Row-level security (RLS) and object-level security (OLS) are the foundational mechanisms that determine which data a user can see and which model objects they can access inside a BI platform. Implemented incorrectly, these controls leak sensitive data, degrade performance, or silently allow bypasses through workspace roles and bidirectional filter propagation. This cheat sheet covers the full security stack across Power BI, Tableau, Looker, and Qlik β from basic DAX filter expressions and dynamic identity lookups to entitlement tables, section access, audit logging, and Microsoft Fabric's cross-engine enforcement model.
What This Cheat Sheet Covers
This topic spans 12 focused tables and 74 indexed concepts. Below is a complete table-by-table outline of this topic, spanning foundational concepts through advanced details.
Table 1: RLS Fundamentals and Types
Static and dynamic RLS differ in where the user identity is encoded β directly in the DAX filter expression versus resolved at query time from a mapping table. Understanding this distinction, plus how filters propagate across relationships, is the prerequisite for every platform-specific implementation that follows.
| Type | Example | Description |
|---|---|---|
[] = "East" | β’ DAX filter hardcoded in a role definition β’ all members of the role see the same fixed slice of data | |
[Email] = USERPRINCIPALNAME() | β’ Filter expression uses an identity function resolved at query time β’ each user automatically sees only their own rows | |
Sales[CustomerID] = Security[CustomerID]AND Security[Email] = USERPRINCIPALNAME() | RLS filter on one table cascades across relationships to related tables following the cross-filter direction. |