Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Be one of the first to start using Fabric Databases. View on-demand sessions with database experts and the Microsoft product team to learn just how easy it is to get started. Watch now

Reply
CatoD
Helper I
Helper I

RLS - Give access to all data in one specified table, ignoring RLS rules

‎09-17-2024 03:51 AM

Hi,

 

Problem: 

There is already working RLS solution based on dimension with departments (eg. User X has access to Department D.01 etc.)

The report contains many KPI's, I need to give the user access to one of the KPI, to which his department doesn't have access.

The data for this KPI is in separated fact table. 

 

I could just give this user X access, to data from other departments, but that's not the solution i'm looking for.

 

The expected result is, that the user X has access to all the data for his department, and all the data for the KPI 'ABC' (which is available in other departments).

 

 

Labels:
Message 1 of 6
281 Views
0
1 ACCEPTED SOLUTION
amitchandak
Super User
Super User

‎09-17-2024 05:55 AM

@CatoD , Please find the file attached. You need small modifications to have other values. You can do that by subtracting the values Non All from All

 

I have done this item. Duplicated Item as Item New( You need to use all columns, I used one for column), then I created relation between RLS -> Item ALL -> Item. 

Hide the Item

and used only Item all in visual 

 

amitchandak_0-1726577662776.png

 

 

Join us as experts from around the world come together to shape the future of data and AI!
At the Microsoft Analytics Community Conference, global leaders and influential voices are stepping up to share their knowledge and help you master the latest in Microsoft Fabric, Copilot, and Purview.
️ November 12th-14th, 2024
 Online Event
Register Here

View solution in original post

AT Small RLS have all too.pbix
Message 4 of 6
225 Views
5 REPLIES 5
v-stephen-msft
Community Support
Community Support

‎09-20-2024 02:17 AM

Hi @CatoD ,

 

Everyone's insights are great. I just want to confirm that if you have solved it.

Please mark the helpful replies as solutions, so that more people will benefit from it.

Thanks.

 

Best Regards,

Stephen Tao

 

 

Message 6 of 6
190 Views
0
amitchandak
Super User
Super User

‎09-17-2024 05:55 AM

@CatoD , Please find the file attached. You need small modifications to have other values. You can do that by subtracting the values Non All from All

 

I have done this item. Duplicated Item as Item New( You need to use all columns, I used one for column), then I created relation between RLS -> Item ALL -> Item. 

Hide the Item

and used only Item all in visual 

 

amitchandak_0-1726577662776.png

 

 

Join us as experts from around the world come together to shape the future of data and AI!
At the Microsoft Analytics Community Conference, global leaders and influential voices are stepping up to share their knowledge and help you master the latest in Microsoft Fabric, Copilot, and Purview.
️ November 12th-14th, 2024
 Online Event
Register Here
AT Small RLS have all too.pbix
Message 4 of 6
226 Views
CatoD
Helper I
Helper I
In response to amitchandak

‎09-20-2024 07:54 AM

Thank you, your idea solved my issue.

So I did the following:
Since all fact tables in my data model consist of a column 'kpiName', I had to just create a technical dimension 'dRLS_KPI' with 2 columns: idKPI and kpiName.
The dimension should have all KPI names in the data model. Create a one-to-many relation with the fact tables.
Create another technical table ('dRLS_USERPRINCIPALNAME') with 2 columns: idKPI and userprincipalname.
There should be specified IDs of the KPIs the user should have access to and the USERPRINCIPALNAME.
Create a relation with the dimension 'dRLS_KPI'.
Last step is to create a viewing role, which filters 'dRLS_USERPRINCIPALNAME'.
Add the user to the new role.

Now the RLS works both ways: the user has access to the whole fact table for specified KPIs in 'dRLS_KPI' as well as for RLS created for the 'department' dimension.

Message 5 of 6
179 Views
0
Darui6
Frequent Visitor

‎09-17-2024 05:53 AM

Hi,

I suppose the department table also has a relation to that other fact table, otherwise there wouldnt be a problem.

 

So you could create a second copy of that fact table, and based on that copied table you can calculate the measure. Make sure to NOT connect that copied table. The the RLS should apply to the original table, but not to the copied one. You can create a copy as a calculated table like this:

Table_Copy = Addcolumns('OriginalTable', add here the columns you need)

 

Message 2 of 6
227 Views
0
CatoD
Helper I
Helper I
In response to Darui6

‎09-20-2024 07:36 AM

Thanks for an answer

 

Unfortunately it won't work in my situation, because, the data in fact table has to be connected to dimension of department.

So if visualisation of fact table uses column from dimension 'department', which is connected to RLS table, it won't work.

Message 3 of 6
182 Views
0

Helpful resources

Announcements
Las Vegas 2025

Join us at the Microsoft Fabric Community Conference

March 31 - April 2, 2025, in Las Vegas, Nevada. Use code MSCUST for a $150 discount!

Dec Fabric Community Survey

We want your feedback!

Your insights matter. That’s why we created a quick survey to learn about your experience finding answers to technical questions.

ArunFabCon

Microsoft Fabric Community Conference 2025

Arun Ulag shares exciting details about the Microsoft Fabric Conference 2025, which will be held in Las Vegas, NV.

December 2024

A Year in Review - December 2024

Find out what content was popular in the Fabric community during 2024.

View All