Hi sumanthkakarla,

Based on my understanding, the newly created dimension tables (Health System, Facility, Test ID) are disconnected dimensions, meaning they are not naturally filtered by Row-Level Security (RLS) applied to the fact table. Power BI does not allow filter propagation from the fact table to the dimension tables in single-directional relationships. By default, filters only flow from dimension tables to fact tables. Consequently, even though RLS is filtering the fact table, the slicers from the new dimension tables will still display all values, as they are not filtered through RLS.

Please follow the approach outlined below, which may assist in resolving the issue:

1. Apply bidirectional relationships only to the slicer dimensions that are necessary for filtering (for example, Health System, Facility, Test ID). Since these dimensions are derived directly from the fact table, Power BI requires a bidirectional flow to enable the fact table, which is RLS-filtered, to pass the filter context back to the dimension tables.
2. Ensure that this is applied only to low-cardinality dimensions (such as Health System) and avoid applying it to all dimensions simultaneously to prevent query performance issues. To accomplish this:
   1. In Model View, click the relationship arrow between the fact table and each dimension table.
   2. Set the Cross-filter direction to Both.
   3. Enable "Apply security filter in both directions" only if the slicers must respond to RLS.

This will ensure that your slicers display only relevant values once RLS is applied.

If you find this response helpful, kindly mark it as the accepted solution and provide kudos. This will assist other community members who are facing similar queries.

Thank you.

Hi sumanthkakarla,

We have not received a response from you regarding the query and were following up to check if you have found a resolution. If you have identified a solution, we kindly request you to share it with the community, as it may be helpful to others facing a similar issue.

If you find the response helpful, please mark it as the accepted solution and provide kudos, as this will help other members with similar queries.

Thank you.

Hi sumanthkakarla,

In the current configuration, the filter flows from CLIENT_LOOKUP to client_account_bridge, thereby allowing all data to pass through unrestricted.

In my view, the issue arises due to the direction of the filter. It should flow in the opposite direction from client_account_bridge to CLIENT_LOOKUP in order to effectively enforce Row-Level Security (RLS) restrictions.

By setting the cross-filter direction to Both and applying RLS on the client_account_bridge table, end users will be able to view only their assigned accounts. Meanwhile, internal users with full access will be able to view all data without any limitations.

If you find our response helpful, we kindly request you to mark it as the accepted solution and provide your valuable kudos. This will assist other community members who may have similar queries.

Thank you.

Hi sumanthkakarla,

Thank you for your follow-up.

Kindly follow the steps mentioned below, which may assist in resolving the issue:

1. Ensure that relationships are configured with single-directional filtering to support Row-Level Security (RLS):

   • USER_LOOKUP → client_account_bridge.Establish a one-to-many relationship with the filter flowing from USER_LOOKUP to client_account_bridge.

   • client_account_bridge → CLIENT_LOOKUP.Define a many-to-one relationship with the default filter flowing from CLIENT_LOOKUP to client_account_bridge. The RLS filter direction will be managed in Step 2.

   • CLIENT_LOOKUP → TAT Only.Create a one-to-many relationship with the filter flowing from CLIENT_LOOKUP to TAT Only.

   In the Model view, double-click on each relationship to confirm the cardinality, and set the Cross-Filter Direction to "Single" to ensure predictable filter propagation and optimal performance.

2. To ensure that the RLS filter propagates correctly from client_account_bridge to CLIENT_LOOKUP and subsequently to TAT Only:

   • Apply the RLS filter to the client_account_bridge table. This will restrict the bridge table based on the logged-in user, allowing the filter to naturally propagate through the relationships to CLIENT_LOOKUP and TAT Only. This method eliminates the need for bidirectional filtering.

   • Navigate to the Modeling tab, click on Manage Roles, and create a new role named "Dynamic RLS".

   • Apply the RLS filter to client_account_bridge to determine whether the logged-in user has access to all data (based on a predefined condition) or only their assigned accounts.

   • Save the role and test its functionality using the View As feature with sample users (e.g., an internal user with full access and an external user with restricted access).

This approach ensures that the correct data is displayed while maintaining optimal performance by avoiding bidirectional filtering.

If you find this response helpful, kindly mark it as the accepted solution and provide your feedback. Your acknowledgment will assist other community members facing similar queries.

Thank you.

Hi sumanthkakarla,

Thank you for your follow-up query. I sincerely apologise for any confusion.

1.The data model employs a bridge table to resolve the many-to-many relationship between USER_LOOKUP and CLIENT_LOOKUP, which is the appropriate approach. However, it is essential to ensure that the relationships are configured with single-directional filtering to facilitate the correct propagation of the RLS filter.

The relationships should be defined as follows:

USER_LOOKUP[USERNAME] → Bridge Table[USERNAME] (One-to-Many, Single Direction).

Bridge Table[CLIENT_ACCOUNT_NUMBER] → CLIENT_LOOKUP[CLIENT_ACCOUNT_NUMBER] (Many-to-One, Single Direction).

CLIENT_LOOKUP[CLIENT_ACCOUNT_NUMBER] → TAT Only[CLIENT_ACCOUNT_NUMBER] (One-to-Many, Single Direction).

In the Model View, kindly double-click on each relationship and set the Cross Filter Direction to Single (not Both). This configuration ensures that the RLS filter flows correctly from USER_LOOKUP to TAT Only through the bridge table.
2.Please apply the following DAX expression to the USER_LOOKUP table for RLS and verify if it resolves the issue:

VAR UserHasAllAccess =
CALCULATE(
COUNTROWS('Bridge Table'),
'Bridge Table'[USERNAME] = USERPRINCIPALNAME() &&
'Bridge Table'[CLIENT_ACCOUNT_NUMBER] = "ALL"
) > 0

RETURN
UserHasAllAccess || 'Bridge Table'[USERNAME] = USERPRINCIPALNAME()

Next, navigate to Modeling, select Manage Roles, and create a new role named Dynamic RLS. Apply the above DAX expression to USER_LOOKUP and save the changes. This configuration ensures that internal users have access to all data, whereas external users can view only their respective accounts.

To test RLS, go to Modeling, select View As, and choose the Dynamic RLS role.

If you find our response helpful, kindly mark it as the accepted solution and provide kudos, as this will assist other community members facing similar queries.

Thank you.

Hi sumanthkakarla,

Thank you for the update.

Kindly follow the steps mentioned below, which may help resolve the issue:

1. Internal users should have access to all data, whereas external users should only be able to view data linked to specific accounts.The revised DAX logic should ensure that if the logged-in user has "ALL" as their CLIENT_ACCOUNT_NUMBER, they are granted full access. Otherwise, they should only be able to view data associated with their assigned accounts.
   
   VAR UserHasAllAccess =
   CALCULATE(

        COUNTROWS( 'NEW_ACCOUNT_MAP' ),

        'NEW_ACCOUNT_MAP'[USERNAME] = USERPRINCIPALNAME() &&

        'NEW_ACCOUNT_MAP'[CLIENT_ACCOUNT_NUMBER] = "ALL"

    ) > 0

RETURN

    UserHasAllAccess ||

    'NEW_ACCOUNT_MAP'[USERNAME] = USERPRINCIPALNAME()

This optimized DAX logic eliminates unnecessary FILTER and MAXX functions, reducing computational overhead.
 

2. Correcting Table Relationships (Single-Directional Filtering)
   
   

   USER_LOOKUP[USERNAME] → CLIENT_LOOKUP[CLIENT_ACCOUNT_NUMBER]

   CLIENT_LOOKUP[CLIENT_ACCOUNT_NUMBER] → TAT Only[CLIENT_ACCOUNT_NUMBER]

    

   USER_LOOKUP should filter CLIENT_LOOKUP, which in turn filters TAT Only.To enhance performance, avoid many-to-many (M:M) relationships. Ensure single-directional filters for correct data propagation.

If you find our response helpful, kindly mark it as the accepted solution and provide kudos. This will assist other community members facing similar queries.

Thank you.

Thank you @v-pnaroju-msft i will give it a try and let you know, our dashbaord has 4 visuals, one of the visual is detailed data, so i can't aggrigate data before importing.

Quick question is, about the revised dax that you are suggesting, so if my logged in user in my account map table and his clienct_account_number says ALL then only i have to show the user with all data if not i have to display the data only relevant to that perticular user, where are we checking the second conditon in your DAX , i will give it a try and let you know

Hi @sumanthkakarla,

Thank you for your inquiry through the Microsoft Fabric Community Forum.

Implementing Row-Level Security (RLS) in Power BI for a large user base necessitates careful optimisation to maintain performance. Kindly follow the steps outlined below to enhance efficiency:

1. Establish relationships using integer keys instead of strings for efficient joins.Since this has already been implemented, you are on the right track.

2. Instead of using MAXX and FILTER, consider a more direct approach, as illustrated below:

   'NEW_ACCOUNT_MAP'[USERNAME] = USERPRINCIPALNAME() || 'NEW_ACCOUNT_MAP'[CLIENT_ACCOUNT_NUMBER] = "ALL"
   This expression verifies whether the logged-in user has access to specific accounts or all accounts directly, thereby reducing computational overhead.

3. If high granularity is unnecessary, aggregate data before importing to reduce processing load.
4. Measures are computed on demand, making them more efficient than calculated columns. Additionally, simplify DAX expressions to minimise the use of complex filters and calculations within measures.
5. Regularly track usage and assess user concurrency to prevent performance issues.
   

   
   For further reference, please visit:
   Row-level security (RLS) guidance in Power BI Desktop - Power BI | Microsoft Learn
   
   

   If this response is helpful, kindly mark it as the accepted solution and provide kudos to assist other community members.
   
   Thank you.