question

Sanae-0382 avatar image
0 Votes"
Sanae-0382 asked AlexeiStoyanovsky commented

SSAS Tabular model problem in Row Level Security

Hi,

Requirement 1 : One Team manager can’t see the data for other Team Manager.So we implemented a Row level Security on SSAS cube, based on users.

But now we have a new requirement to fulfill : a Team manager want to look for the historical data of his team or an specific agent to provide feedback, the data is trunked due to the Row level security

Example :
Manager 1 : Employee1, Employee2, Employee3 in 01/2021
Manager 2 : Employee4, Employee5 in 01/2021
Maanger 1 : Employee1,Employee2 in 02/2021
Manager 2 : Employee4, Employee5, Employee3 in 02/2021
If the manager 2 connected, he can't see historical data for the employee3 in 01/2021

Can you please help me to solve this problem.and have a dynamic row level security.

Thank you for your help.

sql-server-analysis-services
· 1
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Hi @Sanae-0382, we have not get a reply from you. Did any answers could help you? If there have any answers helped you, please do "Accept Answer". If not, please let us know. By doing so, it will benefit for community members who have this similar issue. Your contribution is highly appreciated. Thank you!

0 Votes 0 ·
CarrinWu-MSFT avatar image
0 Votes"
CarrinWu-MSFT answered

Hi @Sanae-0382,

Welcome to Microsoft Q&A!

You should create an additional role that implements dynamic security. Dynamic security provides row-level security based on the user name or login id of the user currently logged on. Please refer to Implement Dynamic Security by Using Row Filters to get more details.


Best regards,
Carrin


If the answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

AlexeiStoyanovsky avatar image
0 Votes"
AlexeiStoyanovsky answered

If manager 1 still needs to see employee 3's data for 01/21, you add another condition to your existing RLS, that a manager also sees the data for their current employees regardless of date. If employee goes to the current manager "with all the history", you could actually simplify your existing condition and only check for the current manager-employee relationships.

5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Sanae-0382 avatar image
0 Votes"
Sanae-0382 answered AlexeiStoyanovsky commented

Hi @AlexeiStoyanovsky , @CarrinWu-MSFT

Thank you for your responses.
If i put a restricition only on employees, a team manager can also see the future data of his current employees too
So i need a restriction on date, so as a team manager can see only historical and present data for his team members.

Thank you for your help

· 1
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

That's just a variation on scenario 1, adding alternative conditions to RLS. Basically, currently you test data rows for conditionX, while for your new requirement you need to test each row for (conditionX OR conditionY).

0 Votes 0 ·