Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Be one of the first to start using Fabric Databases. View on-demand sessions with database experts and the Microsoft product team to learn just how easy it is to get started. Watch now

Reply
jmunn
Regular Visitor

Multiple Role-Playing Dimension and RLS

‎12-12-2024 01:04 PM

Hi, 

 

I've browsed around existing questions for a while but so far haven't seen my issue, and ChatGPT is giving me the runaround so far, so figured I would post my question. It has to do with the intersection of multiple-role-playing dimensions and RLS. 

 

In my data model, I have a fact table in which location is used in two ways - let's say location_departure and location_arrival. I have a separate dimension table containing all the location values. Since I need to filter/interact with the fact table using location across both fields and can't have two active relationships, and because this dimension table is relatively small, I copied it using Reference in Power Query, so now have two identical tables that can filter on location_departure and location_arrival, respectively. So far so good, and this works beautifully for a user with access to all the data.

 

However, I need RLS to restrict users to only allowable locations. So I've added a role using USERPRINCIPALNAME() that checks for the user in each of the the location_departure dimension table and location_arrival table. That works too so far. 

 

The issue becomes how that RLS is filtering the fact table. I need users to have access to records in the fact table when the user's location value matches either location_departure OR location_arrival. Here's what I'd like a user to have access to:

jmunn_2-1734037124510.png

 

But the way it's working now, it's applying both filters to the fact table so that the only records available to the user are those where both the location_departure and location_arrival values are the same:

 

jmunn_3-1734037163539.png

 

I understand what's happening, but I can't figure out a way around this issue. Any help or thoughts on a different approach?

 

Thank you for any insights. 

Labels:
Message 1 of 10
325 Views
0
1 ACCEPTED SOLUTION
v-jianpeng-msft
Community Support
Community Support
In response to jmunn

‎12-18-2024 10:11 PM

Hi, @jmunn 

Based on the image you showed at the end, I've created a simple data set:

vjianpengmsft_0-1734588409236.png

My relationship is as follows:

vjianpengmsft_1-1734588438759.png

I created an RLS role as follows:

vjianpengmsft_2-1734588480972.png

vjianpengmsft_3-1734588488527.png

FACT Table DAX:

VAR _user_location = MAXX(FILTER('UserInfo','UserInfo'[Email] = USERPRINCIPALNAME()),'UserInfo'[Location])
VAR _table = SELECTCOLUMNS(CALCULATETABLE('REF',FILTER('REF','REF'[Location] = _user_location)),'REF'[DepartmentArrivalCombination])
RETURN 'FACT'[DepartmentArrivalConcatenated] IN _table

Be able to get the results you expect:

vjianpengmsft_4-1734588608794.png

I've uploaded the PBIX file I used this time below.

 

 

Best Regards

Jianpeng Li

If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.

 

 

 

 

View solution in original post

RLS111.pbix
Message 7 of 10
107 Views
0
9 REPLIES 9
v-jianpeng-msft
Community Support
Community Support

‎12-17-2024 05:56 PM

Thank you for your solution AMeyersen and lbendlin 

Hi, @jmunn 

I wish you all the best. Super user and AMeyersen from the previous forum have provided solutions to help you solve the problem. I see that AMeyersen provides detailed screenshots and DAX expressions, I would like to confirm, have you successfully solved this issue or do you need further help?
If yes, you are welcome to share your workaround and mark it as a solution so that other users can benefit as well. If you find a reply particularly helpful to you, you can also mark it as a solution.
If you still have any questions or need more support, you can ask them in a new post and we are more than happy to continue to help you.

 

Best Regards

Jianpeng Li

Message 8 of 10
169 Views
0
jmunn
Regular Visitor
In response to v-jianpeng-msft

‎12-18-2024 07:22 AM

Hi @v-jianpeng-msft, my apologies for not replying sooner.

 

I am currently attempting the ideas that @AMeyersen and @lbendlin suggested, so not sure if I need further help or not.  I will reply to each directly. 

Message 9 of 10
153 Views
0
AMeyersen
Resolver II
Resolver II
In response to jmunn

‎12-18-2024 07:40 AM

Hi @jmunn ,

 

in the usual approach to set up a star schema, the fact table would not filter the dimension tables.
You can test using a bidrectional relationship betwenn the fact table and the two dimension tables. Make sure to check "enable security filter in both directions" in the relationship settings.

Then users would only see dimension values which are relevant for them. I am not sure about performance penalties in this approach. That's something you'd need to test.

Message 10 of 10
145 Views
AMeyersen
Resolver II
Resolver II

‎12-13-2024 01:23 AM

Hi @jmunn ,
if RLS does not need to apply to dimensions (users may see all dimension values) you could use a much simpler approach.

  1. Disconnect the RLS table from both dimension tables
    AMeyersen_0-1734081513706.png

  2. Update the RLS statement using the advanced editor and filter directly on the fact table
    AMeyersen_1-1734081621955.png

  3. use a statement like this for RLS:

 

OR (
    [Location_Arrival]
        == LOOKUPVALUE ( 'RLS-Table'[Location], 'RLS-Table'[Email], USERPRINCIPALNAME () ),
    [Location_Departure]
        == LOOKUPVALUE ( 'RLS-Table'[Location], 'RLS-Table'[Email], USERPRINCIPALNAME () )
)​

If multiple locations can be assigned to single users, the DAX statement would look something like this:

VAR _locations =
    SELECTCOLUMNS (
        CALCULATETABLE ( 'RLS-Table', 'RLS-Table'[Email] = USERPRINCIPALNAME () ),
        [Location]
    )
RETURN
    OR ( [Location_Arrival] IN _locations, [Location_Departure] IN _locations )

 

Message 5 of 10
232 Views
0
jmunn
Regular Visitor
In response to AMeyersen

‎12-18-2024 07:41 AM

 

 

Thank you @AMeyersen!

Re: whether users may see all dimension values or not: there are ~1700 dimension values in total, so it would be somewhat cumbersome for a user to have to navigate among them, even with search enabled in the slicer. However, if I understand your suggested approach correctly, the now-RLS-filtered fact table should be able to filter the two dimension tables anyway? 

I had another question regarding this solution re: applying RLS to the fact table directly: There's a possibility that my data model will eventually grow to include additional fact tables. Would this solution be extendable to those fact tables also, or would they need to filter via relationship to the current fact table?

Message 6 of 10
143 Views
0
v-jianpeng-msft
Community Support
Community Support
In response to jmunn

‎12-18-2024 10:11 PM

Hi, @jmunn 

Based on the image you showed at the end, I've created a simple data set:

vjianpengmsft_0-1734588409236.png

My relationship is as follows:

vjianpengmsft_1-1734588438759.png

I created an RLS role as follows:

vjianpengmsft_2-1734588480972.png

vjianpengmsft_3-1734588488527.png

FACT Table DAX:

VAR _user_location = MAXX(FILTER('UserInfo','UserInfo'[Email] = USERPRINCIPALNAME()),'UserInfo'[Location])
VAR _table = SELECTCOLUMNS(CALCULATETABLE('REF',FILTER('REF','REF'[Location] = _user_location)),'REF'[DepartmentArrivalCombination])
RETURN 'FACT'[DepartmentArrivalConcatenated] IN _table

Be able to get the results you expect:

vjianpengmsft_4-1734588608794.png

I've uploaded the PBIX file I used this time below.

 

 

Best Regards

Jianpeng Li

If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.

 

 

 

 

RLS111.pbix
Message 7 of 10
108 Views
0
lbendlin
Super User
Super User

‎12-12-2024 03:29 PM 
I need users to have access to records in the fact table when the user's location value matches either location_departure OR location_arrival.

Create a reference table that lists all combinations in your fact table for departure and arrival.

Create another reference table with all locations.

 

Control the locations table from the RLS.

Control the combinations table from the locations table

Control the fact table from the combinations table.

Message 2 of 10
281 Views
0
jmunn
Regular Visitor
In response to lbendlin

‎12-12-2024 07:39 PM

Thank you @lbendlin for this.

I'm trying to figure out how that would work: 

jmunn_1-1734060757746.png

In this approach, it seems that for each location, the Combinations table needs to include a record for every combination in which that location is involved, departure and/or arrival. 

 

Is this what you had in mind?

Message 3 of 10
246 Views
0
lbendlin
Super User
Super User
In response to jmunn

‎12-13-2024 04:23 AM

Please provide sample data that fully covers your issue.

Message 4 of 10
219 Views
0

Helpful resources

Announcements
Las Vegas 2025

Join us at the Microsoft Fabric Community Conference

March 31 - April 2, 2025, in Las Vegas, Nevada. Use code MSCUST for a $150 discount!

Dec Fabric Community Survey

We want your feedback!

Your insights matter. That’s why we created a quick survey to learn about your experience finding answers to technical questions.

ArunFabCon

Microsoft Fabric Community Conference 2025

Arun Ulag shares exciting details about the Microsoft Fabric Conference 2025, which will be held in Las Vegas, NV.

December 2024

A Year in Review - December 2024

Find out what content was popular in the Fabric community during 2024.

View All