To implement Row-Level Security (RLS) while still allowing self-service reporting, you need a centralized dataset that has the RLS rules defined in it and is published to a workspace as a shared or certified dataset. With this setup, business users can connect to the dataset and create reports without seeing any underlying data they are not allowed to see. RLS is enforced at the dataset layer, so every report connected to the dataset, whether built by users or by developers, honors all the security rules defined.
Define RLS roles with DAX filters in Power BI Desktop and bind those roles to the users' identities using the USERNAME() or USERPRINCIPALNAME() functions. Manage access to the dataset through Azure Active Directory groups or Microsoft 365 security groups; this allows scalable and secure management of roles. Once the dataset is published, don't give users Admin or Member access, only Build permission, so that they can create reports but cannot edit the dataset or the RLS settings.
To ensure a smooth self-service experience, complement the dataset with comprehensive documentation, field descriptions, and measures. Alternatively, perspectives or thin reports can be offered as a starting point. In this way, the tenant gets the most out of self-service reporting while keeping strict control over what data can be viewed.
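
The role definition described above, sketched as an added example (not taken from an actual model): a dynamic RLS role that binds rows to the signed-in user through a mapping table. The role name `SalesByRegion`, the tables `Sales` and `UserRegion`, and their columns are hypothetical; `UserRegion` is assumed to have no relationship to `Sales`.

```dax
// ---------------------------------------------------------------
// Role: SalesByRegion (hypothetical name)
// Table filter DAX expression on 'Sales'
// A row is visible only if its region is mapped to the signed-in
// user's UPN in 'UserRegion'.
// ---------------------------------------------------------------
VAR CurrentUser = USERPRINCIPALNAME()
VAR AllowedRegions =
    SELECTCOLUMNS(
        FILTER(
            'UserRegion',
            'UserRegion'[UserEmail] = CurrentUser
        ),
        "Region", 'UserRegion'[Region]
    )
RETURN
    'Sales'[Region] IN AllowedRegions

// ---------------------------------------------------------------
// Same role: SalesByRegion
// Table filter DAX expression on 'UserRegion'
// Users with Build permission can query any table in the dataset,
// so the mapping table gets its own filter; otherwise report
// authors could list every user-to-region assignment.
// ---------------------------------------------------------------
'UserRegion'[UserEmail] = USERPRINCIPALNAME()
```

Each expression goes into the filter box of its own table inside the same role; a user with no rows in `UserRegion` sees no `Sales` rows at all.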