question

AConfusedUser avatar image
0 Votes"
AConfusedUser asked ·

Object Level Security Tabular: support dynamic assignment like RLS with DAX?

Is there any way to handle Object Level Security dynamically like how Row Level Security can be handled via DAX statements?

Currently in our tabular models we do row level security by doing a DAX lookup against a table that lists the username and the RLS filter.

We want to utilize OLS by dynamically checking a user table that would list what objects or roles they would be allowed to see.

I do not see anyway to assign OLS dynamically as the users must be manually assigned to the roles they are in.

Is there no way to assign users to roles dynamically?

sql-server-analysis-services
10 |1000 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

1 Answer

LukasYu-msft avatar image
1 Vote"
LukasYu-msft answered ·

Hi,

OLS (Table or Column level) security is set in the JSON-based metadata in the Model.bim. It is not going to check any table content like RLS does.

From this base, and the users role is defined with TMSL in the model.bim file we could not dynamically change it like in a table for RLS. So what required is not supported for now.

Unfortunately I could not find a workaround here, maybe other experts could give better insight on this issue.


Regards,
Lukas


· 2 ·
10 |1000 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Hi,

Did you find anyway to do this or any workaround?
What is your last choice on this requirement . Appreciating any sharing from you :)

1 Vote 1 ·

Sadly, no.

We need a way to dynamically check the user permissions table (which we use for RLS but would probably generate a separate one for OLS). Basically the same type of RLS lookup would be ideal, or even a dynamic role lookup.

The issue is users will change roles over time, so I can't just manually add all the users into a role. I need the user's role assignment to be dynamically checked every time we process the Tabular model (or run a query or whatever).

Letting us specify role membership by scanning a table of UPNs and looking for criteria to be met to include the user in that role. Probably as simple as userPrinciapalName@domainname.com and a few columns that we would match on. We would define a few roles such as, Human Resources, Sales, Accounting, PurchaseOrders, etc..



Then we would specify DAX (or some filter) to match roles on those values HR role might just be RoleColumn="HR".

The issue is it has to be dynamic as users will change roles.

0 Votes 0 ·