This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(76.8, 56.00000000000001%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Is there any way to handle Object Level Security dynamically like how Row Level Security can be handled via DAX statements?
Currently in our tabular models we do row level security by doing a DAX lookup against a table that lists the username and the RLS filter.
We want to utilize OLS by dynamically checking a user table that would list what objects or roles they would be allowed to see.
I do not see anyway to assign OLS dynamically as the users must be manually assigned to the roles they are in.
Is there no way to assign users to roles dynamically?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(252.8, 9%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ELY%3C/text%3E%3C/svg%3E)
Hi,
OLS (Table or Column level) security is set in the JSON-based metadata in the Model.bim. It is not going to check any table content like RLS does.
From this base, and the users role is defined with TMSL in the model.bim file we could not dynamically change it like in a table for RLS. So what required is not supported for now.
Unfortunately I could not find a workaround here, maybe other experts could give better insight on this issue.
Regards,
Lukas
Hi,
Did you find anyway to do this or any workaround?
What is your last choice on this requirement . Appreciating any sharing from you :)
Sadly, no.
We need a way to dynamically check the user permissions table (which we use for RLS but would probably generate a separate one for OLS). Basically the same type of RLS lookup would be ideal, or even a dynamic role lookup.
The issue is users will change roles over time, so I can't just manually add all the users into a role. I need the user's role assignment to be dynamically checked every time we process the Tabular model (or run a query or whatever).
Letting us specify role membership by scanning a table of UPNs and looking for criteria to be met to include the user in that role. Probably as simple as userPrinciapalName@domainname.com and a few columns that we would match on. We would define a few roles such as, Human Resources, Sales, Accounting, PurchaseOrders, etc..
Then we would specify DAX (or some filter) to match roles on those values HR role might just be RoleColumn="HR".
The issue is it has to be dynamic as users will change roles.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(278.4, 60%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECW%3C/text%3E%3C/svg%3E)
It's been about a year since OLS was introduced, is there any update on allowing it to be dynamically implemented as with RLS?