Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Join the FabCon + SQLCon recap series. Up next: Power BI, Real-Time Intelligence, IQ and AI, and Data Factory take center stage. All sessions are available on-demand after the live show. Register now

Reply
Jaize
Regular Visitor

How do you apply dynamic RLS in OneLake Security

‎04-17-2026 01:03 AM

I have a fact table inside my lakehouse and another user mapping table/file, how do I create a role which applies dynamic RLS based on the fact table’s user_id equivalent to the user mapping table/file’s id?

I’m trying to use the following SQL script but unfortunately, it won’t allow subqueries:

SELECT *

FROM dbo.test_fact_table

WHERE owner_id IN (

SELECT id

FROM dbo.user_mapping_file

WHERE name = CURRENT_USER()

)

Any help is appreciated. Thank you!

Labels:
Message 1 of 8
378 Views
0
2 ACCEPTED SOLUTIONS
tayloramy
Super User
Super User

‎04-17-2026 06:39 AM

Hi @Jaize ,  

The RLS rules don't allow subqueries, or the full SQL langauge at all for that matter. 

All rules must be in this form: 
SELECT * FROM {schema_name}.{table_name} WHERE {column_level_boolean_1}{column_level_boolean_2}...{column_level_boolean_N} 

 

I hope this is improved when OneLake Security goes GA. 

 

For now, the best option is to add the user column to the table you are filtering in your ETL process. 

 

If you want to learn more about OneLake Security, there's a live event happening on Tuesday at 18:00 UTC in the Fabric Discord server! https://discord.com/invite/RVFRmQyX?event=1487504921761677557

 





If you found this helpful, consider giving some Kudos.
If I answered your question or solved your problem, mark this post as the solution!
Join the Fabric Discord!

Proud to be a Super User!



View solution in original post

Message 2 of 8
372 Views
rizalard0684
Advocate II
Advocate II
In response to Jaize

‎04-19-2026 01:17 AM

+1 to @tayloramy that you can’t use subqueries or joins in OneLake / Fabric SQL RLS (as of today).

Regarding USERPRINCIPALNAME(), unfortunately there is no equivalent of USERPRINCIPALNAME() (DAX) available for OneLake / Lakehouse SQL RLS (as of today), this may work in Power BI DAX RLS with USERPRINCIPALNAME() but not in OneLake/Lakehouse.

My only suggestion is the same as @tayloramy's above, bring your user data (e.g. owner_email) into your fact table.

View solution in original post

Message 4 of 8
276 Views
7 REPLIES 7
v-karpurapud
Community Support
Community Support

Thursday

Hi @Jaize 

Thank you for posting your query in the Microsoft Fabric Community Forum, and thanks to @tayloramy , @rizalard0684 , @BHANUPURAM and @anuragccsu   for sharing valuable insights.

 

Could you please confirm if your query has been resolved by the provided solution?If you have any more questions, please let us know and we’ll be happy to help.

Regards,

Microsoft Fabric Community Support Team.

 

Message 7 of 8
147 Views
0
v-karpurapud
Community Support
Community Support
In response to v-karpurapud

Sunday

Hi @Jaize 

Following up since we haven't heard back regarding our previous message. Have you had a chance to review the information above? Please let us know if you have any further questions.

Regards,

Microsoft Fabric Community Support Team.



Message 8 of 8
80 Views
0
anuragccsu
Frequent Visitor

‎04-20-2026 05:55 AM

@Jaize 

In Microsoft Fabric's SQL Analytics Endpoint, you cannot apply a raw SELECT statement directly as a filter. This is same as explained by @BHANUPURAM .

You must:

1. Create a Security Function and then

2. Apply a Security Policy.

 

Why USERPRINCIPALNAME() won't work:

  • USERPRINCIPALNAME() is a DAX function used in Power BI measures and Power BI-side RLS.

  • Fabric SQL Analytics Endpoint uses the T-SQL engine.

Please refer the Microsoft Learn documentation on how to create the secrity function and policy:

https://learn.microsoft.com/en-us/fabric/data-warehouse/row-level-security 

Message 6 of 8
198 Views
BHANUPURAM
Advocate I
Advocate I

‎04-19-2026 10:18 PM

Hello Jaize,

 

Prerequisites (Access + Where to Configure):
Ensure you’re applying RLS on  the SQL analytics endpoint of a Lakehouse (this is where T‑SQL RLS is supported)
You need elevated permissions to create security objects (typically Workspace Admin/Member/Contributor or “Control permissions” on the SQL endpoint
  understood that you created user table where you maintain the user details
consider a table like dbo.user_mapping_file that maps the logged-in identity to permitted owner_id values (or whatever key filters your fact table 
Ensure the identity column in your mapping table matches what SQL can evaluate (commonly USER_NAME())
How to create RLS
step 1 : Create a Security Schema  

CREATE SCHEMA Security;
GO

STEP 2: Create a Table value function as follows:

CREATE FUNCTION Security.fn_owner_rls(@owner_id INT)
RETURNS TABLE
WITH SCHEMABINDING
AS
RETURN
(
    SELECT 1 AS fn_owner_rls_result
    WHERE EXISTS
    (
        SELECT 1
        FROM dbo.user_mapping_file um
        WHERE um.id = @owner_id
          AND um.name = USER_NAME()
    )
);
GO

Ensure that  rows where fact.owner_id exists for the current user in user_mapping_file 

Step 3:

Create and Enable the SECURITY POLICY (Attach Predicate to Fact Table)

CREATE SECURITY POLICY Security.OwnerAccessPolicy
ADD FILTER PREDICATE Security.fn_owner_rls(owner_id)
ON dbo.test_fact_table
WITH (STATE = ON);
GO 
RLS enforcement happens by creating a SECURITY POLICY and attaching a FILTER PREDICATE to the target table/column.
 
For the Lakehouse SQL analytics endpoint, remember the enforcement mode can influence whether SQL permissions vs OneLake roles drive access behavior
 step 4:
Testing / Validation Steps:
SELECT * FROM dbo.test_fact_table;  
 
You should see only the rows where owner_id is mapped to the querying identity (based on the predicate logic). 

 

please give KUDOS if you like my solutions  

 

Regards,

Bhanu Priya

 

Message 5 of 8
230 Views
tayloramy
Super User
Super User

‎04-17-2026 06:39 AM

Hi @Jaize ,  

The RLS rules don't allow subqueries, or the full SQL langauge at all for that matter. 

All rules must be in this form: 
SELECT * FROM {schema_name}.{table_name} WHERE {column_level_boolean_1}{column_level_boolean_2}...{column_level_boolean_N} 

 

I hope this is improved when OneLake Security goes GA. 

 

For now, the best option is to add the user column to the table you are filtering in your ETL process. 

 

If you want to learn more about OneLake Security, there's a live event happening on Tuesday at 18:00 UTC in the Fabric Discord server! https://discord.com/invite/RVFRmQyX?event=1487504921761677557

 





If you found this helpful, consider giving some Kudos.
If I answered your question or solved your problem, mark this post as the solution!
Join the Fabric Discord!

Proud to be a Super User!



Message 2 of 8
373 Views
Jaize
Regular Visitor
In response to tayloramy

‎04-17-2026 07:11 AM

Thank you for your response, tayloramy.

 

I was just wondering.. is there an equivalent to the USERPRINCIPALNAME() DAX function to fetch the UPN or email address of the viewer I can equate to my username/email column? Apparently, CURRENT_USER() is not working either.

Message 3 of 8
364 Views
0
rizalard0684
Advocate II
Advocate II
In response to Jaize

‎04-19-2026 01:17 AM

+1 to @tayloramy that you can’t use subqueries or joins in OneLake / Fabric SQL RLS (as of today).

Regarding USERPRINCIPALNAME(), unfortunately there is no equivalent of USERPRINCIPALNAME() (DAX) available for OneLake / Lakehouse SQL RLS (as of today), this may work in Power BI DAX RLS with USERPRINCIPALNAME() but not in OneLake/Lakehouse.

My only suggestion is the same as @tayloramy's above, bring your user data (e.g. owner_email) into your fact table.

Message 4 of 8
277 Views

Helpful resources

Announcements
FabCon and SQLCon Highlights Carousel

FabCon &SQLCon Highlights

Experience the highlights from FabCon & SQLCon, available live and on-demand starting April 14th.

New to Fabric survey Carousel

New to Fabric Survey

If you have recently started exploring Fabric, we'd love to hear how it's going. Your feedback can help with product improvements.

March Fabric Update Carousel

Fabric Monthly Update - March 2026

Check out the March 2026 Fabric update to learn about new features.

View All