Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Enhance your career with this limited time 50% discount on Fabric and Power BI exams. Ends August 31st. Request your voucher.

Reply
NielsBakker
Frequent Visitor

Dynamic RLS and using DirectQuery

Friday

@speedramps again thank you very much for your help. Really appreciate your time and help for trying to solve this issue. I hope I've explained my issue as clear as possible. 

 

Goal

Set up flexible (dynamic) Row-Level Security (RLS) in Power BI using a UserSecurity table that filters a FactTable.
When a user logs in, the UserSecurity table should filter to that user, which in turn should filter the FactTable to only show data the user is allowed to see.

 

Requirements

  • All tables in the data model use DirectQuery.
  • The UserSecurity table must support wildcards to indicate full access, in this case I use 0. The reaon for this is that I want to avoid that the table will get extremely large.
    • Example: If a user has access to all ResourceGroups within a Subscription, the ResourceGroup field should be 0.
  • A key use case to support is (please see attached Excel file (UserSecurity) for the full overview:
    • User 16 has access to:
      • All ResourceGroups in Subscription 17
      • Only ResourceGroup 15348  in Subscription 25

Limitations

  • Because I’m using DirectQuery, I cannot use functions like CALCULATE or COUNTROWS in Manage Roles for RLS (they are disabled).
  • If a relationship between the tables is needed, a many-to-many relationship is needed between UserSecurity and the FactTable because:
    • Multiple users in UserSecurity
    • Each user can have multiple different access rules (some full access via wildcard, some partial)
    • However, many-to-many relationships are problematic with DirectQuery

What I've Tried

  • It works perfectly in Import Mode (use Test 1 as Role), but I must use DirectQuery. Please see attached PBI how it should work.
  • I’m stuck translating the logic into a DAX approach that works in DirectQuery mode with these constraints.

Ask
How can I implement this kind of dynamic RLS with wildcard support in DirectQuery mode?

 

I've attached 2 Excel files and a PowerBI file that can be used. Sorry, I don't know how to share a DirectQuery model because of privacy concerns. I hope this Excel files gives enough context. 

 

Link to download files: https://we.tl/t-PONAaflP8Q 

 

Many thanks again, and appreciate the help! 

 

Kind regards,

Niels

 

Message 1 of 6
100 Views
0
5 REPLIES 5
speedramps
Super User
Super User

Friday

Hi again @NielsBakker 

 

This users has posted some good videos about RLS with Direct Query that you might find interesting

 

 

 

Message 6 of 6
46 Views
0
speedramps
Super User
Super User

Friday

HI @NielsBakker 

 

If you MUST use direct query then consider implementing the row level security inside the source system rather than Power BI.

 

For example if the source is SQL Server, MY SQL or Oracle then implement the security in there rather than Power BI.

The data base administator will help you to that, or you can learn how via the SQL Server, MY SQL or Oracle comuinity forums.

 

Alternatively consider Power BI  Import Mode, a composite model or Fabric Direct Lake so that you can leverage all DAX comands inside Power BI RLS (Row Level Security).

 

Sorry, this is not the answer you want, but one of the reasons that Fabric Direct Lake is becoming so populare is that it is ideal for semantic models with RLS regardless of the data source.

Learn about Fabric Direct Lake here

https://learn.microsoft.com/en-us/fabric/fundamentals/direct-lake-overview

 

Message 5 of 6
53 Views
0
speedramps
Super User
Super User

Friday

Hi again @NielsBakker 

 

This example shows how to implement RLS so a person can be given access to just some or all stores in a country.

The Security table stipulates who has access to which stores in which countries.

The * asterisk denotes that a person has access to all stores in the designated country unless then is an "X" in the block column.

Note that several countries may have identical store names but they are separate stores.

Use the View As function to test Mark, Peter, Sue, Tim, Katy and Jane have the correct restricted access to the Fact table secrets.

 

speedramps_3-1752848380487.png


I know that you require Direct Query and I will try answer that later. 
This solution works for Import Mode, Fabrix Driect Lake and potentially a Composite Mode.

You will need to rename the tables and columns names for your Resources Groups and Subscriptions. 
You will also need to have the * and X  to your  I and 0.

 Click here to download PBIX from OneDrive 

 

Note that Security and Fact table have a Many to Many relation with Both cross filter direction.

This will generate a red triangle warning, which you can ignore because it is ok in this scenario.

speedramps_0-1752847946461.png

 

In Manage Roles the Securiry table has a RLS (Row Lecve; Security) Filter for the login username 

speedramps_1-1752848108525.png

 

Whereas the Fact table uses DAX to determin the RLS Filter

speedramps_2-1752848219505.png

 

Here is the DAX RLS filter logic

 

// create a temp table allowed stores for the User and Country
VAR allow = 
   CALCULATETABLE(
    VALUES(Security[Store]),
    Security[User] = USERNAME(),
    Security[Block] <> "X"
    )

// create a temp table prevented stores for the User and Country
VAR prevent = 
   CALCULATETABLE(
    VALUES(Security[Store]),
    Security[User] = USERNAME(),
    Security[Block] = "X"
    )

RETURN
// Allow the user access if the country store or * is in the allow temp table.
// But prevent acceess if that user country store is blocked.

(
    [Store] IN allow
    ||
    "*" IN allow
)

&& NOT [Store] IN prevent

 

Test by using View as Jane who has access to

  • All store in France
  • Just stores 1 and 4 in the UK
  • And all stores in USA except 1 and 3 

Works perfectly.

I like how how this solution is easily to understand, develop, test and maintain.

So you can easily make changes to the security config table as when staff need access adding or removing.

 

speedramps_4-1752848504046.png

 

 

 

Message 4 of 6
55 Views
0
FBergamaschi
Post Prodigy
Post Prodigy

Friday

Hi,

limitations are due to the need to translate in SQL complex DAX statements.

 

the CALCULATE and COUNTROWS calculations you need to perform are working on facts/dimensions/bridges or on the security table? I am asking because you might consider (maybe) to import only the security table if the CALCULATE and COUNTROWS calculations you need to perform and on the security table

 

Othwerwise either you import (not an option, if I understand correclty) or you write an old style DAX, that will be painful though

 

If this helped, please consider giving kudos and mark as a solution

@me in replies or I'll lose your thread

consider voting this Power BI idea

Francesco Bergamaschi

MBA, M.Eng, M.Econ, Professor of BI

Message 2 of 6
71 Views
NielsBakker
Frequent Visitor
In response to FBergamaschi

Friday

@FBergamaschi thanks for your response! 

 

I've tried to import only the security table, and use Direct Query for the FactTable. But in Manage Roles, the DAX is still referencing to the DirectQuery table and therefore, is not allowed to use unfortunately. 

 

But thanks for thinking with me!

Message 3 of 6
61 Views
0

Helpful resources

Announcements
July PBI25 Carousel

Power BI Monthly Update - July 2025

Check out the July 2025 Power BI update to learn about new features.

Join our Fabric User Panel

Join our Fabric User Panel

This is your chance to engage directly with the engineering team behind Fabric and Power BI. Share your experiences and shape the future.

June 2025 community update carousel

Fabric Community Update - June 2025

Find out what's new and trending in the Fabric community.

View All