Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

View all the Fabric Data Days sessions on demand. View schedule

Reply
_chris_
Helper III
Helper III

RLS question

‎04-06-2024 12:30 AM

Hi,

 

I need an RLS expression which I want to assign to a table and which has these rules:

 

Condition 1: [Field A] = "blabla"

OR

Condition 2: [CostCenter] = ...

 

 

Condition 2 is hard for me to even explain:

 

1. Lookup the PersonnelID of the USERPRINCIPAL. For this, I have the code:

LOOKUPVALUE(dimEmployee[StaffId],  dimEmployee[EMail], CONCATENATE(LEFT(USERPRINCIPALNAME(), FIND("@", USERPRINCIPALNAME())), "mydomain.de"))
2. Now with the StaffId lookup another table which has the access rights for StaffId towards CostCensters
 
StaffId, CostCenter
 
One StaffId can have the right to access the data of multiple cost centers.
 
Thx for you help
 
Christian
 

 

 

Labels:
Message 1 of 5
797 Views
0
1 ACCEPTED SOLUTION
AnalyticsWizard
Solution Supplier
Solution Supplier

‎04-07-2024 01:05 AM

@_chris_ 

 

To implement the Row-Level Security (RLS) with the conditions you’ve mentioned, you can use the following DAX expression:

[Field A] = "blabla" || 
LOOKUPVALUE(
    dimAccessRights[CostCenter], 
    dimAccessRights[StaffId], 
    LOOKUPVALUE(
        dimEmployee[StaffId],  
        dimEmployee[EMail], 
        CONCATENATE(LEFT(USERPRINCIPALNAME(), FIND("@", USERPRINCIPALNAME())), "mydomain.de")
    )
) = [CostCenter]

This expression checks if Field A is “blabla” or if the CostCenter associated with the StaffId (which is looked up using the USERPRINCIPALNAME) matches the CostCenter in the current row of the table.

Please replace dimAccessRights with the actual name of your access rights table. Also, ensure that the relationships between the tables are correctly set up in your data model.

Remember, RLS filters are applied at the row level and are always enforced in the context of the user viewing the report. Therefore, the data returned by this expression will be different for each user based on their USERPRINCIPALNAME.

I hope this helps! Let me know if you have any other questions. 😊

View solution in original post

Message 4 of 5
739 Views
4 REPLIES 4
AnalyticsWizard
Solution Supplier
Solution Supplier

‎04-07-2024 01:05 AM

@_chris_ 

 

To implement the Row-Level Security (RLS) with the conditions you’ve mentioned, you can use the following DAX expression:

[Field A] = "blabla" || 
LOOKUPVALUE(
    dimAccessRights[CostCenter], 
    dimAccessRights[StaffId], 
    LOOKUPVALUE(
        dimEmployee[StaffId],  
        dimEmployee[EMail], 
        CONCATENATE(LEFT(USERPRINCIPALNAME(), FIND("@", USERPRINCIPALNAME())), "mydomain.de")
    )
) = [CostCenter]

This expression checks if Field A is “blabla” or if the CostCenter associated with the StaffId (which is looked up using the USERPRINCIPALNAME) matches the CostCenter in the current row of the table.

Please replace dimAccessRights with the actual name of your access rights table. Also, ensure that the relationships between the tables are correctly set up in your data model.

Remember, RLS filters are applied at the row level and are always enforced in the context of the user viewing the report. Therefore, the data returned by this expression will be different for each user based on their USERPRINCIPALNAME.

I hope this helps! Let me know if you have any other questions. 😊

Message 4 of 5
740 Views
_chris_
Helper III
Helper III
In response to AnalyticsWizard

‎04-07-2024 01:24 AM

Hi,

 

I am super happy, because you really understood what I need and it works during the first attempt (Ahem, I have to admit that I got an error first and needed to change one relation).

 

Thanks a lot and have a great sunday!

 

Christian

 

P.S.: I will try to analyze what you did so that in addition to a solution I also will learn something 😉

Message 5 of 5
737 Views
0
Wilson_
Super User
Super User

‎04-06-2024 03:55 PM

Hi Chris,


Can you share what your data model looks like? That's a fairly important piece of the puzzle when talking about row level security.




Did I answer your question? Mark my post as a solution!

Proud to be a Super User!



Message 2 of 5
762 Views
0
_chris_
Helper III
Helper III
In response to Wilson_

‎04-06-2024 11:44 PM

Hi Wilson, Thanks for getting back to me.

 

At the moment, it works like this:

 

The RLS formula is for the FilterUser table: 

[PersonalId]=LOOKUPVALUE(dimMitarbeiter[PersonalId],  dimMitarbeiter[EMail], CONCATENATE(LEFT(USERPRINCIPALNAME(), FIND("@", USERPRINCIPALNAME())), "xxx.de"))
 
This table filters the dimKstRechte table. Here I have multiple line per employee saying for an employee which cost centers he is allowed to see.
 
This table filters the cost center table which finally filters the actual fact table holding the real data.
 
This works since years.
 
Now I have a new requirement: Certain records of the fact table should be seen by everyone. This new rule can be easily describend with [KstAuswertung1]="bla".
 
This could be achieved by appending many rows per employee to the dimKstRechte table, because also the row for the new criteria do have a certain cost center. But that would be too much work and is not easy to maintain.
 
So my idea is not to use this filter chain anymore but to directly put an RLS formula to the fact table.
 
I hope you can understand my way of thinking and help me.
 
Thx, Christian 
 

_chris__0-1712472228456.png

 

Message 3 of 5
747 Views
0

Helpful resources

Announcements
November Power BI Update Carousel

Power BI Monthly Update - November 2025

Check out the November 2025 Power BI update to learn about new features.

Fabric Data Days Carousel

Fabric Data Days

Advance your Data & AI career with 50 days of live learning, contests, hands-on challenges, study groups & certifications and more!

FabCon Atlanta 2026 carousel

FabCon Atlanta 2026

Join us at FabCon Atlanta, March 16-20, for the ultimate Fabric, Power BI, AI and SQL community-led event. Save $200 with code FABCOMM.

View All
Top Solution Authors
View All
Top Kudoed Authors
View All