AmiraBedh
Super User

Using Dynamic RLS with Azure Active Directory Groups - Tabular model

We have an SSAS tabular cube and we are using a live connection.

So the definition of the Dynamic Row Level Security will be on the SSAS tabular cube.

We have only the Azure Active Directory Groups email to build a dimension.

For each specific department (HR, Sales, ...), the person views the report based on the department he is working in.

We are using DRLS because an employee can be working in two or more departments.

So an employee can belong to one or more Active Directory Groups.

 

The current Department dimension we are modeling is as follows:

DepartmentSK
ADEmail

and we are linking it to fact table Sales. The employee is directly linked to the fact table.

My question: do we need the email address of all employees belonging to an Azure Active Directory Group?

Or can we just configure that using the Azure Active Directory Group email?

For security and data protection, the client is currently providing only the Azure Active Directory Group email.


Proud to be a Power BI Super User !

Microsoft Community : https://docs.microsoft.com/en-us/users/AmiraBedhiafi
Linkedin : https://www.linkedin.com/in/amira-bedhiafi/
StackOverflow : https://stackoverflow.com/users/9517769/amira-bedhiafi
C-Sharp Corner : https://www.c-sharpcorner.com/members/amira-bedhiafi
Power BI Community :https://community.powerbi.com/t5/user/viewprofilepage/user-id/332696
1 ACCEPTED SOLUTION
lbendlin
Super User

Dynamic RLS works with individual email addresses. If you want to use AD groups you need to implement static RLS (which may not be supported in your scenario).

 

Dynamic RLS supports the case where an individual reports to multiple managers.

3 REPLIES 3
Is it possible to use the USEROBJECTID instead of the email ?


Proud to be a Power BI Super User !

Microsoft Community : https://docs.microsoft.com/en-us/users/AmiraBedhiafi
Linkedin : https://www.linkedin.com/in/amira-bedhiafi/
StackOverflow : https://stackoverflow.com/users/9517769/amira-bedhiafi
C-Sharp Corner : https://www.c-sharpcorner.com/members/amira-bedhiafi
Power BI Community :https://community.powerbi.com/t5/user/viewprofilepage/user-id/332696

No, your only choice for dynamic RLS is USERPRINCIPALNAME which is the email of the AD object accessing the app/report/dataset.
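
As an added illustration of the per-user mapping the replies describe (not code from any post in this thread), a role's row filter on the Department table could look like the following. The bridge table `UserDepartment`, its columns and the sample rows are assumptions made up for this example; `Department[DepartmentSK]` is the key from the question.

```dax
-- Row filter (DAX) defined on the Department table inside a role.
-- Assumed bridge table, one row per user per department (constructed sample rows):
--   UserDepartment[UserPrincipalName]   UserDepartment[DepartmentSK]
--   alice@contoso.com                   1   (HR)
--   alice@contoso.com                   2   (Sales)
--   bob@contoso.com                     2   (Sales)
-- A Department row is visible only when the bridge table pairs its key with
-- the UPN of the signed-in user, so a user mapped to two departments sees both
-- and a user with no mapping rows sees nothing.
VAR CurrentUser = USERPRINCIPALNAME ()
RETURN
    CONTAINS (
        UserDepartment,
        UserDepartment[UserPrincipalName], CurrentUser,
        UserDepartment[DepartmentSK], Department[DepartmentSK]
    )
```

The existing relationship from Department to the Sales fact table then carries the restriction to the fact rows. Members of the role should not be able to read other users' rows in the bridge table, so it needs its own row filter on the same UPN.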