Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Did you hear? There's a new SQL AI Developer certification (DP-800). Start preparing now and be one of the first to get certified. Register now

Reply
Anonymous
Not applicable

Data masking - RLS

‎11-08-2023 11:24 AM

Hi community, I am lost with masking of usernames. 


We have team managers that are responsible for teams and users. My (simplified) data model is as below.
A fact table with number of actions by users. A dimension table with users and teams. With a relation between UserTeam-dimension and fact table on User(ID). Then a disconnected RLS table and a role that filters RLS table by logged in manager on userprincipalname.
If mgr1@email logs in the RLS table gets correctly filtered, for users 1, 2 and 3.

The result should be a table or chart where all data for teams and actions is shown. But usernames only exposed according to the logged in manager. Usernames of other teams should be masked.

 

The idea seemed to be easy. Like this - If user to be shown in result table/chart is given in filtered RLS table then show the user, if not then mask. Or as alternative, if maybe pssible by appropriate relations, show blank if user is not given in filtered RLS. Actually in my dataset I have teams and users in separate tables, combined with a relation table connected to fact table. That should make it possible to show teams, but not users. 

 

Have tried many ways, for example to add a calculated column with LOOKUP, CONTAINS on fact userid = RLS userid etc. But all failed. Lookup for example brings "true" for all users, even if the RLS table is filtered.

My first try was with a relation between RLS and User table. But this simply filters on users 1/2/3 and excludes users 4/5/6.

Also strange, a relation between RLS and User table apparently did work in desired way in the past in published report. But all of a sudden, after data refresh or re-publish it got lost.

 

Would be more than happy if someone can guide me to a solution. 
Many thanks in avance!

 

Gerhard 

Mask RLS.png

 

Message 1 of 3
574 Views
0
2 REPLIES 2
lbendlin
Super User
Super User

‎11-12-2023 05:08 PM

The purpose of RLS is to restrict access to rows, not to modify the contents of columns in a row.  What you are trying to achieve needs to be done outside of / in addition to RLS.

Message 2 of 3
502 Views
0
Anonymous
Not applicable
In response to lbendlin

‎11-12-2023 11:51 PM

Thanks Ibendlin!

Understand that RLS purpose is to restrict access to rows.

Just thought there,might be some trick to (mis)use RLS for masking data ... as some kind of lookup. 

As for my example. mgr1@email view secured by RLS showing users 1/2/3, that's ok. But if something like outer lookup to users table is null/false than do not exclude users like 4/5/6, but show them masked

 

Message 3 of 3
494 Views
0

Helpful resources

Announcements
April Power BI Update Carousel

Power BI Monthly Update - April 2026

Check out the April 2026 Power BI update to learn about new features.

Fabric SQL PBI Data Days

Data Days 2026 coming soon!

Sign up to receive a private message when registration opens and key events begin.

New to Fabric survey Carousel

New to Fabric Survey

If you have recently started exploring Fabric, we'd love to hear how it's going. Your feedback can help with product improvements.

Power BI DataViz World Championships carousel

Power BI DataViz World Championships - June 2026

A new Power BI DataViz World Championship is coming this June! Don't miss out on submitting your entry.

View All