04-02-2026 05:07 AM
Dynamic RLS is the go-to solution when Power BI security requirements are complex —
multiple dimensions, multiple filters, users mapped to many combinations. But on
large fact tables it evaluates USERPRINCIPALNAME() on every query for every user,
and at scale that cost is significant.
This notebook takes a different approach: it reads an RLS mapping table from your
Lakehouse, generates static roles automatically, applies DAX filters on dimension
tables (letting relationships propagate to fact tables), and assigns members by UPN
email — all programmatically via the Tabular Object Model (TOM).
────────────────────────────────────────
WHAT IT DOES
────────────────────────────────────────
→ Reads distinct security values from a Spark DataFrame (e.g. Country, Brand,
Company) and generates one role per value
→ Applies role-specific DAX filters on dimension tables (DT_*), not fact tables —
filters propagate through relationships automatically
→ Supports global filters applied to every role on their own fixed table
(e.g. a consolidation flag always on DT_Customer, an active flag on DT_Product)
→ Handles create-or-replace — safe to re-run at any time; existing roles are
removed and recreated cleanly
→ Adds members from a Username (UPN) column, saving one member at a time to
isolate invalid UPNs without blocking valid ones
→ Exports a JSON failure report to Lakehouse Files for any members that could
not be saved
→ Supports partial runs via config_keys — process only the dimensions you need
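
The planning step behind the list above, as an added example (not the notebook's own code): it derives one role per distinct value, builds the dimension-table DAX filter with the value escaped as a string literal, and separates rows with invalid UPNs or empty values into a JSON report. CONFIG, GLOBAL_FILTERS, build_roles, the Key_Value role naming and the skip-on-empty rule are assumptions for illustration; it makes no TOM calls.

```python
import json
import re
from collections import defaultdict

# Constructed sample rows: Username (UPN) + one column per secured dimension.
ROWS = [
    {"Username": "ana@contoso.com", "Country": "ES", "Brand": 'Acme "Pro"'},
    {"Username": "bob@contoso.com", "Country": "ES", "Brand": "Zen"},
    {"Username": "not-a-upn", "Country": "FR", "Brand": "Zen"},
    {"Username": "eve@contoso.com", "Country": None, "Brand": "Zen"},
]
# Hypothetical config: secured column -> (dimension table, filtered column).
CONFIG = {"Country": ("DT_Country", "Country"), "Brand": ("DT_Brand", "Brand")}
# Hypothetical global filter on its own fixed table, added to every role.
GLOBAL_FILTERS = {"DT_Product": "'DT_Product'[IsActive] = TRUE()"}
UPN_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def dax_string(value):
    # DAX escapes a double quote inside a string literal by doubling it,
    # so a mapping value cannot close the literal and alter the filter.
    return '"' + str(value).replace('"', '""') + '"'

def build_roles(rows, config, global_filters, config_keys=None):
    """Return (role plan, JSON failure report) for the selected dimensions."""
    roles, failures, members = {}, [], defaultdict(set)
    for key in (config_keys or config):
        table, column = config[key]
        for row in rows:
            upn, value = row.get("Username"), row.get(key)
            if value is None or not str(value).strip():
                # Assumption: an empty value yields no role rather than a blank filter.
                failures.append({"upn": upn, "dimension": key, "reason": "empty value"})
                continue
            name = f"{key}_{value}"
            roles[name] = {**global_filters, table: f"'{table}'[{column}] = {dax_string(value)}"}
            if upn and UPN_RE.match(upn):
                members[name].add(upn.lower())
            else:
                failures.append({"upn": upn, "dimension": key, "reason": "invalid UPN"})
    plan = [{"role": n, "filters": f, "members": sorted(members[n])} for n, f in sorted(roles.items())]
    return plan, json.dumps(failures, indent=2)
```

A role whose only mapped user fails validation is still planned, with no members, so it grants access to nobody until a valid UPN is added.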
────────────────────────────────────────
REQUIREMENTS
────────────────────────────────────────
- Microsoft Fabric workspace with Lakehouse attached to the notebook
- Power BI Semantic Model published to the workspace
- XMLA Read/Write enabled on the Fabric capacity
- semantic-link-labs (installed automatically via %pip install)
- RLS source table with: Username (UPN email) + one column per secured dimension
────────────────────────────────────────
STATIC VS DYNAMIC RLS — WHY IT MATTERS
────────────────────────────────────────
Static roles are evaluated once at connection time. Dynamic RLS evaluates on every
query. On a 10M-row fact table with hundreds of security combinations across Country,
Brand, and Company, the difference is felt immediately by end users. This notebook
makes generating and maintaining hundreds of static roles as straightforward as
running two cells.
https://github.com/enekoegiguren/rls_role_management_tmdl