✓ | ✗ |
| Admin | ✓ | ✓ | ✓ | ✓ (add/remove users, delete workspace) |

Riley at Coastal Fresh (🛒) assigns roles:

  • Admin: Herself and the BI team lead
  • Member: Department heads (can share reports with their teams)
  • Contributor: Data analysts who build new reports
  • Viewer: Store managers and regional managers who consume dashboards (RLS applies to Viewers)

Important: RLS only restricts users with the Viewer role. Admin, Member, and Contributor bypass RLS entirely. If you need RLS to apply to someone, they must be a Viewer — or consume content through an app.

Item-level and semantic model access

Item-level access grants permissions on individual reports or dashboards without giving workspace access:

  • Share a single report with a specific person
  • They see the report but not other workspace content

Semantic model access (Build permission) allows others to create new reports using your published dataset:

  • Build permission → user can create their own reports on top of your model
  • Without Build permission → user can view reports but can’t build new ones

Dr. Ethan at Bayview Medical (🏥) grants Build permission on the patient dataset to the quality team — they can build their own reports without accessing the clinical dashboard workspace.

Row-Level Security (RLS)

Step 1: Define roles in Power BI Desktop

Modeling → Manage roles → New role

Each role has a name and one or more DAX filter expressions on tables.

Example: Riley creates a role for each region:

North Region role:

[Region] = "North"

South Region role:

[Region] = "South"

Dynamic RLS uses the user’s identity instead of hardcoding values:

[ManagerEmail] = USERPRINCIPALNAME()

This filters the data to rows where the ManagerEmail column matches the logged-in user’s email. One role, works for everyone.

Step 2: Test roles in Desktop

Modeling → View as → select a role to preview what that user sees. Always test before publishing.

Step 3: Assign membership in the Power BI service

After publishing, go to the semantic model → Security → select the role → add users or security groups.

Kenji at Apex Manufacturing (🏭) uses dynamic RLS: each factory manager’s email is in the FactoryManager column. He creates one role with [FactoryManager] = USERPRINCIPALNAME() and adds all managers to that role. Each manager sees only their factory’s data.

💡 Exam tip: static vs dynamic RLS

Static RLS: Hardcoded filter values per role. Requires separate roles for each group.

Role: "North" → [Region] = "North"
Role: "South" → [Region] = "South"

Dynamic RLS: Uses USERPRINCIPALNAME() or USERNAME() to filter based on the logged-in user. One role handles everyone.

Role: "RegionManager" → [ManagerEmail] = USERPRINCIPALNAME()

The exam strongly tests dynamic RLS. Look for scenarios with a mapping table that connects user emails to data access permissions.
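
The checks below are an added example, not part of the original guide: a small Python model of the rules described above (Admin, Member and Contributor bypass RLS; a dynamic role matches rows to USERPRINCIPALNAME() through a mapping table), used to audit a planned configuration before publishing. The table names, email addresses and rows are constructed, and a role member with no mapping row is modelled as seeing no rows.

```python
# Simplified model of the access rules on this page; all data is constructed.
BYPASS_ROLES = {"Admin", "Member", "Contributor"}  # only Viewer is filtered by RLS

# Constructed fact rows and mapping table (manager email -> factory).
SALES = [
    {"Factory": "Osaka", "Units": 120},
    {"Factory": "Leeds", "Units": 80},
    {"Factory": "Austin", "Units": 200},
]
MANAGER_MAP = [
    {"FactoryManager": "aiko@apex.example", "Factory": "Osaka"},
    {"FactoryManager": "ben@apex.example", "Factory": "Leeds"},
]
WORKSPACE_ROLES = {
    "aiko@apex.example": "Viewer",
    "ben@apex.example": "Contributor",  # misconfiguration: bypasses RLS
    "cara@apex.example": "Viewer",      # role member without a mapping row
}
# Members of the single dynamic role (in production, resolved from a security group).
RLS_ROLE_MEMBERS = {"aiko@apex.example", "ben@apex.example", "cara@apex.example"}


def visible_rows(upn):
    """Rows seen under one dynamic role: [FactoryManager] = USERPRINCIPALNAME().

    Assumes the mapping table is related to the fact table on Factory, so the
    role filter on the mapping table propagates to the fact rows.
    """
    if WORKSPACE_ROLES.get(upn) in BYPASS_ROLES:
        return list(SALES)  # RLS is not applied to these workspace roles
    if upn not in RLS_ROLE_MEMBERS:
        return []           # not in any role: modelled here as no rows
    allowed = {m["Factory"] for m in MANAGER_MAP if m["FactoryManager"] == upn}
    return [row for row in SALES if row["Factory"] in allowed]


def audit():
    """Flag role members for whom RLS will not behave as intended."""
    findings = []
    for upn in sorted(RLS_ROLE_MEMBERS):
        role = WORKSPACE_ROLES.get(upn)
        if role in BYPASS_ROLES:
            findings.append((upn, f"workspace role {role} bypasses RLS"))
        elif not visible_rows(upn):
            findings.append((upn, "role member with no mapping row: sees no data"))
    return findings
```

Users absent from WORKSPACE_ROLES (for example, app consumers) are treated as filtered, matching the page's note that RLS applies to content consumed through an app.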

RLS with security groups

Instead of adding individual users to RLS roles, use Azure AD (Entra) security groups:

  1. Create a security group: SG-PowerBI-NorthRegion
  2. Add North region managers to the group
  3. Assign the group to the “North Region” RLS role

This scales much better — when a new manager joins, add them to the group instead of modifying Power BI settings.

Security groups are the production standard for RLS membership

| Feature | Individual Users | Security Groups |
|---|---|---|
| Management | Add/remove each person manually | Manage membership in Entra — automatic in Power BI |
| Scale | Difficult at 50+ users | Handles thousands easily |
| Best practice | Development/testing only | Always use for production |

Knowledge check

Question

Where do you define RLS roles vs where do you assign membership?


Answer

Define roles with DAX expressions in Power BI Desktop (Modeling → Manage roles). Assign membership (add users/groups) in the Power BI service after publishing (Dataset → Security).

Question

What DAX function makes RLS dynamic?


Answer

USERPRINCIPALNAME() — returns the logged-in user's email address. Use it in RLS filter expressions to dynamically match the user to their data: [Email] = USERPRINCIPALNAME()

Question

What workspace role should report consumers have?


Answer

Viewer — they can view content but can't edit, publish, or share. Use Contributor for report authors and Member for those who also need to share.

Knowledge Check

Kenji has 12 factory managers, each managing one factory. He wants each manager to see only their factory's data. What's the most scalable approach?

Knowledge Check

Dr. Ethan wants to grant the quality team the ability to create their own reports using the patient dataset — but not access the clinical dashboard workspace. What should he configure?

Next up: Sensitivity Labels and Governance — protect your data with Microsoft Purview integration.


© 2026 Sutheesh. All rights reserved.

Guided is an independent study resource and is not affiliated with, endorsed by, or officially connected to Microsoft. Microsoft, Azure, and related trademarks are property of Microsoft Corporation. Always verify information against Microsoft Learn.