Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Register now to learn Fabric in free live sessions led by the best Microsoft experts. From Apr 16 to May 9, in English and Spanish.

Reply
careisin60
Frequent Visitor

Override Row Level Security

‎02-03-2022 07:17 AM

I have a report that I succussfully added a dynamic row level security to it.  The purpose was to make it convenient for users to see only their own transactions without having to filter for it.  However, it is OK for the user to see all users' transactions.  Some managers want to look at everyone to see how their reports are doing compared to others.  I'd like to accomplish one of two possibilities.

 

1) Have row level security apply to a single tab in my report, and not in the rest.  As I understand it, that is not a feature in Power BI and is not currently planned.  Unless that changed, this is not an option.

 

2) Is there a way for the usuer to change their role or somehow override their security.  I know I can do this in desktop to test the RLS feature, but if the user had a way to change their role so they saw all transactions would work. 

Labels:
Message 1 of 4
964 Views
0
3 REPLIES 3
careisin60
Frequent Visitor

‎02-14-2022 07:31 AM

Here are some pictures to help, hopefully.  Let's say this is my table of information:

RLS_Table.png

So far, I've been able to make the Row Level security to be dynamic with the IF functions used above.  So if Gabriel Stokes, a sales person, opens the report he would see this:

RLS_SalesPerson.png

If Maggie Green, a sales manager opens the report, he would see this:

RLS_Manager.png

If Daryl Dixon, a vice president, opens the report, he see's this:

RLS_VP.png

Where I'm having trouble is that I'd like to find a way that the user can shut off or do something to be able to see all the data.  I've tried puting conditional clauses using slicers in the RLS function, but it doesn't seem to work.  I don't know if there's a method to do this.  Is there coding I could put in the RLS function above to give the user power to change which column to filter for RLS? I want the user from sales people to vice presidents to be able to do something, like click a slicer or anything so they could see all the data like this:

RLS_All.png

Message 4 of 4
861 Views
0
v-yetao1-msft
Community Support
Community Support

‎02-06-2022 10:30 PM

Hi @careisin60 

The personnel structure of your RLS sounds a bit complicated. Can you use simple data or tables to reflect the data model you want to express and the results you want to achieve ?

 

Best Regard

Community Support Team _ Ailsa Tao

If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.

Message 3 of 4
876 Views
0
careisin60
Frequent Visitor

‎02-03-2022 11:03 AM

To add more detail, I have a dynamic RLS process going on.  I have three columns.  Team Member, Team Manager, Regional Manager. 

 

Every individual in the Team Table has a column with their unique user principal name in Team_Member.  FOr the Team_Manager column, every persons' team manager's user principal name is listed, and for everyone they have their Regional Manager's user principal name in the Regional_Manager Column.

 

The RLS function had an if statement.

IF ( countrows(FILTER(ALL(Team),Regional_Manager = userprincipalname()))>0, Regional_Manager = userprincipalname(),

IF(countrows(FILTER(ALL(Team),Team_Manager = userprincipalname()))>0,Team_Manager = userprincipalname(),

Team_Member = userprincipalname())))

 

This was working.  When I tested the roles a team manager had all their direct reports showing, Regional Managers had all their team managers and direct reports and so on.

 

I added a column to my Team table, called All, and it has the same value for every row, "all@company.com".

 

I thought maybe I could add a slicer that would override the individuals user principal name to see everything.

 

I added another table called Viewer, with one column, called Viewer with two values, All or Individual.

 

 

I put a slicer in my report where you had to pick one of those two values. 

 

Then in my RLS filter I created the following dynamic

var user = if(selectedvalue(Viewer[Viewer]) = "All", "all@company.com",userprincipalname())
return
if( 
  countrows(filter(all(team),all = user))>0, all = user,
if(
  countrows(filter(all(team),Regional_Manager = user))>0, Regional_Manager = user,
if(
  countrows(filter(all(team),Team_Manager = user))>0, Team_Manager = user,
  Team_Member = user)))

 

They dynamic filtering in RLS is working based on wether the person is a team member, manager or regional manager, but it doesn't seem to be affected at all by the slicer to override the RLS.

 

Message 2 of 4
911 Views
0

Helpful resources

Announcements
Microsoft Fabric Learn Together

Microsoft Fabric Learn Together

Covering the world! 9:00-10:30 AM Sydney, 4:00-5:30 PM CET (Paris/Berlin), 7:00-8:30 PM Mexico City

PBI_APRIL_CAROUSEL1

Power BI Monthly Update - April 2024

Check out the April 2024 Power BI update to learn about new features.

April Fabric Community Update

Fabric Community Update - April 2024

Find out what's new and trending in the Fabric Community.

View All
Top Solution Authors
View All
Top Kudoed Authors
View All