Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Register now to learn Fabric in free live sessions led by the best Microsoft experts. From Apr 16 to May 9, in English and Spanish.

Reply
rmarian
Frequent Visitor

Row level security - column value starts with value from logged in user

‎02-16-2021 04:58 AM

Hello,

I am trying to set up row-level security on a table that contains unique list of all employees. Available columns:

  • Employee email address
  • RBS (resource breakdown structure) - shows the employee position in the organization in a format like this: "Division.Unit.Department.Team.etc..." (it can have as many levels as needed)

The goal is that logged in user (line manager) should only see data for employees on the same RBS level as he is, or on levels below.

For example unit head with RBS "Division.Unit" should see all employees with RBS

  • Division.Unit
  • Division.Unit.Department1
  • Division.Unit.Department2
  • Division.Unit.Department1.Team1 etc.

They should not see emplyees with RBS

  • Division
  • Division.Different Unit
  • Division.Different Unit.Department etc.

In the DAX formula, I need to call USERPRINCIPALNAME() to get the email address of the logged in user, but how do I check which rows' RBS starts with the logged in user's RBS?

Any help will be very appreciated!

Labels:
Message 1 of 6
546 Views
0
1 ACCEPTED SOLUTION
rmarian
Frequent Visitor

‎03-05-2021 05:14 AM

Thank you for your suggestions. While they might work, I was not able to easily implement them.

 

What I did instead was set the RLS to filter all employees where the RBS contains the RBS of the logged in user, and then exclude the logged in user.

IF(Employees[Employee Email]=userprincipalname(),False,CONTAINSSTRING(Employees[RBS],LOOKUPVALUE(Employees[RBS],Employees[Employee Email],userprincipalname())))

 

View solution in original post

Message 6 of 6
416 Views
0
5 REPLIES 5
rmarian
Frequent Visitor

‎03-05-2021 05:14 AM

Thank you for your suggestions. While they might work, I was not able to easily implement them.

 

What I did instead was set the RLS to filter all employees where the RBS contains the RBS of the logged in user, and then exclude the logged in user.

IF(Employees[Employee Email]=userprincipalname(),False,CONTAINSSTRING(Employees[RBS],LOOKUPVALUE(Employees[RBS],Employees[Employee Email],userprincipalname())))

 

Message 6 of 6
417 Views
0
Greg_Deckler
Super User
Super User

‎02-16-2021 08:07 AM

@rmarian Use the PATH set of DAX functions. If you replace your periods with "|" character that would make it a PATH for DAX. Alternatively, split your column out based upon "." character.


@ me in replies or I'll lose your thread!!!
Instead of a Kudo, please vote for this idea
Become an expert!: Enterprise DNA
External Tools: MSHGQM
YouTube Channel!: Microsoft Hates Greg
Latest book!: The Definitive Guide to Power Query (M)

DAX is easy, CALCULATE makes DAX hard...
Message 5 of 6
484 Views
0
Greg_Deckler
Super User
Super User

‎02-16-2021 05:04 AM

@rmarian - Dynamic Hierarchical RLS - https://community.powerbi.com/t5/Quick-Measures-Gallery/Dynamic-Hierarchical-Row-Level-Security/m-p/...

 


@ me in replies or I'll lose your thread!!!
Instead of a Kudo, please vote for this idea
Become an expert!: Enterprise DNA
External Tools: MSHGQM
YouTube Channel!: Microsoft Hates Greg
Latest book!: The Definitive Guide to Power Query (M)

DAX is easy, CALCULATE makes DAX hard...
Message 2 of 6
521 Views
0
rmarian
Frequent Visitor
In response to Greg_Deckler

‎02-16-2021 06:42 AM

@Greg_Deckler  Could you please elaborate how to apply this to my data? I don't have a direct child id-parent id connection between the rows, I can only get this information from the RBS column which is type string. How do I convert to path?

Message 3 of 6
497 Views
0
Rigensis
Helper I
Helper I
In response to rmarian

‎02-16-2021 08:16 AM

@rmarian Basically you can do it, but you would need to create another column in your users table, that would contain all users that can access the particular users data.

 

For example,

user that has RBS of Division.Unit would only need his own email in the new column,

while a user that has RBS of Division.Unit.Department1, in the new column would have not only his own email, but also the email of the first user mentioned, as that one can also access this lower level.

 

basically you would have to recreate RBS column, but with user emails. 

The highest level user would only have his own email in the new column, effectively only he can see the data that is connected with his RBS.

while the lowest level user in the new column would have emails of all the people that are higher up in the same RBS chain as he is, effectively giving all of them access to what he sees as well.

Message 4 of 6
476 Views
0

Helpful resources

Announcements
Microsoft Fabric Learn Together

Microsoft Fabric Learn Together

Covering the world! 9:00-10:30 AM Sydney, 4:00-5:30 PM CET (Paris/Berlin), 7:00-8:30 PM Mexico City

PBI_APRIL_CAROUSEL1

Power BI Monthly Update - April 2024

Check out the April 2024 Power BI update to learn about new features.

April Fabric Community Update

Fabric Community Update - April 2024

Find out what's new and trending in the Fabric Community.

View All