Dislaimer: This blog does not contain any personally identifiable information (PII). Any data referenced is generic and used solely for illustrative purposes.

You have built a Power BI semantic model and created a report on top of it. To ensure users see only relevant data, you implemented Row Level Security using a user table that maps email IDs to respective countries.

You mapped this table in such a way that it will filter the whole model and show the relevant countries data to the end users. As per the above table

• Aditya should see data from India, Japan, and the United States.
• Chris should see data from the United States and Great Britain.

After the modelling the data model looks like below

You created a RLS role, and your logic is as follows

After modelling the relationships correctly, you tested the RLS in Power BI Desktop using the “View as” option. Everything worked as expected.

You then published the report to Power BI Service, assigned users to the respective security roles,

and shared the report.

Aditya, who is well-versed in Power BI, tested the report and confirmed that the security filters were working correctly.

He then set up a personal subscription to receive periodic updates.

When he received the email, the data was still filtered correctly according to his RLS settings.

However, Chris is a business user with limited Power BI knowledge, he requested an automated report. As a report developer, you created a “Standard Subscription” and added his email to the recipients list.

When Chris received the email and opened the email, he was shocked! Instead of seeing only United States and Great Britain, he could see all countries data.

This is a serious security concern, as the expectation was that RLS would be enforced in the subscription, just like it is within the report. But Power BI report subscriptions are not respecting the RLS on the semantic model.

Isn’t it?

In my opinion, it is respecting the Row level security; otherwise, when Aditya created a subscription on his own, he would have received the data of all the countries, not just the data of India, Japan, and United States.

The problem is subscriptions will consider the security filters of the person who created the subscription rather than the recipient. I believe that is how they are designed.

It would be great if Microsoft provided a warning when someone adds a recipient on the report subscription creation page, especially for reports with RLS implemented.

A simple, low-code approach to handle this scenario is to use Dynamic Report subscriptions instead of standard subscriptions.

Add a duplicate of the user email column in your user’s table.

Points to Remember

1. Dynamic Subscriptions work only in Premium or Fabric capacity-backed Workspaces.

2. To implement a similar approach for static row-level security (RLS) implementation, create one subscription for each RLS role and configure the security filters accordingly. The recipient’s email address should also be added manually.

3. I created a duplicate of the email address column in the users table before configuring the dynamic subscriptions because a column cannot be filtered by itself.

Conclusion

Power BI Dynamic Subscriptions provide a robust way to ensure report security while automating data distribution.

Have you ever faced this challenge? How did you tackle it? Have you used Dynamic Subscriptions before?

I would like to hear from you

Thank you for reading!