Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

We've captured the moments from FabCon & SQLCon that everyone is talking about, and we are bringing them to the community, live and on-demand. Starts on April 14th. Register now

Reply
MrKETATA
Frequent Visitor

multi RLS > subtractive rather than additive

‎09-21-2022 04:22 AM

hello community,

 

USECASE 1
Suppose we have a classic star schema, with dim product and dim region.
requirement = we need to implement an RLS rule, users under this rule should only see "Bikes" category sold in "Europe" region 
which means an intersection-based RLS between dim product and dim region 
The common approach is to create 2 seperate static RLS with one,  filtering "dim product" and the other filtering "dim region"

but in that case, those 2 RLS with be additive and we'll see , say some Bikes data saled on "US" region for example.
    

USECASE 2 :
i've created 2 RLS
RLS 1 = filtering a standalone table not related to the model 
RLS 2 = filtering a dimension table related to the model (star schema)
both tables blong to the same dataset (no way to seperate them due to a specific requirement)

as a result of RLS additive behavior, and from the fact that those 2 tables are not related, 
applying both RLS at the same time, made the data fully accessible.

any workarounds except createing seperate parameterized datasets ?

Thank you!

Labels:
Message 1 of 3
953 Views
0
2 REPLIES 2
v-chenwuz-msft
Community Support
Community Support

‎09-21-2022 11:14 PM

Hi @MrKETATA ,

 

Your usecase 2 is the usual method.

1 add a role table( seperate parameterized dataset)

2 filter product and region table by two rls rules.

rls code like this:

 

product table:

[product_id] in calculatetable( values(roletable[productid]), filter( roletable, [useremail] = username()))

 

region table:

[region_id] in calculatetable( values( roletable[region_id]), filter( roletable,[useremail] = username())) 

 

Best Regards

Community Support Team _ chenwu zhu

 

If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.

Message 2 of 3
900 Views
MrKETATA
Frequent Visitor
In response to v-chenwuz-msft

‎09-22-2022 12:53 AM

Thanks @v-chenwuz-msft 


The thing is, table in RLS1 will be used to assign our end userprincipalname() to a specific page name (has no business with data model), although, RLS2 is meant to filter our data model, finally i'll go with multi parameterized dataset, and leverage RLS1 only, I would suggest to disable RLS additive behavior on tables that are obviously not related.

Regards.

Message 3 of 3
894 Views
0

Helpful resources

Announcements
New to Fabric survey Carousel

New to Fabric Survey

If you have recently started exploring Fabric, we'd love to hear how it's going. Your feedback can help with product improvements.

Power BI DataViz World Championships carousel

Power BI DataViz World Championships - June 2026

A new Power BI DataViz World Championship is coming this June! Don't miss out on submitting your entry.

Join our Fabric User Panel

Join our Fabric User Panel

Share feedback directly with Fabric product managers, participate in targeted research studies and influence the Fabric roadmap.

March Power BI Update Carousel

Power BI Community Update - March 2026

Check out the March 2026 Power BI update to learn about new features.

View All