xred11
New Member

Row Level Security conflict with business logic

Hi, New to Power BI and I hope someone can suggest a solution to this problem:

I have 3 tables (see below for sample) and need to implement row level security:

 

BRANCH (branchcode, branchname)

  • 123, branch123
  • 234, branch234
  • 345, branch345

TRANSACTION (branchcode, type, [other stuff...])

  • 123, 1, ...
  • 123, 1, ...
  • 345, 2, ...

USER_BRANCH (user, branchcode)

BRANCH is on the "one" side of 1:* relationships in the model with the other 2

The RLS we want is that user should equal userprincipalname().  We have it working fine if we have a branchcode for the user ([user] = userprincipalname() or something like that), BUT

 

HERE'S THE PROBLEM:

The business logic used in the app states that if a user doesn't have a branchcode (they're blank) then they have access to ALL the branches.  These users would be in a home office that needs to see all transactions no matter what the branch.

 

The only solution I'm seeing is adding every combination of "blank" users for all the branches, but that will add 50,000 records and I am not excited about that.  Does anyone have another solution?

1 ACCEPTED SOLUTION
xred11
New Member

OK, I got it working without getting into groups assigned to multiple roles.

  1. I turned off security filtering in both directions between BRANCH and USER_BRANCH
  2. I added this filter to the role on BRANCH:
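    OR(
        // Blank branchcode row for this user: home-office access to every branch
        CONTAINS(USER_BRANCH, USER_BRANCH[branchcode], "", USER_BRANCH[user], USERPRINCIPALNAME()),
        // Otherwise the user needs a row for the BRANCH row being evaluated
        CONTAINS(USER_BRANCH, USER_BRANCH[branchcode], BRANCH[branchcode], USER_BRANCH[user], USERPRINCIPALNAME())
    )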
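
The role filter above can be checked against an expected access matrix before it is published. The following is an added example, not part of the original post: a Python model of the filter (not DAX), using constructed users and rows, and assuming a blank branchcode is stored as an empty string. It also shows that a user with no USER_BRANCH row at all sees nothing.

```python
# Added example: a Python model of the role filter on BRANCH.
# All rows and user names below are constructed sample data.
BRANCH = [("123", "branch123"), ("234", "branch234"), ("345", "branch345")]
TRANSACTION = [("123", 1), ("123", 1), ("345", 2)]   # (branchcode, type)
USER_BRANCH = [
    ("alice@example.com", "123"),   # one branch
    ("bob@example.com", "123"),
    ("bob@example.com", "345"),     # two branches
    ("hq@example.com", ""),         # blank branchcode: home office
]


def contains(upn, branchcode):
    """Mirror CONTAINS(USER_BRANCH, [branchcode], <value>, [user], <upn>).

    User names are compared case-insensitively, as DAX string
    comparison is by default.
    """
    return any(u.lower() == upn.lower() and b == branchcode
               for u, b in USER_BRANCH)


def visible_branches(upn):
    """Branch codes that pass the OR(...) filter for the signed-in user."""
    return {code for code, _name in BRANCH
            if contains(upn, "") or contains(upn, code)}


def visible_transactions(upn):
    """TRANSACTION rows reachable through the BRANCH 1:* relationship."""
    allowed = visible_branches(upn)
    return [row for row in TRANSACTION if row[0] in allowed]


def access_matrix(users):
    """Map each user to the sorted branch codes they can see."""
    return {u: sorted(visible_branches(u)) for u in users}


if __name__ == "__main__":
    users = ["alice@example.com", "bob@example.com",
             "hq@example.com", "nobody@example.com"]
    for user, branches in access_matrix(users).items():
        print(f"{user:20} branches={branches} "
              f"transactions={len(visible_transactions(user))}")
```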

 


2 REPLIES 2

xred11
New Member

Would this work?  Put the "blank" users in a role/group that doesn't have the filter on that field?
