Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

The Power BI Data Visualization World Championships is back! Get ahead of the game and start preparing now! Learn more

Reply
IzBell
Frequent Visitor

Row Level Security based on organisation structure - multiple conditions

‎03-09-2025 05:29 PM

Hi Power BI Community,

 

I need some guidance on setting up Row-Level Security. I have two tables as below.
RLS table:

Employee IDEmailView All?Org UnitTeamDepartmentCountryOrg Unit - ExclusionTeam - ExclusionDepartment - ExclusionFunction - ExclusionRole - Exclusion
123a@x.com BrandMarketing Canada     
123a@x.com BrandMarketing USA     
456b@x.comY         
789c@x.com BrandMarketing Canada   HRHR Manager
789c@x.com BrandMarketing USA   HRHR Manager
345d@x.com InnovationTechAI      
578e@x.com InnovationTechAI    HRHR Manager
255f@x.com InnovationTech    AI  
190g@x.com DCRetail Singapore   HRHR Manager
285h@x.com DC    Retail HRHR Manager

 


Data table:

Employee IDAmountOrg UnitTeamDepartmentCountryFunctionRole
101100BrandMarketingCommCanadaHRHR Manager
102100BrandMarketingCommUSAFinanceFinance Manager
103100BrandMarketingCommSingaporeITIT Manager
104100InnovationTechAICanadaHRHR Manager
105100InnovationTechAIUSAFinanceFinance Manager
106100InnovationTechAISingaporeITIT Manager
107100DCRetailStoreCanadaHRHR Manager
108100DCRetailStoreUSAFinanceFinance Manager
109100DCRetailStoreSingaporeITIT Manager
110100DCCIPackagingCanadaHRHR Manager
111100DCCIPackagingUSAFinanceFinance Manager
456100DCCIPackagingSingaporeITIT Manager

 

 

Here's what I want to achieve with RLS:

  1. Users with the "View All?" flag set to "Y" should have access to all data.
  2. Users with specific columns filled in should only see the corresponding data, except when the "Exclusion" column is filled.
  3. Users should not be able to see their own records.
  4. Users who do not meet any of these conditions should not see any data.

Your help would be much appreciated.

 

Many thanks,

IzBell

Labels:
Message 1 of 7
528 Views
6 REPLIES 6
Anonymous
Not applicable

‎03-11-2025 11:59 PM

Hi @IzBell ,

Please try the formula below:

VAR CurrentUser = USERPRINCIPALNAME()

 // Read the current user’s values from the RLS table
 VAR ViewAllFlag =
  CALCULATE( MAX( 'RLS'[View All?] ),
   FILTER( 'RLS', 'RLS'[Email] = CurrentUser )
  )

 VAR RLS_EmployeeID =
  CALCULATE( MAX( 'RLS'[Employee ID] ),
   FILTER( 'RLS', 'RLS'[Email] = CurrentUser )
  )

 VAR AllowedOrgUnit =
  CALCULATE( MAX( 'RLS'[Org Unit] ),
   FILTER( 'RLS', 'RLS'[Email] = CurrentUser )
  )
 VAR ExcludedOrgUnit =
  CALCULATE( MAX( 'RLS'[Org Unit - Exclusion] ),
   FILTER( 'RLS', 'RLS'[Email] = CurrentUser )
  )

 VAR AllowedTeam =
  CALCULATE( MAX( 'RLS'[Team] ),
   FILTER( 'RLS', 'RLS'[Email] = CurrentUser )
  )
 VAR ExcludedTeam =
  CALCULATE( MAX( 'RLS'[Team - Exclusion] ),
   FILTER( 'RLS', 'RLS'[Email] = CurrentUser )
  )

 VAR AllowedDepartment =
  CALCULATE( MAX( 'RLS'[Department] ),
   FILTER( 'RLS', 'RLS'[Email] = CurrentUser )
  )
 VAR ExcludedDepartment =
  CALCULATE( MAX( 'RLS'[Department - Exclusion] ),
   FILTER( 'RLS', 'RLS'[Email] = CurrentUser )
  )

 // (Similarly do for Function and Role if needed)
 VAR ExcludedFunction =
  CALCULATE( MAX( 'RLS'[Function - Exclusion] ),
   FILTER( 'RLS', 'RLS'[Email] = CurrentUser )
  )
 VAR ExcludedRole =
  CALCULATE( MAX( 'RLS'[Role - Exclusion] ),
   FILTER( 'RLS', 'RLS'[Email] = CurrentUser )
  )

 // Build the allowed conditions for dimension matches.
 // If an allowed value is provided then only matching rows will be visible.
 // Also, if an exclusion value exists, rows with that value get filtered out.
 VAR OrgUnitCondition =
  ( ISBLANK( AllowedOrgUnit ) || 'Data'[Org Unit] = AllowedOrgUnit )
   && ( ISBLANK( ExcludedOrgUnit ) || 'Data'[Org Unit] <> ExcludedOrgUnit )

 VAR TeamCondition =
  ( ISBLANK( AllowedTeam ) || 'Data'[Team] = AllowedTeam )
   && ( ISBLANK( ExcludedTeam ) || 'Data'[Team] <> ExcludedTeam )

 VAR DepartmentCondition =
  ( ISBLANK( AllowedDepartment ) || 'Data'[Department] = AllowedDepartment )
   && ( ISBLANK( ExcludedDepartment ) || 'Data'[Department] <> ExcludedDepartment )

 VAR FunctionAndRoleExclusion =
  ( ISBLANK( ExcludedFunction ) || 'Data'[Function] <> ExcludedFunction )
   && ( ISBLANK( ExcludedRole ) || 'Data'[Role] <> ExcludedRole )

 RETURN
  // A row is visible if either the user is a “view all” user,
  // OR if all the matching conditions are met,
  // AND the Data row does not belong to the current user.
  ( ViewAllFlag = "Y" ||
   ( OrgUnitCondition &&
    TeamCondition &&
    DepartmentCondition &&
    FunctionAndRoleExclusion )
  )
  && ('Data'[Employee ID] <> RLS_EmployeeID)

Best Regards

Message 2 of 7
484 Views
0
IzBell
Frequent Visitor
In response to Anonymous

‎03-12-2025 02:53 PM

Hi @Anonymous 

Thank you very much for your reply.

The formula is very close, but two users are not getting the expected results.


For a@x.com

  • it picks up 3 records rather than 2.

IzBell_0-1741815834493.png

  • Expected result - it should not include Singapore.

IzBell_1-1741815871902.png

 

For h@x.com

  • it picks up 2 records rather than 5.

IzBell_2-1741815980143.png

  • Expected result - it should only exclude record where DC + Result + HR + HR Manager.

IzBell_3-1741816181947.png


Kind regards,

IzBell

Message 3 of 7
473 Views
0
v-aatheeque
Community Support
Community Support
In response to IzBell

‎05-04-2025 07:46 AM

Hi @IzBell ,

For the above scenario for  a@x.com

  • This was happening because your email has multiple access entries in the RLS table (e.g., one for Canada and one for USA). However, the previous rule was only picking one row instead of combining them.

h@x.com seeing 2 records instead of 5

  • This user had several exclusion conditions like Team, Org Unit, Role, etc. Earlier, these were getting mixed together, which caused valid rows to be hidden.
  • Ensure that each exclusion rule is treated separately data is only excluded if it matches all conditions from any one exclusion row, which is the correct behavior.

Hope this helps !

If this post was helpful, please consider marking Accept as solution to assist other members in finding it more easily.

If you continue to face issues, feel free to reach out to us for further assistance!

 



Message 4 of 7
402 Views
0
v-aatheeque
Community Support
Community Support
In response to v-aatheeque

‎05-08-2025 04:18 AM

Hi @IzBell ,

We haven’t heard back from you regarding our previous response and wanted to check if your issue has been resolved.

If it has, please consider clicking “Accept Answer” and “Yes” if you found the response helpful.
If you still have any questions or need further assistance, feel free to let us know — we're happy to help!

Thank you!

 

Message 5 of 7
387 Views
0
v-aatheeque
Community Support
Community Support
In response to v-aatheeque

‎05-18-2025 10:53 AM

Hi @IzBell ,

Hi @nanacobsbs ,

Has your issue been resolved? If a community member's response addressed your query, please consider marking it as Accepted Answer and click Yes if you found it helpful.

If you have any further questions, feel free to reach out.
Thank you for being a valued member of the Microsoft Fabric Community Forum!

Message 6 of 7
376 Views
0
v-aatheeque
Community Support
Community Support
In response to v-aatheeque

‎06-07-2025 08:01 AM

Hi @IzBell 

just checking in on your query regarding Row-Level-Security-based-on-organisation-structure-multiple.

If his suggestion helped resolve the issue, please consider marking it as the Accepted Answer, as it can be useful to others who may face a similar situation.

Should you still need assistance or have further questions, feel free to reply with more details — we're here to help.

 

Thanks once again for being part of the Microsoft Fabric Community!

Message 7 of 7
356 Views
0

Helpful resources

Announcements
Power BI DataViz World Championships

Power BI Dataviz World Championships

The Power BI Data Visualization World Championships is back! Get ahead of the game and start preparing now!

December 2025 Power BI Update Carousel

Power BI Monthly Update - December 2025

Check out the December 2025 Power BI Holiday Recap!

FabCon Atlanta 2026 carousel

FabCon Atlanta 2026

Join us at FabCon Atlanta, March 16-20, for the ultimate Fabric, Power BI, AI and SQL community-led event. Save $200 with code FABCOMM.

View All