z-rising
Frequent Visitor

RLS Security with 2 categories / restrictions

Currently I have a working report with RLS. I am using emails for the security for users accessing through Power BI Service. My RLS Table has names, divisions they can have access to, and emails for the columns, and flows through a division table to the master data - when someone logs on, they are allowed to see the divisions that are in the column next to their email in the RLS linked table (Excel file for ease of update). If they have multiple divisions they can have access to, their name/email will appear on multiple rows, one for each division they should be able to access. Works perfectly currently.

 

I have been asked to also restrict data from a specific account - right now a user can see all accounts in a division they have access to. My guess on how to build this would be to create an account table similar to the division table, as well as add another column in the RLS table to link to the account table and have the RLS flow through it to the main data - if a user does not meet both, they will see nothing.

 

My concern is that I have been asked to exclude 1 account from 4 divisions out of 11, and there are 114 accounts, and about 50 users.  If I have to replicate a row for every user for every account, the RLS file will become unmanageable.

 

Is there an easier way to restrict one account from 4 divisions in RLS?

3 REPLIES
z-rising
Frequent Visitor

That would be amazing.

 

I've updated the RLS table as you suggested, so that users/emails in the 4 divisions have the account name in a 4th column called "Excluded Accounts"

 

Is this RLS DAX code for the RLS filter in Manage Roles after 1 [Email] == USERPRINCIPALNAME()?

aduguid
Super User

You could build it out as an excluded account. 

 

RLS Table Example:

| Email | Division | ExcludedAccount |
|---|---|---|
| user1@example.com | Division1 | AccountA |
| user1@example.com | Division2 | |
| user2@example.com | Division3 | AccountA |
| user2@example.com | Division4 | |
| user3@example.com | Division1 | |

 

RLS DAX Filter

 

[Division] IN VALUES(RLS[Division]) &&
(
    ISBLANK(RLS[ExcludedAccount]) ||
    NOT ([Account] = RLS[ExcludedAccount] && [Division] IN {"Division1", "Division2", "Division3", "Division4"})
)

 

 

I am getting the error: The syntax for '[Division]' is incorrect

 

Here is what I have in the Manage Security Roles DAX editor for the role I created on the RLS table

 

[Email] == USERPRINCIPALNAME()
[Division] IN VALUES (RLS[Division]) &&
(
    ISBLANK(RLS[ExcludedAccount]) ||
    NOT ([Account Name] = RLS[ExcludedAccount] && [Division] in {"North America", "South America", "Europe", "Asia"}
    )
 
I updated my RLS table to have 4 columns - "Username" "Division" "Email" "Excluded Account"
 
The RLS table has "Store Losses" in the ExcludedAccount column for every row that has either North America, South America, Europe, or Asia in the Division column.
 
The first line of code is obviously the original row level security to limit access based on email matching division (some users are repeated with more than one division)
 
The two data tables that everything comes from use the columns "Account Name" for the first and "Account Descrpition" for the second that I am trying to reference against, so I may need to do the code twice once it's working.
 
The only other thing I can think of is that the table the RLS flows through into the two data tables is named "Division II" because of replication from other table relationships, I just made a new one specifically for the RLS purpose.
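
The rule this thread is working toward (a data row is visible only when one of the user's RLS rows matches its division and does not name its account as excluded) can be modeled outside Power BI to check the Excel-maintained RLS table before publishing. This is an added Python example, not code from any of the posts; the sample rows are constructed, "Africa" is a placeholder for a division without the exclusion, and case-insensitive matching is an assumption of the model.

```python
# Constructed sample data; columns follow the thread's RLS table.
# None models a blank ExcludedAccount cell; "Africa" is a placeholder division.
RLS_ROWS = [
    ("user1@example.com", "North America", "Store Losses"),
    ("user1@example.com", "Africa", None),
    ("user2@example.com", "Europe", "Store Losses"),
    ("user3@example.com", "Africa", None),
]
# Constructed fact rows: (division, account name)
DATA_ROWS = [
    ("North America", "Store Losses"), ("North America", "Payroll"),
    ("Africa", "Store Losses"), ("Europe", "Store Losses"), ("Europe", "Payroll"),
]

def _norm(value):
    """Trim and case-fold a cell; empty or missing cells become None (blank)."""
    return (value or "").strip().casefold() or None

def row_visible(email, division, account, rls_rows=RLS_ROWS):
    """True when one RLS row for this user grants the division and does not
    name this account as excluded. Unknown or blank users see nothing."""
    email, division, account = _norm(email), _norm(division), _norm(account)
    if email is None or division is None:
        return False
    for r_email, r_div, r_excl in rls_rows:
        if (_norm(r_email), _norm(r_div)) != (email, division):
            continue
        if _norm(r_excl) is None or _norm(r_excl) != account:
            return True
    return False

def visible_rows(email, data_rows=DATA_ROWS, rls_rows=RLS_ROWS):
    """Fact rows the user would see under the rule above."""
    return [r for r in data_rows if row_visible(email, r[0], r[1], rls_rows)]

def conflicting_grants(rls_rows=RLS_ROWS):
    """(email, division) pairs whose rows disagree on ExcludedAccount.
    Any disagreeing row re-grants the account another row excludes."""
    seen = {}
    for r_email, r_div, r_excl in rls_rows:
        key = (_norm(r_email), _norm(r_div))
        if None not in key:
            seen.setdefault(key, set()).add(_norm(r_excl))
    return sorted(key for key, excl in seen.items() if len(excl) > 1)
```

Running `conflicting_grants` over the real RLS rows flags users listed twice for the same division with different exclusion cells, which is the easiest way for an exclusion to be undone by a later edit to the spreadsheet.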
