Power BI Using DAX: RLS, LOOKUPVALUE, USERNAME

[Country] = LOOKUPVALUE(Managers[Country], Managers[ManagerName], USERNAME())

Row Level Security (RLS) is a feature in Power BI that restricts data access for users at the row level. It ensures that users can only see the data that they are permitted to view, based on their roles.

To implement RLS using DAX expressions, you can create roles and define DAX filters within those roles.

Scenario example

Managers Representing a Single Country.

Requirements:

  1. Managers must only see the data of their respective country.

  2. Minimize the number of RLS roles.

Steps to Implement RLS

  1. Create a Role:

• In Power BI Desktop, go to the Modeling tab.

• Click on Manage roles.

  1. Define the Role:

Create a new role, for example, ManagerRole.

Add a filter to the table that contains the country information. Assuming you have a Sales table with a Country column and a Managers table with ManagerName and Country columns, you can use the following DAX expression:

[Country] = LOOKUPVALUE(Managers[Country], Managers[ManagerName], USERNAME())

This DAX expression filters the Sales table to only include rows where the Country matches the country of the manager currently logged in. The USERNAME() function returns the username of the person currently logged in.

  1. Assign Users to the Role:

• After defining the role, you need to assign users to this role in the Power BI service.

• Publish your report to the Power BI service.

• Go to the dataset settings and assign the appropriate users to the ManagerRole.

Example Assume you have the following tables:

Sales Table:

OrderIDCountrySalesAmount
1USA100
2Canada200
3USA150
4Canada250

Managers Table:

ManagerNameCountry
JohnDoeUSA
JaneSmithCanada

When JohnDoe logs in, he will only see sales data for the USA, and when JaneSmith logs in, she will only see sales data for Canada.

Minimizing RLS Roles By using the LOOKUPVALUE function and the USERNAME() function, you can create a single role that dynamically filters data based on the logged-in user's country. This approach minimizes the number of RLS roles needed, as you don't need to create separate roles for each country.

ManagerRole vs [Country] DAX expression

ManagerRole is the broader security framework that includes various permissions and filters, while the [Country] DAX expression is a specific filter applied within that role.

ManagerRole is managed at the role level in Power BI, whereas the [Country] DAX expression is a part of the DAX code that defines how the data is filtered.

By combining these two, you can effectively implement RLS to ensure that managers only see the data relevant to their respective countries, while minimizing the number of roles needed.