Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Don't miss out! 2025 Microsoft Fabric Community Conference, March 31 - April 2, Las Vegas, Nevada. Use code MSCUST for a $150 discount. Prices go up February 11th. Register now.

Reply
PoojaG
Helper II
Helper II

Proxy user for dynamic row level security with organizational hierarchy

‎04-01-2024 12:34 PM

Hello,

Overview: I created a report which uses Path function to get the org hierarchy structure and based on that I created a User role with the below dax formula: 

pathcontains([path],userprincipalname()) && [EMAIL_ADDR] <> userprincipalname()

This allows the user to see data only under his org.

Problem: There are few users at CEO level who may or may not open this report even though they have access but have their Chief of Staff to view the report for them. I have the manual list of such users which I can import.

Question: How do I incorporate another condition in the above dax query to allow proxy users (Chief of staff) to access the report only for their corresponding CEO's?

thank you!

Labels:
Message 1 of 7
401 Views
0
1 ACCEPTED SOLUTION
PoojaG
Helper II
Helper II

‎04-05-2024 12:27 PM

I was able to find a solution. 

  • I created a Proxy users table with the list of email ids who needed a proxy users to access on thier behalf. it's a simple table with two columns. Email id and Proxy email id. 
  • On the Master user table where I already had a path function, I created a calculated column as below: Level 2 = LOOKUPVALUE(Master[EMAIL_ADDR], Master[EMAIL_ADDR], PATHITEM(Master[Path],2,TEXT))This basically breaks down the Path and returns the 2nd level from the path where the proxy users will be needed.
  • created a relationship between the Proxy user and Master table (1:M)
  • On othe master table, created a calculated column Proxy user = IF(PATHCONTAINS(Master[path],RELATED('Proxy users'[email address])) && Master[EMAIL_ADDR] <> RELATED('Proxy users'[email address]),RELATED('Proxy users'[Proxy email]),RELATED('Proxy users'[email address]))
  • Finally, created a new role called Proxy user and filtered on the master table where [Proxy user] = userprincipalname()

It works perfectly!

 

 

 

View solution in original post

Message 7 of 7
296 Views
0
6 REPLIES 6
PoojaG
Helper II
Helper II

‎04-05-2024 12:27 PM

I was able to find a solution. 

  • I created a Proxy users table with the list of email ids who needed a proxy users to access on thier behalf. it's a simple table with two columns. Email id and Proxy email id. 
  • On the Master user table where I already had a path function, I created a calculated column as below: Level 2 = LOOKUPVALUE(Master[EMAIL_ADDR], Master[EMAIL_ADDR], PATHITEM(Master[Path],2,TEXT))This basically breaks down the Path and returns the 2nd level from the path where the proxy users will be needed.
  • created a relationship between the Proxy user and Master table (1:M)
  • On othe master table, created a calculated column Proxy user = IF(PATHCONTAINS(Master[path],RELATED('Proxy users'[email address])) && Master[EMAIL_ADDR] <> RELATED('Proxy users'[email address]),RELATED('Proxy users'[Proxy email]),RELATED('Proxy users'[email address]))
  • Finally, created a new role called Proxy user and filtered on the master table where [Proxy user] = userprincipalname()

It works perfectly!

 

 

 

Message 7 of 7
297 Views
0
lbendlin
Super User
Super User

‎04-01-2024 05:01 PM

That sounds more like static RLS.  In dynamic RLS scenarios you usually have a mapping table that list all permissions for each user separately, and allows you to handle such proxy scenarios with ease.

Message 2 of 7
364 Views
0
PoojaG
Helper II
Helper II
In response to lbendlin

‎04-04-2024 08:00 AM

I want the dynamic rls to be still in-tact. So perhaps create a separate report for proxy users and apply static rls. Do you have any document I can follow to execute this?  

Message 3 of 7
332 Views
0
lbendlin
Super User
Super User
In response to PoojaG

‎04-04-2024 09:14 AM

That's what I am saying - go full dynamic RLS. Have a reference table with all the permissions for all the users.

Message 4 of 7
320 Views
0
PoojaG
Helper II
Helper II
In response to lbendlin

‎04-04-2024 10:59 AM

I'm sorry, I'm not following. Currently I have created one role as "User" with the below formula:

pathcontains([path],userprincipalname()) && [EMAIL_ADDR] <> userprincipalname()

query for path is simple = path(EMAIL_ADDR, manager_email)

Access is provided only to leadership roles. but for some leaders, we want to provide access to their chief of staff (proxy users) to view the report on their behalf if they are not able to for some reason. 

How do I embed this additional condition to the dax for the role created? 

or shall I create another role for proxy users? 

Message 5 of 7
313 Views
0
lbendlin
Super User
Super User
In response to PoojaG

‎04-04-2024 11:14 AM

What you are doing is not dynamic RLS. It's something in between.  Dynamic RLS maps a USERPRINCIPALNAME() to a reference table that holds all permissions.

Message 6 of 7
310 Views
0

Helpful resources

Announcements
Las Vegas 2025

Join us at the Microsoft Fabric Community Conference

March 31 - April 2, 2025, in Las Vegas, Nevada. Use code MSCUST for a $150 discount!

December 2024

A Year in Review - December 2024

Find out what content was popular in the Fabric community during 2024.

View All