Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

The Power BI Data Visualization World Championships is back! Get ahead of the game and start preparing now! Learn more

Reply
Chewdata
Super User
Super User

RLS Filtering additional dimensions

‎12-09-2025 01:17 AM

Hello! 

I can use your help with a Row Level Security question. 

I have a model on which I applied RLS based on the UPN, which works fine.
RLS filters the table Team (bridge) which in turn filters Regelingen (dim) which filters Registraties (fact) and other facttables.

We also have the dimensions Behandelaar and Reviewer which both have a long list of employees. Both have a column Team which corresponts with the column team in table Team.

Chewdata_1-1765271384689.png


My question:
I would like to filter both the Behandelaar and Reviewer Dimensions based on the RLS filtered Teams, so users only see the Behandelaren and Reviewers from their own team in the slicers. I have tried to add Behandelaren[Team] IN VALUES(Team[Team]) and Reviewer[Team] IN VALUES(Team[Team]) in the UPN role. But that doesn't seem to do the trick.

 

What would be the correct and cleanest way to have the slicers based on Behandelaar and Reviewer show only employees from the team. There are multiple facttables in the model, so the dimensions are needed.

Chewdata_2-1765271672805.png

 

 

Labels:
Message 1 of 6
253 Views
0
1 ACCEPTED SOLUTION
xifeng_L
Super User
Super User

‎12-09-2025 01:27 AM

Hi @Chewdata 

 

Your approach is correct; you need to add restrictions for Behandelaren and Reviewers to the RLS role, but the expression you used is wrong.

 

You should first filter out the Teams permissions that the current user has, and then use those items to restrict Behandelaren and Reviewers.

 

In short, you need to change Behandelaren[Team] IN VALUES(Team[Team]) to:

 

 

VAR AccessTeamItems = 
    CALCULATETABLE(
        VALUES(RLS[Team]),
        RLS[UPN]=USENAME(),
        ALL()
    )
RETURN
Behandelaren[Team] IN AccessTeamItems
// Reviewers[Team] IN AccessTeamItems

 

 

Did I answer your question? If yes, pls mark my post as a solution and appreciate your Kudos !

 

Thank you~

View solution in original post

Message 3 of 6
233 Views
0
5 REPLIES 5
ChielFaber
Solution Specialist
Solution Specialist

‎12-09-2025 01:36 AM

The cleanest solution is to let the data model do the work rather than trying to force it with VALUES() inside the RLS role.

Your RLS already works like this:

RLS (UPN) → Team → Regelingen → Registraties (+ other facts)

To ensure Behandelaar and Reviewer are filtered the same way, simply connect them to Team as well:

  • Relationship: Team[Team] (1) → Behandelaar[Team] (*)

  • Relationship: Team[Team] (1) → Reviewer[Team] (*)

  • Cross-filter direction: Single (from Team to the dimension is enough)

Keep your RLS as it is on the RLS/Users table (RLS[UPN] = USERPRINCIPALNAME()).

Since RLS already filters the Team table, that filter will automatically propagate through these relationships and restrict both dimensions. Your slicers for Behandelaar and Reviewer will then only show employees from the allowed teams—without needing extra DAX conditions.

So the key is: solve it in the model, not in the VALUES() expression.

 

RLS (Users)
|
| 1:* (RLS filters Team via UPN → Team mapping)
v
Team
├── 1:* → Regelingen → 1:* → Registraties
├── 1:* → Behandelaar
└── 1:* → Reviewer


[Tip] Keep CALM and DAX on.
[Solved?] Hit “Accept as Solution” and leave a Kudos.
[About] Chiel | SuperUser (2023–2) |
Message 5 of 6
223 Views
0
xifeng_L
Super User
Super User
In response to ChielFaber

‎12-09-2025 01:42 AM

It looks like an AI answer, Teams cannot be connected to the Behandelaren or Reviewers tables because they will eventually control the Registries table, which will result in an error. Because there can only be one relationship path between two tables.

Message 6 of 6
220 Views
0
xifeng_L
Super User
Super User

‎12-09-2025 01:27 AM

Hi @Chewdata 

 

Your approach is correct; you need to add restrictions for Behandelaren and Reviewers to the RLS role, but the expression you used is wrong.

 

You should first filter out the Teams permissions that the current user has, and then use those items to restrict Behandelaren and Reviewers.

 

In short, you need to change Behandelaren[Team] IN VALUES(Team[Team]) to:

 

 

VAR AccessTeamItems = 
    CALCULATETABLE(
        VALUES(RLS[Team]),
        RLS[UPN]=USENAME(),
        ALL()
    )
RETURN
Behandelaren[Team] IN AccessTeamItems
// Reviewers[Team] IN AccessTeamItems

 

 

Did I answer your question? If yes, pls mark my post as a solution and appreciate your Kudos !

 

Thank you~

Message 3 of 6
234 Views
0
Chewdata
Super User
Super User
In response to xifeng_L

‎12-09-2025 02:11 AM

Yes this totaly did the trick, thanks a lot!

Message 4 of 6
198 Views
0
rohit1991
Super User
Super User

‎12-09-2025 01:19 AM

Hii @Chewdata 

 

Add separate RLS rules on Behandelaar and Reviewer tables using [Team] IN VALUES(Team[Team]) so they inherit the same Team restriction created by the UPN filter on the Team table; this is the cleanest and supported way to make the slicers show only employees from the user’s own team.


Did it work? ✔ Give a Kudo • Mark as Solution – help others too!
Message 2 of 6
249 Views
0

Helpful resources

Announcements
Power BI DataViz World Championships

Power BI Dataviz World Championships

The Power BI Data Visualization World Championships is back! Get ahead of the game and start preparing now!

December 2025 Power BI Update Carousel

Power BI Monthly Update - December 2025

Check out the December 2025 Power BI Holiday Recap!

FabCon Atlanta 2026 carousel

FabCon Atlanta 2026

Join us at FabCon Atlanta, March 16-20, for the ultimate Fabric, Power BI, AI and SQL community-led event. Save $200 with code FABCOMM.

View All