What problem does this solve?
Dynamic RLS evaluates USERPRINCIPALNAME() on every query for every user. On a fact table with 10M+ rows and hundreds of security combinations, this kills report performance. Static RLS roles are evaluated once at connection time — but creating and maintaining 500 of them manually is not feasible.
This notebook automates the full lifecycle of static RLS roles using Semantic Link and the Tabular Object Model (TOM): creation, replacement, member assignment, and cleanup of unused roles — all driven from an RLS mapping table in your Lakehouse.
What it does
✅ Reads distinct dimension values (Country, Brand, Company...) from a Spark DataFrame and generates one role per value
✅ Applies role-specific DAX filters on Dimension Tables (DT_*) — never on Fact Tables — so relationships propagate the filter automatically
✅ Supports global filters applied to every role on their own fixed table (e.g. a consolidation flag always on DT_Customer)
✅ Handles create-or-replace — idempotent, safe to re-run at any time
✅ Adds members from a Username (UPN) column, one at a time per fresh TOM connection — isolates invalid UPNs without blocking valid ones
✅ Drops unused roles when values are removed from the RLS table — only touches roles owned by this notebook, never manual ones
✅ Exports a JSON failure report to Lakehouse Files for any members that could not be saved
✅ Supports partial runs via config_keys — process only the dimensions you need
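The planning side of the list above, as an added example that is not the notebook's own code: it builds one role per value with DAX filters on DT_ tables only, then diffs against existing roles so that manual roles and unprocessed dimensions are never dropped. The `RLS_AUTO_` prefix, the table and column names, and the sample rows are assumptions; the code only computes the plan and makes no Semantic Link or TOM calls.

```python
ROLE_PREFIX = "RLS_AUTO_"  # assumed ownership marker, not the notebook's real naming scheme

def dax_string(value):
    """Quote a value as a DAX string literal (embedded double quotes are doubled)."""
    return '"' + str(value).replace('"', '""') + '"'

def build_desired_roles(rows, dim_config, global_filters):
    """rows: (dimension, value, upn) tuples from the RLS mapping table.
    dim_config: {dimension: (table, column)}; only these dimensions are processed.
    global_filters: {table: DAX expression} applied to every role."""
    for table in [t for t, _ in dim_config.values()] + list(global_filters):
        if not table.startswith("DT_"):  # filters belong on dimension tables only
            raise ValueError(f"refusing to filter non-dimension table {table!r}")
    roles = {}
    for dim, value, upn in rows:
        if dim not in dim_config:  # partial run: dimension not selected
            continue
        table, column = dim_config[dim]
        name = f"{ROLE_PREFIX}{dim}_{value}"
        if name not in roles:
            expr = f"'{table}'[{column}] = {dax_string(value)}"
            filters = dict(global_filters)
            # If a global filter sits on the same table, both conditions must hold.
            filters[table] = f"({filters[table]}) && ({expr})" if table in filters else expr
            roles[name] = {"filters": filters, "members": set()}
        roles[name]["members"].add(upn.strip().lower())  # UPNs compare case-insensitively
    return roles

def plan_changes(desired, existing_names, dim_config):
    """Diff desired roles against the model, scoped to owned roles of processed dimensions."""
    scopes = tuple(f"{ROLE_PREFIX}{dim}_" for dim in dim_config)
    owned = {n for n in existing_names if n.startswith(scopes)}
    return {"create": sorted(set(desired) - owned),
            "replace": sorted(set(desired) & owned),
            "drop": sorted(owned - set(desired))}

# Constructed sample data (not from a real model)
ROWS = [("Country", "Spain", "ana@contoso.com"), ("Country", "Spain", "Ana@contoso.com "),
        ("Country", 'Côte "Nord"', "luc@contoso.com"), ("Brand", "Acme", "ana@contoso.com")]
DIMS = {"Country": ("DT_Geography", "Country")}  # partial run: Country only
GLOBAL = {"DT_Customer": "'DT_Customer'[IsConsolidated] = TRUE()"}
EXISTING = ["RLS_AUTO_Country_Spain", "RLS_AUTO_Country_France",
            "RLS_AUTO_Brand_Acme", "Finance_Manual"]

if __name__ == "__main__":
    desired = build_desired_roles(ROWS, DIMS, GLOBAL)
    print(plan_changes(desired, EXISTING, DIMS))
```

Scoping the drop set to the processed dimensions matters on partial runs: without it, a Country-only run would treat every Brand role as unused.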
Requirements
Real world context
Validated on a production model with 10M+ rows, 21 tables, and 500+ roles across multiple dimensions. Report load time dropped significantly after switching from Dynamic RLS to this approach.
https://github.com/enekoegiguren/Semantic-Link-Static-RLS-Role-Management