Implementing Row-Level Security (RLS) in Power BI Template Apps 

Implementing Row-Level Security (RLS) in Power BI Template Apps 

In this blog, we’ll explore how to configure and deploy Row-Level Security (RLS) in Power BI Template Apps. From defining roles to packaging and validating the final app. 

Why RLS Matters in Template Apps: 

When you publish a Template App on Microsoft AppSource, it’s designed for reusability and scalability. The same dataset and reports are deployed across multiple customer environments. Without RLS, every user would see the same data led to posing serious privacy and compliance risks. 

With RLS, you can restrict data visibility so that: 

• A department head sees only their business unit’s data. 

• A regional manager views insights for their assigned geography. 

Implementation: 

Step 1: Define Roles in Power BI Desktop 

There are two main RLS approaches: 

1. Static RLS – Roles are manually assigned to users (e.g., “Manager,” “Finance”). 

2. Dynamic RLS – Filters are applied dynamically through a lookup table that maps users to allowed data. (Recommended for Template Apps) 

To define roles: 

1. Open your Power BI Desktop file. 

2. Go to Model View → Manage Roles → Create Role. 

3. Define filters using DAX. 

Fig1. It represents 2 Roles Defined in the PBI Desktop 

Step 2: Validate RLS in Power BI Services 

Once your report is ready: 

• Validate RLS locally in Power BI Desktop. 

• Publish the report to your workspace and test the roles again in the Power BI Service. 

Step 3: Package RLS in the Template App 

When publishing your Template App: 

1. Include the dataset and reports that contain your RLS logic. 

2. Follow the standard steps for publishing Template Apps on AppSource. 

3. Validate the app in a test tenant before going live. 

RLS definitions are embedded in your dataset, so customers automatically inherit the same security model after installation. 

Step 4: Customer Configuration After Installation 

When a customer installs the Template App, they become the admin of that workspace. RLS doesn’t apply to admins, but they can manage user access: 

1. Connect the dataset to their data source (e.g., SQL Server, Microsoft Fabric, or Business Central). 

2. The predefined RLS filters remain active after connection. 

3. Go to Edit App Settings → Workspace → Semantic Model → Security. 

4. Review the predefined RLS roles and assign users to the appropriate roles. 

5. For dynamic RLS, the lookup table automatically updates with client data, enforcing RLS accordingly. 

Fig2. The defined roles are being propagated via semantic model and now available in client workspace. 

6. Once users are assigned, share the reports accordingly. 

By correctly managing RLS roles post-installation, customers can ensure each user only accesses authorized data, maintaining data security, integrity, and compliance across all environments.