Skip to main content
cancel
Showing results for 
Search instead for 
Did you mean: 

July 7 - July 17 | Round 2 of the Power BI Dataviz World Championships. Don't miss your chance! Learn more

Reply
pgoum
Frequent Visitor

Row Level Security single role

Hey all!

 

I have a report concerning sales and salesmen. There exist 3 roles let's say depending on which every user can see different rows from the sales table. If a user has flag=0 or null then he/she can view everything. Otherwise we look at Items table and examine whether that user appears there. If yes then the user can view the rows that have item_group_code & item_subgroup_code that apply. Alternatively we look at the Customers table and if he/she appears there the user can view his/her customers sales only. 

The desired RLS case is to create a single role and assign all users there so that we don't have to switch from one role to another manually.

So far I have tried this condition on the sales table but it doesn't work.

 

IF (
    [user_logged_condition] = "View All",
    1 = 1,
    IF (
        [user_logged_condition] = "Items",
        Sales_Fact_View[key]
            = LOOKUPVALUE ( items_access[key_sales], items_access[email], [user_logged] ),
        IF (
            [user_logged_condition] = "Customers",
            Sales_Fact_View[customer]
                = LOOKUPVALUE (
                    customers_access[cust_code],
                    customers_access[email], [user_logged]
                ),
            1 = 0
        )
    )
)

 

I also share the pbix file I have created: RLS_oneRole.pbix 

 

Thanks,

Panos

1 ACCEPTED SOLUTION
d_gosbell
Super User
Super User

So your issue is that in both of your LOOKUPVALUE expressions that multiple values could be returned and this function will throw and error in this case. 

 

You could work around this as follows by adding a second lookup condition for the key_sales or cust_code respectively:

IF (
    [user_logged_condition] = "View All",
    1 = 1,
    IF (
        [user_logged_condition] = "Items",
        Sales_Fact_View[key]
            = LOOKUPVALUE ( items_access[key_sales]
                   , items_access[email], [user_logged] 
                   . items_access[key_sales], Sales_Fact_View[key]
              ),
        IF (
            [user_logged_condition] = "Customers",
            Sales_Fact_View[customer]
                = LOOKUPVALUE (
                    customers_access[cust_code],
                    customers_access[email], [user_logged],
                    customers_access[cust_code], Sales_Fact_View[customer]
                ),
            1 = 0
        )
    )
)

 

 But from a performance perpective I think a better approach would be to have 3 roles then setup 3 security groups and put one group in each role then add users to one of those groups. That way your role expressions can be simple (and therefore faster), they can be put on the smaller dim tables (and therefore will be faster) and you don't need to edit the roles, you just put users in the different security groups.

View solution in original post

1 REPLY 1
d_gosbell
Super User
Super User

So your issue is that in both of your LOOKUPVALUE expressions that multiple values could be returned and this function will throw and error in this case. 

 

You could work around this as follows by adding a second lookup condition for the key_sales or cust_code respectively:

IF (
    [user_logged_condition] = "View All",
    1 = 1,
    IF (
        [user_logged_condition] = "Items",
        Sales_Fact_View[key]
            = LOOKUPVALUE ( items_access[key_sales]
                   , items_access[email], [user_logged] 
                   . items_access[key_sales], Sales_Fact_View[key]
              ),
        IF (
            [user_logged_condition] = "Customers",
            Sales_Fact_View[customer]
                = LOOKUPVALUE (
                    customers_access[cust_code],
                    customers_access[email], [user_logged],
                    customers_access[cust_code], Sales_Fact_View[customer]
                ),
            1 = 0
        )
    )
)

 

 But from a performance perpective I think a better approach would be to have 3 roles then setup 3 security groups and put one group in each role then add users to one of those groups. That way your role expressions can be simple (and therefore faster), they can be put on the smaller dim tables (and therefore will be faster) and you don't need to edit the roles, you just put users in the different security groups.

Helpful resources

Announcements
FabCon and SQLCon Barcelona 2026

FabCon & SQLCon – Barcelona 2026

Join us in Barcelona for FabCon and SQLCon, the Fabric, Power BI, SQL, and AI community event. Save €200 with code FABCMTY200.

60 days of Data Days Carousel

Data Days 2026

Join Data Days 2026: 60 days of free live/on-demand sessions, challenges, study groups, and certification opportunities.

Power BI DataViz World Championships carousel

Power BI DataViz World Championships - June 2026

A new Power BI DataViz World Championship is coming this June! Don't miss out on submitting your entry.

Top Solution Authors