Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

The Power BI Data Visualization World Championships is back! Get ahead of the game and start preparing now! Learn more

Reply
Anonymous
Not applicable

Dynamic RLS By Group and Many to Many

‎07-18-2024 09:14 AM

Hi,

I have quite a few data tables that I need to use RLS based upon their contract.  There are some employees where they need to be able to see more than one contract.

I have a Sales Table and and an Employee Table and I want the employee to only see the sales for the contracts that they have access to.  

As an Example, Employee 2 could only see Contract B Sales.

 

I have been trying to play around witht this and I cannot seem to get it to work with using userpprincipal name.  I am guessing that I need a bridge table but just need a push in the right direction to get this work.   

 

Can someone help me?

Thanks

Sales   
 ContractMonthValue
 AJan-24500
 AFeb-24550
 BJan-24600
 BFeb-24650
 CJan-24700
 CFeb-24750

 

 

Employee Table   
 EmployeeIDEmailContract
 11@whatever.comA
 22@whatever.comB
 33@whatever.comA
 44@whatever.comC
 55@whatever.comB
 11@whatever.comC

 

 

 

 

 

 

Desired Results

 

      
View A   View by employee 1, 3
 ContractMonthValue  
 AJan-24500  
 AFeb-24550  
      
View C   View by Employee 1,4
 CJan-2450  
 CFeb-24100  

 

 

Labels:
Message 1 of 6
794 Views
0
1 ACCEPTED SOLUTION
Anonymous
Not applicable

‎07-18-2024 06:53 PM

Hi @Anonymous ,

I created my own data for testing:

vjunyantmsft_0-1721353615875.png

vjunyantmsft_1-1721353628441.png

Remember to create relationship between the two tables:

vjunyantmsft_2-1721353667163.png

Then create Dynamic RLS:

vjunyantmsft_3-1721353694347.png

After publishing to Service, in Semantic model > security:

vjunyantmsft_4-1721353751487.png

Add the accounts involved in RLS:

vjunyantmsft_5-1721353792929.png

Make sure that the user in the RLS is in the viewer role in the workspace, otherwise the RLS will not work!

vjunyantmsft_6-1721353853285.png

And the final output is as below:

vjunyantmsft_7-1721353972869.png


Best Regards,
Dino Tao
If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.

View solution in original post

Message 2 of 6
744 Views
0
5 REPLIES 5
connect
Resolver I
Resolver I

‎07-23-2024 12:15 PM

Hi there, 
To implement Row-Level Security (RLS) in Power BI so employees only see sales data for their contracts, follow these steps:

Step 1: Create and Verify Tables

You already have:

  1. Sales Table with columns: Contract, Month, Value
  2. Employee Table with columns: EmployeeIDEmail, Contract

Step 2: Define Relationships

  1. Load both tables into Power BI.
  2. In Model view, create a relationship between:
    • Sales[Contract] and Employee[Contract].

Step 3: Set Up RLS

  1. Go to Modeling > Manage Roles.
  2. Create a new role named ContractAccess.
  3. Add a DAX filter to the Employee table:
     
    Use the following Code: 
     
    [EmployeeIDEmail] = USERPRINCIPALNAME()

Step 4: Assign and Test Roles

  1. Publish your report to Power BI Service.
  2. In the workspace, go to Security.
  3. Assign users to the ContractAccess role.
  4. Test by viewing the report as specific users to ensure proper data visibility.

This setup ensures employees only see the sales data relevant to their contracts.

Message 6 of 6
676 Views
0
Anonymous
Not applicable

‎07-23-2024 12:06 PM

Actually I guess I am just a bit worried about the many to many with the RLS.  It looks like that doesn't seem to be an issue here at all?  Thanks!

Message 5 of 6
687 Views
0
Anonymous
Not applicable

‎07-23-2024 07:49 AM

Would you mind sharing that file with me?  Thanks!

Message 3 of 6
695 Views
0
Anonymous
Not applicable
In response to Anonymous

‎07-23-2024 05:24 PM

Hi @Anonymous ,

Sorry I can't share the pbix file. Because testing Dynamic RLS requires the use of some organisational accounts, which means that it contains sensitive data that I can't share with others because of the company's security policy.

But really you don't need to worry about what type of relationship you have, you just need to have a clear definition of who can see what between the two tables and then create the relationship based on that definition.

Best Regards,
Dino Tao
If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.

Message 4 of 6
665 Views
0
Anonymous
Not applicable

‎07-18-2024 06:53 PM

Hi @Anonymous ,

I created my own data for testing:

vjunyantmsft_0-1721353615875.png

vjunyantmsft_1-1721353628441.png

Remember to create relationship between the two tables:

vjunyantmsft_2-1721353667163.png

Then create Dynamic RLS:

vjunyantmsft_3-1721353694347.png

After publishing to Service, in Semantic model > security:

vjunyantmsft_4-1721353751487.png

Add the accounts involved in RLS:

vjunyantmsft_5-1721353792929.png

Make sure that the user in the RLS is in the viewer role in the workspace, otherwise the RLS will not work!

vjunyantmsft_6-1721353853285.png

And the final output is as below:

vjunyantmsft_7-1721353972869.png


Best Regards,
Dino Tao
If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.

Message 2 of 6
745 Views
0

Helpful resources

Announcements
Power BI DataViz World Championships

Power BI Dataviz World Championships

The Power BI Data Visualization World Championships is back! Get ahead of the game and start preparing now!

December 2025 Power BI Update Carousel

Power BI Monthly Update - December 2025

Check out the December 2025 Power BI Holiday Recap!

FabCon Atlanta 2026 carousel

FabCon Atlanta 2026

Join us at FabCon Atlanta, March 16-20, for the ultimate Fabric, Power BI, AI and SQL community-led event. Save $200 with code FABCOMM.

View All