March 31 - April 2, 2025, in Las Vegas, Nevada. Use code MSCUST for a $150 discount! Early bird discount ends December 31.
Register NowBe one of the first to start using Fabric Databases. View on-demand sessions with database experts and the Microsoft product team to learn just how easy it is to get started. Watch now
Hi,
I know this isn't strictly Power BI, but maybe someone in here are able to help.
I have a number of Tabular models, where I'd like to restrict which dimension values a user can see. I already have Dynamic RowLevel Security defined to restrict the Fact table, but since it's a "global" Tabular model that contains data for several companies, I'd like to "filter out" the dimension values for the user so he don't have to see data for other companies than his own.
The DRLS is created ,so it matches the userID in a table, and this then filters a Legal Company table which then have a relationship to the Fact table. That part works fine and the user only see fact records from his own legal company.
I'd then like to so something similar with the dimension data, but since I can't create relationships from the Legel Company table to the dimension tables, then I was thinking about doing it in the Security Role. I was thinking about a rule looking at the Legal Company for the dimension and then "filtering" based on the data from the Legal Company table that only contains the legal company the user are allowed to see.
I'm not that experienced in DAX yet, and I can't really figure out how to do it? I have tried various scripts with no luck, so I'd be happy with some idea and guidance.
Regards
Steen
Hi Steen,
This is an interesting one 🙂
Just restating the situation, to make sure I have understood things correctly:
Hopefully the above is correct! 🙂
There are no doubt a few ways to approach this. I have attached a PBIX showing one example of how the RLS filter expressions could be set up.
In my constructed example, I have Legal Company 01 to Legal Company 10.
For each XY = 01..10:
As an example, when user01@contoso.com accesses the dataset, only Legal Company 01 (and related fact rows) are visible, as well as only Customer 01 and Product 01.
To achieve this, the logic I have applied in the RLS filter expressions for the other dimension tables (Customer and Product in my case) is:
For example the RLS filter expression for the Customer table is:
VAR CurrentUser = USERPRINCIPALNAME ()
-- Get a list of companies for current user from RLS table
VAR CurrentUserCompanyKey =
CALCULATETABLE (
VALUES ( RLS[Legal Company Key] ),
RLS[Email] = CurrentUser
)
-- Check if FactTable nonempty when applying filter on current Customer row
-- plus RLS filter on Legal Company
VAR CurrentCustomerRequired =
CALCULATE (
NOT ISEMPTY ( FactTable ),
TREATAS (
CurrentUserCompanyKey,
'Legal Company'[Legal Company Key]
)
)
RETURN
CurrentCustomerRequired
In your tabular model, the way that you determine CurentUserCompanyKey may well be different (and will be based on the 'Legal Company' RLS expression), but the code after that could be pretty similar.
Does something like this work at your end (I'm assuming you're working with Azure Analysis Services or SQL Server Analysis Services Tabular)?
Regards,
Owen
March 31 - April 2, 2025, in Las Vegas, Nevada. Use code MSCUST for a $150 discount!
User | Count |
---|---|
27 | |
17 | |
16 | |
12 | |
11 |
User | Count |
---|---|
37 | |
29 | |
26 | |
20 | |
16 |