Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

To celebrate FabCon Vienna, we are offering 50% off select exams. Ends October 3rd. Request your discount now.

Reply
SebV
Frequent Visitor

Transform static RLS to dynamic RLS dealing with many to many relations

‎08-31-2024 02:24 PM

Hi,

I try to make a static RLS dynamic, but can't sort out the DAX needed.
The datamodel has at table for users and each ueser is linked to a single departmemnt.
Each departmant is entitle to access certain area's, some om on the level of Counties, some on the level of Districts.

 

1. Scherm­afbeelding 2024-08-31 om 22.24.45.jpg

 

In the original situation static RLS defined the specific counties and districts for each department. Due to increasing number of roles there is a wish to make this dynamic.

 

2a. Scherm­afbeelding 2024-08-31 om 22.23.48.jpg

 

 

One of the problems is that the filter direction in the one to many relationship between Users and Departments is from Departments to Users. Therefore restrictin the User table with E-mail == USERPRINCIPALNAME() won't filter down the Departments table.

I tried different approaches to solve this:


Approach 1: the combination of DAX in RLS:
Table Users: [E-mail] == USERPRINCIPALNAME()
Table Departments: [Department] IN VALUES(Users[Department])
Table Departments - Access shoudl be filtered due to its relationship with table Departments
Table Areas: [County-id] IN( VALUES('Department - access areas'[Access area])) || [District-id] IN( VALUES('Department - access areas'[Access area]))

Unfortunately, this doesn't work.

 

Approach 2:
Restrict table Departments by: [Department] == LOOKUPVALUE(Users[Department], Users[E-mail], USERPRINCIPALNAME())
Table Areas: [County-id] IN( VALUES('Department - access areas'[Access area])) || [District-id] IN( VALUES('Department - access areas'[Access area]))

Doesn't work either

 

Approach 3:

Restrict table Departments by: [Department] == LOOKUPVALUE(Users[Department], Users[E-mail], USERPRINCIPALNAME())
Table Areas:
[County-id] IN( CALCULATETABLE( VALUES('Department - access areas'[Access area]), 'Department - access areas'[Department] = SELECTEDVALUE(Departments[Department]))) ||
[District-id] IN( CALCULATETABLE( VALUES('Department - access areas'[Access area]), 'Department - access areas'[Department] = SELECTEDVALUE(Departments[Department])))

Also doesn't work.

 

Anyone who has some valuable suggestions?

PBIX attached:

https://www.dropbox.com/scl/fo/a5fitksgp9hm4ycvf9gee/AG5QR3-1nKT8kaoPuBL1p7A?rlkey=ui12vthaw4f3mwdv2... 

Labels:
Message 1 of 2
241 Views
0
1 REPLY 1
lbendlin
Super User
Super User

‎08-31-2024 05:05 PM

That's not what dynamic RLS is about.  In Dynamic RLS you maintain a reference table that lists exactly which artifacts a user has access to. That reference table is controlled by USERPRINCIPALNAME, and in turn controls the rest of the data model.

Message 2 of 2
193 Views
0

Helpful resources

Announcements
September Power BI Update Carousel

Power BI Monthly Update - September 2025

Check out the September 2025 Power BI update to learn about new features.

August 2025 community update carousel

Fabric Community Update - August 2025

Find out what's new and trending in the Fabric community.

View All
Top Solution Authors
View All