Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Join the FabCon + SQLCon recap series. Up next: Power BI, Real-Time Intelligence, IQ and AI, and Data Factory take center stage. All sessions are available on-demand after the live show. Register now

Reply
SebV
Advocate I
Advocate I

Transform static RLS to dynamic RLS dealing with many to many relations

‎08-31-2024 02:24 PM

Hi,

I try to make a static RLS dynamic, but can't sort out the DAX needed.
The datamodel has at table for users and each ueser is linked to a single departmemnt.
Each departmant is entitle to access certain area's, some om on the level of Counties, some on the level of Districts.

 

1. Scherm­afbeelding 2024-08-31 om 22.24.45.jpg

 

In the original situation static RLS defined the specific counties and districts for each department. Due to increasing number of roles there is a wish to make this dynamic.

 

2a. Scherm­afbeelding 2024-08-31 om 22.23.48.jpg

 

 

One of the problems is that the filter direction in the one to many relationship between Users and Departments is from Departments to Users. Therefore restrictin the User table with E-mail == USERPRINCIPALNAME() won't filter down the Departments table.

I tried different approaches to solve this:


Approach 1: the combination of DAX in RLS:
Table Users: [E-mail] == USERPRINCIPALNAME()
Table Departments: [Department] IN VALUES(Users[Department])
Table Departments - Access shoudl be filtered due to its relationship with table Departments
Table Areas: [County-id] IN( VALUES('Department - access areas'[Access area])) || [District-id] IN( VALUES('Department - access areas'[Access area]))

Unfortunately, this doesn't work.

 

Approach 2:
Restrict table Departments by: [Department] == LOOKUPVALUE(Users[Department], Users[E-mail], USERPRINCIPALNAME())
Table Areas: [County-id] IN( VALUES('Department - access areas'[Access area])) || [District-id] IN( VALUES('Department - access areas'[Access area]))

Doesn't work either

 

Approach 3:

Restrict table Departments by: [Department] == LOOKUPVALUE(Users[Department], Users[E-mail], USERPRINCIPALNAME())
Table Areas:
[County-id] IN( CALCULATETABLE( VALUES('Department - access areas'[Access area]), 'Department - access areas'[Department] = SELECTEDVALUE(Departments[Department]))) ||
[District-id] IN( CALCULATETABLE( VALUES('Department - access areas'[Access area]), 'Department - access areas'[Department] = SELECTEDVALUE(Departments[Department])))

Also doesn't work.

 

Anyone who has some valuable suggestions?

PBIX attached:

https://www.dropbox.com/scl/fo/a5fitksgp9hm4ycvf9gee/AG5QR3-1nKT8kaoPuBL1p7A?rlkey=ui12vthaw4f3mwdv2... 

Labels:
Message 1 of 2
336 Views
0
1 REPLY 1
lbendlin
Super User
Super User

‎08-31-2024 05:05 PM

That's not what dynamic RLS is about.  In Dynamic RLS you maintain a reference table that lists exactly which artifacts a user has access to. That reference table is controlled by USERPRINCIPALNAME, and in turn controls the rest of the data model.

Message 2 of 2
288 Views
0

Helpful resources

Announcements
April Power BI Update Carousel

Power BI Monthly Update - April 2026

Check out the April 2026 Power BI update to learn about new features.

New to Fabric survey Carousel

New to Fabric Survey

If you have recently started exploring Fabric, we'd love to hear how it's going. Your feedback can help with product improvements.

Power BI DataViz World Championships carousel

Power BI DataViz World Championships - June 2026

A new Power BI DataViz World Championship is coming this June! Don't miss out on submitting your entry.

FabCon and SQLCon Highlights Carousel

FabCon &SQLCon Highlights

Experience the highlights from FabCon & SQLCon, available live and on-demand starting April 14th.

View All