Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Register now to learn Fabric in free live sessions led by the best Microsoft experts. From Apr 16 to May 9, in English and Spanish.

Reply
pgoum
Frequent Visitor

Row Level Security single role

‎05-27-2020 03:10 AM

Hey all!

 

I have a report concerning sales and salesmen. There exist 3 roles let's say depending on which every user can see different rows from the sales table. If a user has flag=0 or null then he/she can view everything. Otherwise we look at Items table and examine whether that user appears there. If yes then the user can view the rows that have item_group_code & item_subgroup_code that apply. Alternatively we look at the Customers table and if he/she appears there the user can view his/her customers sales only. 

The desired RLS case is to create a single role and assign all users there so that we don't have to switch from one role to another manually.

So far I have tried this condition on the sales table but it doesn't work.

 

IF (
    [user_logged_condition] = "View All",
    1 = 1,
    IF (
        [user_logged_condition] = "Items",
        Sales_Fact_View[key]
            = LOOKUPVALUE ( items_access[key_sales], items_access[email], [user_logged] ),
        IF (
            [user_logged_condition] = "Customers",
            Sales_Fact_View[customer]
                = LOOKUPVALUE (
                    customers_access[cust_code],
                    customers_access[email], [user_logged]
                ),
            1 = 0
        )
    )
)

 

I also share the pbix file I have created: RLS_oneRole.pbix 

 

Thanks,

Panos

Labels:
Message 1 of 2
274 Views
0
1 ACCEPTED SOLUTION
d_gosbell
Super User
Super User

‎05-27-2020 10:17 PM

So your issue is that in both of your LOOKUPVALUE expressions that multiple values could be returned and this function will throw and error in this case. 

 

You could work around this as follows by adding a second lookup condition for the key_sales or cust_code respectively:

IF (
    [user_logged_condition] = "View All",
    1 = 1,
    IF (
        [user_logged_condition] = "Items",
        Sales_Fact_View[key]
            = LOOKUPVALUE ( items_access[key_sales]
                   , items_access[email], [user_logged] 
                   . items_access[key_sales], Sales_Fact_View[key]
              ),
        IF (
            [user_logged_condition] = "Customers",
            Sales_Fact_View[customer]
                = LOOKUPVALUE (
                    customers_access[cust_code],
                    customers_access[email], [user_logged],
                    customers_access[cust_code], Sales_Fact_View[customer]
                ),
            1 = 0
        )
    )
)

 

 But from a performance perpective I think a better approach would be to have 3 roles then setup 3 security groups and put one group in each role then add users to one of those groups. That way your role expressions can be simple (and therefore faster), they can be put on the smaller dim tables (and therefore will be faster) and you don't need to edit the roles, you just put users in the different security groups.

View solution in original post

Message 2 of 2
238 Views
0
1 REPLY 1
d_gosbell
Super User
Super User

‎05-27-2020 10:17 PM

So your issue is that in both of your LOOKUPVALUE expressions that multiple values could be returned and this function will throw and error in this case. 

 

You could work around this as follows by adding a second lookup condition for the key_sales or cust_code respectively:

IF (
    [user_logged_condition] = "View All",
    1 = 1,
    IF (
        [user_logged_condition] = "Items",
        Sales_Fact_View[key]
            = LOOKUPVALUE ( items_access[key_sales]
                   , items_access[email], [user_logged] 
                   . items_access[key_sales], Sales_Fact_View[key]
              ),
        IF (
            [user_logged_condition] = "Customers",
            Sales_Fact_View[customer]
                = LOOKUPVALUE (
                    customers_access[cust_code],
                    customers_access[email], [user_logged],
                    customers_access[cust_code], Sales_Fact_View[customer]
                ),
            1 = 0
        )
    )
)

 

 But from a performance perpective I think a better approach would be to have 3 roles then setup 3 security groups and put one group in each role then add users to one of those groups. That way your role expressions can be simple (and therefore faster), they can be put on the smaller dim tables (and therefore will be faster) and you don't need to edit the roles, you just put users in the different security groups.

Message 2 of 2
239 Views
0

Helpful resources

Announcements
Microsoft Fabric Learn Together

Microsoft Fabric Learn Together

Covering the world! 9:00-10:30 AM Sydney, 4:00-5:30 PM CET (Paris/Berlin), 7:00-8:30 PM Mexico City

PBI_APRIL_CAROUSEL1

Power BI Monthly Update - April 2024

Check out the April 2024 Power BI update to learn about new features.

April Fabric Community Update

Fabric Community Update - April 2024

Find out what's new and trending in the Fabric Community.

View All