This post is a part of the PL-300: Microsoft Power BI Data Analyst Exam Prep Hub; and this topic falls under these sections:
Manage and secure Power BI (15–20%)
   --> Secure and govern Power BI items
      --> Implement row-level security roles

Below are 10 practice questions (with answers and explanations) for this topic of the exam.
There are also 2 practice tests for the PL-300 exam with 60 questions each (with answers) available on the hub.

---

Practice Questions

---

Question 1

Where are Row-Level Security roles and filters created?

A. In the Power BI Service
B. In Power BI Desktop
C. In Microsoft Entra ID
D. In Power BI Apps

Correct Answer: B

Explanation:
RLS roles and DAX filters are created in Power BI Desktop. Users and groups are assigned to those roles later in the Power BI Service.

---

Question 2

Which DAX function is most commonly used to implement dynamic RLS?

A. USERELATIONSHIP()
B. USERNAME()
C. USERPRINCIPALNAME()
D. SELECTEDVALUE()

Correct Answer: C

Explanation:
USERPRINCIPALNAME() returns the logged-in user’s email/UPN and is the most commonly used function for dynamic RLS scenarios.

---

Question 3

A single semantic model must filter sales data so that users only see rows matching their email address. What is the best approach?

A. Create one role per user
B. Create static RLS roles by region
C. Use dynamic RLS with a user-mapping table
D. Use Object-Level Security

Correct Answer: C

Explanation:
Dynamic RLS with a user-to-dimension mapping table scales efficiently and avoids creating many static roles.

---

Question 4

What happens if a user belongs to multiple RLS roles?

A. Access is denied
B. Only the most restrictive role is applied
C. The union of all role filters is applied
D. The first role alphabetically is applied

Correct Answer: C

Explanation:
Power BI applies the union of RLS role filters, meaning users see data allowed by any role they belong to.

---

Question 5

Which statement about Row-Level Security behavior is correct?

A. RLS is applied at the report level
B. RLS applies only to dashboards
C. RLS is enforced at the semantic model level
D. RLS must be reconfigured for each report

Correct Answer: C

Explanation:
RLS is enforced at the semantic model level and automatically applies to all reports and apps using that model.

---

Question 6

You test RLS using View as role in Power BI Desktop. What does this feature do?

A. Permanently applies RLS to the model
B. Bypasses RLS for the model author
C. Simulates how the report appears for a role
D. Assigns users to roles automatically

Correct Answer: C

Explanation:
View as allows you to simulate role behavior to validate RLS logic before publishing.

---

Question 7

Which type of RLS is least scalable in enterprise environments?

A. Dynamic RLS
B. RLS using USERPRINCIPALNAME()
C. Static RLS with hard-coded values
D. Group-based RLS

Correct Answer: C

Explanation:
Static RLS requires separate roles for each data segment, making it difficult to maintain at scale.

---

Question 8

A user accesses a report through a Power BI App. How does RLS behave?

A. RLS is ignored
B. RLS must be redefined in the app
C. RLS is enforced automatically
D. Only static RLS is enforced

Correct Answer: C

Explanation:
RLS is always enforced at the semantic model level, including when content is accessed through apps.

---

Question 9

Which security feature should be used if you need to hide entire columns or tables from certain users?

A. Row-Level Security
B. Workspace roles
C. Object-Level Security
D. Build permission

Correct Answer: C

Explanation:
RLS controls rows only. Object-Level Security (OLS) is used to hide tables or columns.

---

Question 10

Which best practice is recommended when assigning users to RLS roles?

A. Assign individual users directly
B. Assign workspace Admins only
C. Assign Microsoft Entra ID security groups
D. Assign report-level permissions

Correct Answer: C

Explanation:
Using security groups improves scalability, governance, and ease of maintenance.

---

Final PL-300 Exam Reminders

• RLS controls data visibility, not report access
• Dynamic RLS is heavily tested
• RLS applies everywhere the semantic model is used
• Users see the union of multiple roles
• RLS is defined in Desktop, enforced in the Service

---

Go back to the PL-300 Exam Prep Hub main page