- A
Q&A features to restrict natural language queries.
Why wrong: Q&A is not a security feature.
- B
Row-level security (RLS) with DAX filter expressions.
RLS filters rows based on user identity.
- C
Object-level security (OLS) to hide tables.
Why wrong: OLS hides objects, not filters rows.
- D
Data lineage view to control access.
Why wrong: Data lineage is for impact analysis.
Quick Answer
The correct answer is row-level security (RLS) with DAX filter expressions. RLS is the appropriate solution because in a DirectQuery model, it pushes DAX filter logic down to the source database, dynamically restricting data at query time based on the authenticated user’s identity—ensuring each department sees only its own rows without requiring separate reports or duplicated datasets. On the PL-300 exam, this scenario tests your understanding of how RLS behaves differently in DirectQuery versus Import mode; a common trap is assuming you must create multiple role-based copies of the report or use report-level filters, which would be inefficient and insecure. Remember that RLS in DirectQuery translates your DAX filters into native SQL queries, so the filtering happens server-side before results reach Power BI. A useful memory tip: think of RLS as a “gatekeeper at the database door”—it checks the user’s credentials and only lets through the rows they are allowed to see, making it the only scalable method for department-level security in DirectQuery.
PL-300 Manage and secure Power BI Practice Question
This PL-300 practice question tests your understanding of Manage and secure Power BI. Read the scenario carefully and evaluate each option against the stated constraints before committing to an answer. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.
You have a Power BI report that uses a DirectQuery dataset. You need to ensure that users see only the data relevant to their department. What should you implement?
Correct answer & explanation
Row-level security (RLS) with DAX filter expressions.
Row-level security (RLS) is the correct approach because it filters data at the query level based on the user's identity. In a DirectQuery model, RLS translates DAX filter expressions into source queries, ensuring that each user only sees rows relevant to their department without duplicating reports or datasets.
Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.
Answer analysis
Option-by-option breakdown
For each option: why learners choose it and why it is or isn't the right answer here.
- ✗
Q&A features to restrict natural language queries.
Why it's wrong here
Q&A is not a security feature.
- ✓
Row-level security (RLS) with DAX filter expressions.
Why this is correct
RLS filters rows based on user identity.
Related concept
Read the scenario before looking for a memorised answer.
- ✗
Object-level security (OLS) to hide tables.
Why it's wrong here
OLS hides objects, not filters rows.
- ✗
Data lineage view to control access.
Why it's wrong here
Data lineage is for impact analysis.
Common exam traps
Common exam trap: answer the scenario, not the keyword
The trap here is that candidates confuse row-level security (RLS) with object-level security (OLS), thinking OLS can filter rows when it only hides entire objects like tables or columns.
Detailed technical explanation
How to think about this question
Under the hood, RLS in DirectQuery works by appending a WHERE clause to every query sent to the source, using the USERNAME() or USERPRINCIPALNAME() DAX function to dynamically filter rows. A subtle behavior is that RLS roles must be tested with the 'View as Roles' feature in Power BI Desktop, and if the source is a SQL Server, the filter is pushed down as a native query predicate, preserving performance. In a real-world scenario, a sales manager might see only their region's data, while the VP sees all regions, all enforced by the same RLS role with different DAX filters.
Key Concepts to Remember
- Read the scenario before looking for a memorised answer.
- Find the constraint that changes the correct option.
- Eliminate answers that are true in general but not in this case.
Exam Day Tips
- Watch for words such as best, first, most likely and least administrative effort.
- Review why wrong options are wrong, not only why the correct option is correct.
Key takeaway
Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.
Real-world example
How this comes up in practice
A media company stores terabytes of video archives that are accessed once a year for audit purposes. Moving these objects to a cold storage tier (Azure Archive, S3 Glacier, or Google Nearline) costs a fraction of hot storage. Questions like this test whether you understand storage tiers, access frequency tradeoffs, and retrieval latency requirements.
What to study next
Got this wrong? Here's your next step.
Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.
FAQ
Questions learners often ask
What does this PL-300 question test?
This question tests the Manage and secure Power BI domain: read the scenario before looking for a memorised answer.
What is the correct answer to this question?
The correct answer is: Row-level security (RLS) with DAX filter expressions. — Row-level security (RLS) is the correct approach because it filters data at the query level based on the user's identity. In a DirectQuery model, RLS translates DAX filter expressions into source queries, ensuring that each user only sees rows relevant to their department without duplicating reports or datasets.
What should I do if I get this PL-300 question wrong?
Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.
What is the key concept behind this question?
Read the scenario before looking for a memorised answer.
About these practice questions
Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content.
Same concept, more angles
7 more ways this is tested on PL-300
These questions test the same concept from different angles. Work through them to make sure you can recognise it however the exam phrases it.
Variation 1. Refer to the exhibit. You have a Power BI dataset with the JSON policy shown. You add a user to the USOnly role. What happens when that user views a report based on this dataset?
Difficulty: easy
- A. The user sees all rows in the Sales table.
- ✓ B. The user sees only rows where Region is 'US' in the Sales table.
- C. The user sees all rows but the SalesAmount column is hidden.
- D. The user sees all rows in all tables of the dataset.
Why B: Option B is correct because row-level security (RLS) restricts data: only rows where Region is 'US' are visible. Option A is wrong because RLS does not hide the entire table. Option C is wrong because RLS does not affect columns. Option D is wrong because RLS does not affect other tables unless defined.
Variation 2. Refer to the exhibit. You are setting up row-level security (RLS) for a Power BI dataset. The JSON snippet shows the role definition. A user reports that they see no data when they view the report. What is the most likely cause?
Difficulty: medium
- A. The filter syntax is incorrect; it should use CALCULATE.
- B. The role name 'RegionManager' is reserved.
- C. The 'SalesPerson' column should be used in the filter.
- ✓ D. The LOOKUPVALUE function requires a relationship between tables.
Why D: Option D is correct because the LOOKUPVALUE function is used without a relationship between the Sales and EmployeeRegion tables. LOOKUPVALUE does not create a relationship; it performs a lookup based on the current row context, which may not work correctly. In RLS, you typically use a filter that references a related table via a relationship. Option A is wrong because the role name can be any string. Option B is wrong because the syntax is valid. Option C is wrong because the column definitions are fine.
Variation 3. Which THREE of the following are valid methods to secure a Power BI dataset at the row level?
Difficulty: medium
- ✓ A. Row-level security using the USERPRINCIPALNAME() DAX function.
- B. Azure role-based access control (Azure RBAC) on the data source.
- ✓ C. Static row-level security (RLS) using roles defined in Power BI Desktop.
- D. Object-level security (OLS) to restrict access to specific columns.
- ✓ E. Dynamic row-level security using the USERNAME() DAX function.
Why A: Options A, C, and E are correct. Static RLS uses roles defined in Power BI Desktop. Dynamic RLS uses USERNAME() or USERPRINCIPALNAME() to filter data based on the logged-in user. Object-level security (OLS) is for table/column security, not row-level. Option D is wrong because Azure RBAC is for managing access to Azure resources, not for Power BI row-level security.
Variation 4. You have a Power BI report that uses a dataset with row-level security (RLS) roles. You need to verify that a specific user sees only the data they are supposed to see. What is the most efficient way to test this?
Difficulty: medium
- A. Run a DAX query in DAX Studio as the user.
- ✓ B. Use the 'View as' feature in the Power BI service or Desktop.
- C. Check the dataset settings in the workspace.
- D. Share the report with the user and ask them to verify.
Why B: Option B is correct because 'View as' allows you to impersonate a user and see exactly what they see. Option A is incorrect because manually checking the dataset is not efficient. Option C is incorrect because you cannot verify in the dataset settings. Option D is incorrect because checking the report after sharing is less efficient.
Variation 5. You have a Power BI report that uses a dataset with row-level security (RLS) roles defined. Users report that they see no data when viewing the report. Which two checks should you perform first? (Assume all other configurations are correct.)
Difficulty: medium
- A. Confirm that the workspace is assigned to a Premium capacity.
- B. Check that the report is published to a Power BI app.
- ✓ C. Verify that the dataset has the RLS roles applied and published.
- ✓ D. Ensure the users are members of the appropriate RLS role.
- E. Verify that the RLS role name matches exactly with the username.
Why C: Option A is correct because RLS roles must be applied to the dataset. Option D is correct because users must be members of the RLS role. Option B is wrong because app permissions are for sharing, not RLS. Option C is wrong because capacity is unrelated. Option E is wrong because the RLS role name is case-insensitive.
Variation 6. Refer to the exhibit. You define an RLS role in Power BI Desktop as shown. You publish the dataset and assign the user 'user@contoso.com' to the role. When the user views a report that uses this dataset, they see no data. What is the most likely cause?
Difficulty: easy
- A. The role name is invalid; it must not contain spaces.
- B. RLS is not applied in Power BI service for tables with less than 100 rows.
- C. The user is not assigned to the role correctly.
- ✓ D. The Region values in the data have leading spaces or are not exactly 'North' (e.g., 'North ').
Why D: The filter expression uses a string comparison that might not match due to case sensitivity or leading/trailing spaces. Option A is correct. Option B is wrong because the role name is valid. Option C is wrong because the user is assigned to the role. Option D is wrong because RLS works in the service.
Variation 7. Which TWO of the following are valid ways to enforce row-level security (RLS) on a Power BI dataset? (Choose two.)
Difficulty: medium
- A. Use Power BI Report Builder to define RLS on paginated reports.
- B. Create RLS rules directly in the Power BI service under dataset security.
- ✓ C. Define roles and role members in Power BI Desktop using DAX filter expressions.
- D. Assign users to security groups in Microsoft Entra ID and map those groups to RLS roles in the Power BI service.
- ✓ E. Configure RLS in the source database when using DirectQuery with single sign-on (SSO).
Why C: Options A and C are correct. RLS can be defined in Power BI Desktop using static roles, and in DirectQuery with SSO, RLS can be enforced in the source database. Option B is wrong because RLS is not applied via the Power BI service interface for datasets; it's defined in Desktop. Option D is wrong because RLS in Power BI is not based on Microsoft Entra ID groups; it's based on roles defined in the model. Option E is wrong because RLS is not configured in Excel.
Last reviewed: Jun 24, 2026
This PL-300 practice question is part of Courseiva's free Microsoft certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the PL-300 exam.