Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Get inspired! Check out the entries from the Power BI DataViz World Championships preliminary rounds and give kudos to your favorites. View the vizzies.

Reply
raschaoot
Frequent Visitor

RLS to filter ONLY the dimension table

‎02-15-2025 12:13 AM

I have a question that to me seems like a common use case, but after a few hours of googling and endless youtube videos I somehow have not found the answer.

 

I have a semantic model (Microsoft Fabric, Direct Lake, fixed identity) with a few dozen tables around a central fact table with performance data (revenues, sales, hours, etc). Pretty standard dimensions like clients, opportunities, projects, etc. Key point is that all this performance data is in principe public to everyone with access to the model.


Exception is that one of the dimension tables is itself a mapping table (dubbed "- HR reporting" below) with identifiers that in turn link to other dimension tables with people data. Some of these are public - viewable to all, e.g. department or function title - and others are restricted to the reporting line - e.g. contract info, individual targets or salaries - or even to just HR (e.g. privacy sensitive data). Illustrated below.

raschaoot_1-1739606805742.png

 

How do I setup RLS in such a way that it filters the private dimension tables only, but does not filter the "- HR reporting" mapping table? I still want the people and their public data to show up, just not not their private info.

The only case I found working is when cardinality of a relationship is N:N, in which case I can change the filter direction to the reverse. But I'm not sure this is what I want either, as this wouldn't allow a line manager to select a dimension in that table to see the performance of just people that satisfy the selected criteria.


Ideally I'd avoid making duplicate semantic models, because there is another two dozen tables and corresponding measures of which a large part would have to be duplicated and maintained. In the end it's all about slicing performance data, in which managers have more visibility for their own reporting line.

 

So... is there no RLS option "do not cascade to relationships" or something along those lines? Or do I need a different setup to achieve what I need? 

 

Hope you can help - thanks 🙂

Labels:
Message 1 of 7
252 Views
0
6 REPLIES 6
danextian
Super User
Super User

‎02-15-2025 01:50 AM

Hi @raschaoot 

When RLS is applied to a dimension that has relationships flowing to other tables, it will also extend to those other tables so you cannot restrict it just to that dimension table alone.





Dane Belarmino | Microsoft MVP | Proud to be a Super User!

Did I answer your question? Mark my post as a solution!


"Tell me and I’ll forget; show me and I may remember; involve me and I’ll understand."
Need Power BI consultation, get in touch with me on LinkedIn or hire me on UpWork.
Learn with me on YouTube @DAXJutsu or follow my page on Facebook @DAXJutsuPBI.
Message 7 of 7
206 Views
nilendraFabric
Community Champion
Community Champion

‎02-15-2025 01:46 AM

Hello @raschaoot 

 

The core challenge is that in Microsoft Fabric (as in Power BI), row‐level security filters are applied across active relationships in your model. This means that when you define a filter on a sensitive or “private” dimension table, that filter typically propagates to related tables—including your mapping (“– HR reporting”) table—without a built‐in option to stop the cascade.

 

Rather than applying RLS on the entire table, you might consider creating DAX measures that test user permissions and selectively return values. This approach can bypass unwanted filter propagation

if this is helpful please give kudos and accept the answer 

Message 2 of 7
208 Views
0
raschaoot
Frequent Visitor
In response to nilendraFabric

‎02-15-2025 03:50 AM

Thanks for the response. At least that confirms my suspicions, otherwise there would have been a "don't cascade security filter" option in the relationship settings.

 

Let's say a user pulls in contract type (a restricted field) - normal business user should see blank dimensions but still the total, whereas a manager should see the split for own reporting line and a blank for the rest. I can't use DAX to affect the dimension values, correct (as calculated columns are not supported in Direct Lake - but in any case there would be too many)? Or, if I'm mistaken, can you point me to an example?

 

If this not possible, I suppose splitting the models is the only way. 

 

Thanks again!

Message 3 of 7
178 Views
nilendraFabric
Community Champion
Community Champion
In response to raschaoot

‎02-15-2025 04:31 AM
  • you are correct that you cannot use DAX-calculated columns in Direct Lake mode. This is because calculated columns are not supported in Direct Lake semantic models due to performance and architectural constraints

Just a thought 

 

if possible Move the logic for restricted fields (e.g., contract type visibility) to your data warehouse or ETL pipeline. Create a column that pre-defines whether a user sees “blank” or actual values based on their role.
• For example:
• Add a column like `VisibleContractType` in your source table that outputs either the contract type (for managers) or `NULL`/blank (for normal users).
• This avoids reliance on calculated columns in Direct Lake while ensuring the logic is handled efficiently.

 

if this helps please accept the answer and give kudos

Message 4 of 7
156 Views
raschaoot
Frequent Visitor
In response to nilendraFabric

‎02-16-2025 10:09 PM

Hey, thanks for chipping in again. I'm not sure I follow.

 

I have lots of users, each with access to rows depending on another mapping table (the reporting line, not yet visualized), and the pipeline itself is obviously not user-aware. Would your suggestion involve that I duplicate the data for every possibility basically?

Message 5 of 7
89 Views
0
v-xinc-msft
Community Support
Community Support
In response to raschaoot

‎03-04-2025 06:57 PM

Hi @raschaoot ,

nilendraFabric's suggestion was to move the logic for restricted fields into a data warehouse or ETL pipeline and create a column to predefine whether a user sees actual or blank values based on user role. This is a great way to avoid dependency on calculated columns in Direct Lake while ensuring the logic is handled efficiently. This suggestion doesn't necessarily mean you need to replicate the data for each possibility.

You could create a mapping table in your data warehouse or ETL pipeline that contains user roles and the types of contracts they can access. This way, you can dynamically filter data based on user roles at query time, without having to replicate the data for each possibility.

Or create views in the data warehouse to filter data based on user roles. Views can dynamically generate datasets without actually copying the data.

Also try pre-processing the data based on user roles during the ETL process and storing the results in a new table. This ensures that the data has been filtered based on user roles when it is loaded into the data warehouse.

Best regards,

Lucy Chen

Message 6 of 7
32 Views
0

Helpful resources

Announcements
Las Vegas 2025

Join us at the Microsoft Fabric Community Conference

March 31 - April 2, 2025, in Las Vegas, Nevada. Use code MSCUST for a $150 discount!

FebPBI_Carousel

Power BI Monthly Update - February 2025

Check out the February 2025 Power BI update to learn about new features.

Feb2025 NL Carousel

Fabric Community Update - February 2025

Find out what's new and trending in the Fabric community.

View All
Top Kudoed Authors
View All