Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Calling all Data Engineers! Fabric Data Engineer (Exam DP-700) live sessions are back! Starting October 16th. Sign up.

Reply
akhatri
Helper I
Helper I

Row Level Security for company hierarchy

‎08-05-2020 03:24 PM

Hi 

 

I am trying to implement row level security but for it to work based on the Geo, Region and District (GRD) they look after and for Senior VP's for them to have open access to all data.

 

I have a tab which contains all the GRD structure which is used to filter all data, and a table with all Users and the GRD they should have access to.

 

Structure.JPG

 

SEC TABLE

User Email | Key

A | EMEANorthern Region

B | EMEA

C | EMEANorthern RegionUK & Ireland

D | 

 

GRD TABLE

Geo | Region | District | Key

EMEA | Northern Region | | EMEANorthern Region

EMEA | Northern Region | UK & Ireland | EMEANorthern RegionUK & Ireland

EMEA | | | EMEA

 

I want User A to see Northern Region and all district below so in this case UK & Ireland

I want User B to all of EMEA data including all Regions and Districts

I want User C to only see data for the district of UK & Ireland

I want User D to see all Geos, Regions and Districts

 

Is this possible?

 

Thanks

Atish

Labels:
Message 1 of 5
999 Views
0
1 ACCEPTED SOLUTION
v-zhenbw-msft
Community Support
Community Support

‎08-05-2020 11:37 PM

Hi @akhatri ,

 

For Dynamic Row Level Security, maybe you can refer the following blogs.

 

https://www.blue-granite.com/blog/using-dynamic-row-level-security-with-organizational-hierarchies

https://radacad.com/dynamic-row-level-security-with-organizational-hierarchy-power-bi

https://radacad.com/dynamic-row-level-security-in-power-bi-with-organizational-hierarchy-and-multipl...

 

In addition, RLS has some limitations, please refer this document.

 

https://docs.microsoft.com/en-us/power-bi/admin/service-admin-rls#manage-security-on-your-model

 

BTW, RLS will not work if the users have edit access to the report. They will see all the data.

 

Best regards,

 

Community Support Team _ zhenbw

If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.

View solution in original post

Message 5 of 5
923 Views
0
4 REPLIES 4
v-zhenbw-msft
Community Support
Community Support

‎08-05-2020 11:37 PM

Hi @akhatri ,

 

For Dynamic Row Level Security, maybe you can refer the following blogs.

 

https://www.blue-granite.com/blog/using-dynamic-row-level-security-with-organizational-hierarchies

https://radacad.com/dynamic-row-level-security-with-organizational-hierarchy-power-bi

https://radacad.com/dynamic-row-level-security-in-power-bi-with-organizational-hierarchy-and-multipl...

 

In addition, RLS has some limitations, please refer this document.

 

https://docs.microsoft.com/en-us/power-bi/admin/service-admin-rls#manage-security-on-your-model

 

BTW, RLS will not work if the users have edit access to the report. They will see all the data.

 

Best regards,

 

Community Support Team _ zhenbw

If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.

Message 5 of 5
924 Views
0
lbendlin
Super User
Super User

‎08-05-2020 03:50 PM

Are you planning to create a role per key?  And do you have a table that maps email addresses to keys?

Message 2 of 5
968 Views
0
akhatri
Helper I
Helper I
In response to lbendlin

‎08-05-2020 04:48 PM

No I was not planning on doing that, was looking to utilise the email address and userprincipal name method which an option to filter it to the users accesa level.

 

Yes i do have anothet table which just contains just a list of the variations of keys.

Message 3 of 5
960 Views
0
lbendlin
Super User
Super User
In response to akhatri

‎08-05-2020 05:09 PM

At the very minimum you need

 

- one role that contains all users (can use PDLs for membership management)

- a reference table with user email and key. This reference table must sit at the outer edge of the star schema, and must control all its children dimensions and the fact tables downstream via the key

- a DAX rule for the defined role and the reference table that matches the user email to USERPRINCIPALNAME()

 

But that's the bare minimum and does not give you much wiggling room.

Message 4 of 5
948 Views
0

Helpful resources

Announcements
FabCon Global Hackathon Carousel

FabCon Global Hackathon

Join the Fabric FabCon Global Hackathon—running virtually through Nov 3. Open to all skill levels. $10,000 in prizes!

September Power BI Update Carousel

Power BI Monthly Update - September 2025

Check out the September 2025 Power BI update to learn about new features.

FabCon Atlanta 2026 carousel

FabCon Atlanta 2026

Join us at FabCon Atlanta, March 16-20, for the ultimate Fabric, Power BI, AI and SQL community-led event. Save $200 with code FABCOMM.

View All
Top Solution Authors
View All
Top Kudoed Authors
View All