Solved: RLS: Allow a leaf in a hierarchy to see own data a...

tbones · ‎03-25-2021

I am looking for a solution for security settings.

The situation:

We have a hierarchy of

- national manager level

- sales manager level

- regional manager level

- account manager level

Using RLS we restrict the users to see everything of their own data and below. An account manager sees his area and nothing more. A sales manager sees his sales manager area including all regional managers and account managers below him.

There is now a new requirement now:

- an account manager should be able to see his area (as it is already), but also the national manager level numbers, without any possibility to see other sales/regional/account manager below.

It means for example, that he sees the sales amount of Germany and his area in Berlin, but nothing more.

- sales manager should be able to see their own sales manager area and below hierarchy levels (as it is already), but also the numbers of other sales managers, without being able to drill down to their regional/account managers.

For example they see sales manager area "region north" and can drill down to "north east" and "north west" (regions) and also deeper account manager level for e.g. City of Hamburg. Additionally (and that is the point here), he sees the numbers of "region west", "regions south" and "region east" (other sales managers) without being able to drill down to the regions/area below.

Is it possible ro restrict the data as described?

Thank you very much for your help

lbendlin · ‎03-28-2021

No. It is not possible to restrict as described. BUT - it is possible to allow the user to filter as described.

View solution in original post

tbones · ‎03-30-2021

thank you @lbendlin for the replies.

I see what is meant - thank you for clarification!

lbendlin · ‎03-29-2021

Use the standard Report level filter options and teach your users how to apply them and how to revert to the default (which should be their own focus area)

tbones · ‎03-29-2021

good to know!

How is it possible to filter as described?

lbendlin · ‎03-28-2021

No. It is not possible to restrict as described. BUT - it is possible to allow the user to filter as described.

tbones · ‎03-28-2021

thank you @lbendlin for the advice.

Maybe I am the only one here who doesn't understand, but it gives me no clue to proceed. It is not my job to rethink the requirements. I am just looking how to solve this as it is needed.

Let me re-formulate a little. Please forget RLS in this case (as it seems to be not right): Is it possible ro restrict the access of the users as described above?

lbendlin · ‎03-27-2021

My advice for you is to rethink what you are trying to accomplish and if it helps your users or not.

tbones · ‎03-26-2021

Thank your for your reply.

To understand you correctly it means that it is not possible to restrict it as described, right?

Do you have any useful advices for the above situation?

lbendlin · ‎03-26-2021

No, this is the opposite of RLS. RLS is a restrictive approach, what you want is a permissive approach.

Nothing wrong with that by the way, unless your data is fiscally sensitive. In fact, we have ditched RLS in many of our reports in favor of the permissive approach where we give everyone a default view of their area of work AND the opportunity to see data outside of that. Best of both worlds, in my opinion. Definitely improves employee satisfaction when compared to RLS (which is mostly hated).

RLS: Allow a leaf in a hierarchy to see own data and data of higher level without drill-down

Helpful resources

New forum boards available in Real-Time Intelligence.

Power BI Monthly Update - May 2024

How to Get Your Question Answered Quickly

Jumpstart your career with the Fabric Career Hub

RLS: Allow a leaf in a hierarchy to see own data and data of higher level without drill-down

Helpful resources

New forum boards available in Real-Time Intelligence.

Power BI Monthly Update - May 2024

How to Get Your Question Answered Quickly