Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Earn a 50% discount on the DP-600 certification exam by completing the Fabric 30 Days to Learn It challenge.

Reply
Friendly
Regular Visitor

RLS for "Reporting Groups"

‎12-18-2023 01:24 PM

I want to implement RLS so users can see the financial data of other users in their "Reporting Group".

 

A Reporting Group is just a group of users that should be able to see each other's data.

 

For example:

 

  • User 1 and 2 are in reporting group 1, they see each other's data.
  • User 3 and 4 are in reporting group 2, they see each other's data.
  • User 1 and 5 are in reporting group 3, they see each other's data. (I know that in the data there isn't a user 5 this is an example of how I would like it to behave)
  • etc etc

Any user can be in any number of reporting groups, and the reporting groups have no limit to the number of users.

 

What I have is a prototype set up of the data. It looks like this:
4 tables:

1. Client

Friendly_0-1702934131438.png

2. Account

Friendly_1-1702934159029.png

3. ReportingGroup

Friendly_2-1702934185390.png

4. ClientReportingGroupMap

Friendly_3-1702934211343.png

 

They are connected like this:

Friendly_4-1702934243935.png

 

The expected behaviour is that if Mickey (ClientIF 101) logs in he should be able to see the accounts data for people in Reporting Group 1 or 3. In Reporting Group 1 there is Mickey and Minnie. In reporting group 3, it's just Mickey.

 

Then if Daffy or Daisy log in, they should both be able to see each other's data as well.

 

Can someone help me take a stab at the dax for the RLS? Everything I come up with only shows individual client data, and not the data for the other people in the same reporting group.

Or, let me know if I'm going about this wrong?

 

Cheers!

Labels:
Message 1 of 8
302 Views
0
1 ACCEPTED SOLUTION
TomMartens
Super User
Super User

‎12-19-2023 08:21 AM

Hey @Friendly 

 

here you will find a pbix

https://tommartens-my.sharepoint.com/:u:/g/personal/tom_minceddata_com/ERItNG-FA8pImPWOA8MaNJ4BuRv52...

that contains a solution based on adapting the semantic model: 
image.png

I tend to adapt the model instead of leveraging complex DAX statements. The reason for this is that RLS means table iterators are in place, no matter the DAX statement that "defines" the RLS. From my experience, the more simple the DAX, the lesser the performance impact of RLS on the overall query performance.

For this reason, I created a new table, "Security Table" using Power Query. Maybe there are different ways to create this table, I created this table based on the sample data. This table is based on two joins, starting with the Client table. I create a new table by joining the Client table with the ClientReportingGroupMay table. This table provides all the ReportingGroups to which a Client is assigned. The result is shown in the next image:

image.png

Then, I joined the "ClientReportingGroupMap" table a second time, but this time, I used the ReportGroupID column, which provides the ClientIDs within the reporting group. This table contains the "peers"; in my example, I only used the ClientID column when expanding the table. I did not rename the column ClientID.1 to "Peers." I think this helps to better understand my approach. The next screenshot shows the final "Security Table" table:

image.png
The next image shows the relationship between the "Security Table" and the Client table:

image.png

The next image shows the configuration of the Row Level Security:

image.png

And finally, a very simple report, testing the RLS as user "client101@example.com:"

image.png

Hopefully, this provides what you are looking for.

 

Regards,

Tom



Did I answer your question? Mark my post as a solution, this will help others!

Proud to be a Super User!
I accept Kudos 😉
Hamburg, Germany

View solution in original post

Message 6 of 8
191 Views
7 REPLIES 7
TomMartens
Super User
Super User

‎12-19-2023 09:15 AM

Perfect! Happy to help!



Did I answer your question? Mark my post as a solution, this will help others!

Proud to be a Super User!
I accept Kudos 😉
Hamburg, Germany
Message 8 of 8
179 Views
0
TomMartens
Super User
Super User

‎12-19-2023 08:21 AM

Hey @Friendly 

 

here you will find a pbix

https://tommartens-my.sharepoint.com/:u:/g/personal/tom_minceddata_com/ERItNG-FA8pImPWOA8MaNJ4BuRv52...

that contains a solution based on adapting the semantic model: 
image.png

I tend to adapt the model instead of leveraging complex DAX statements. The reason for this is that RLS means table iterators are in place, no matter the DAX statement that "defines" the RLS. From my experience, the more simple the DAX, the lesser the performance impact of RLS on the overall query performance.

For this reason, I created a new table, "Security Table" using Power Query. Maybe there are different ways to create this table, I created this table based on the sample data. This table is based on two joins, starting with the Client table. I create a new table by joining the Client table with the ClientReportingGroupMay table. This table provides all the ReportingGroups to which a Client is assigned. The result is shown in the next image:

image.png

Then, I joined the "ClientReportingGroupMap" table a second time, but this time, I used the ReportGroupID column, which provides the ClientIDs within the reporting group. This table contains the "peers"; in my example, I only used the ClientID column when expanding the table. I did not rename the column ClientID.1 to "Peers." I think this helps to better understand my approach. The next screenshot shows the final "Security Table" table:

image.png
The next image shows the relationship between the "Security Table" and the Client table:

image.png

The next image shows the configuration of the Row Level Security:

image.png

And finally, a very simple report, testing the RLS as user "client101@example.com:"

image.png

Hopefully, this provides what you are looking for.

 

Regards,

Tom



Did I answer your question? Mark my post as a solution, this will help others!

Proud to be a Super User!
I accept Kudos 😉
Hamburg, Germany
Message 6 of 8
192 Views
Friendly
Regular Visitor
In response to TomMartens

‎12-19-2023 08:54 AM

You're a legend Tom! This absolutely fits the bill. Thank you so much.

Message 7 of 8
186 Views
0
TomMartens
Super User
Super User

‎12-18-2023 01:39 PM

Hey @Friendly ,

 

upload the pbix to OneDrive, Google Drive, or Dropbox and share the link.
Make sure that the column email contains email address contains email-address (even if they are not valid), as most likely the DAX for the RLS will leverage the DAX function USERPRINCIPALNAME.

 

Regards,

Tom

 

Regards,

Tom



Did I answer your question? Mark my post as a solution, this will help others!

Proud to be a Super User!
I accept Kudos 😉
Hamburg, Germany
Message 2 of 8
282 Views
0
Friendly
Regular Visitor
In response to TomMartens

‎12-18-2023 01:53 PM

Hi Tom - I DM'd you the files. Cheers!

Message 3 of 8
271 Views
0
TomMartens
Super User
Super User
In response to Friendly

‎12-18-2023 01:57 PM

I will not work with files shared via DM!

 

Regards,

Tom



Did I answer your question? Mark my post as a solution, this will help others!

Proud to be a Super User!
I accept Kudos 😉
Hamburg, Germany
Message 4 of 8
270 Views
0
Friendly
Regular Visitor
In response to TomMartens

‎12-18-2023 07:44 PM

Hi Tom,

 

Here is the Excel file and here is the PBIX file.

 

Cheers.

Message 5 of 8
213 Views
0

Helpful resources

Announcements
LearnSurvey

Fabric certifications survey

Certification feedback opportunity for the community.

PBI_APRIL_CAROUSEL1

Power BI Monthly Update - April 2024

Check out the April 2024 Power BI update to learn about new features.

April Fabric Community Update

Fabric Community Update - April 2024

Find out what's new and trending in the Fabric Community.

View All