I am working on a PowerBI report which requires RLS.
To simplify, let's say I have the following tables:
Table 1:
Sales, Account, ProductOwnerAccount, Owner, Region
Table 2:
Userid, UserRegion, UserAccount
Scenario: Need to show two sets of tabular data:
All rows where Account = UserAccount and Region = UserRegion
All rows where ProductAccount = UserAccount, Account <> UserAccount and Region = UserRegion
The only way to achieve this seems to be RLS and using two roles with corresponding DAX filters.
However, if I apply two roles to the same user, the least restrictive one takes precedence and hence both reports will give the same result.
I tried to create a calculated table, but that does not allow using USERPRINCIPALNAME as a filter.
I also tried to have a page-level filter which could use a measure (which in turn uses USERPRINCIPALNAME()); this is also not allowed.
Similarly, a calculated column on each row to specify if it's owned by the current user doesn't work.
Is there any other way? Am I missing something very basic?
I have the table of customers with different statuses in different months.
I have added the Status value in a Power BI Slicer visual to filter the Matrix data. When selecting, for example, A, it only shows customers who have A status in a certain period.
Filtered Customer Data
(6 and 8 are missing because they don't have status A in any period.) The problem is that I want to see all the statuses of the customers who even once had status A. Is it possible somehow in Power BI?
Result I want to See
Good news: there is a pretty easy fix for this.
Create a new table using DAX.
    FilterableStatuses =
    SUMMARIZE(
        DemoData,
        DemoData[CustomerID],
        DemoData[Status]
    )
Create a relationship in your model between CustomerID on this new table and CustomerID on the table from your visual. It will be Many to Many and I prefer to not leave the filter direction as 'both' -- make it so FilterableStatus filters your original table.
Create a slicer using the status from FilterableStatuses rather than the original table, and that should give you the behavior that you're after. In essence, rather than filter the visual by [Status], you are filtering the list of CustomerIDs by status, and then letting the new relationship filter your visual to CustomerIDs.
Hope it helps!
Below is an example: I have a table called account, which is the user. The user is in an organization, but we only store the org id.
What I'm currently doing is using a calculated field and the ifelse function, but there are a number of other areas with a lot of entries, so it is a lot of work to create all these calculated fields.
Is there a smarter way to do this?
The best way to do this is to add a join between the 2 tables.
Add both datasets (user and orgs)
In the user dataset, use the "add data"
Select the org dataset
Use a join and it will look something like this:
You are probably past this point by now but at least an answer is here now
What is the correct way to relate users in Parse to one another as friends?
I also want users to be able to query other users but not see all fields, like emails. Is there a way I can create a view on the users table with cloud code, and only return this to the client code?
I was thinking I can create a friends table that will have two columns with 2 pointers, 1 for each user.
thanks for any advice.
I was thinking I can create a friends table that will have two columns with 2 pointers, 1 for each user.
I'll do that too, with a status column to handle pending, blocked...etc
I also want users to be able to query other users but not see all fields, like emails.
You have to add a privateData column on user with ACL restricted to owner only, which would contain private infos such as emails...etc
I'm trying to build a drop down list that holds available options (i.e. a page category that a user can create a page for) for the logged in user, however, these are based on user roles due to the nature of how our business works - of which a user can belong to multiple roles and each role can have different options to select from in the drop down list.
What I'd like to do for users that are in multiple roles is combine the options of each individual role and use it as the values for the drop down list.
What I have assumed is that I would be able to run multiple LINQ queries by say running them through a for each (For Each r In userRoles) and then unioning them?
Though I don't know if this is possible in the way I'm trying to do it.
Is it possible or am I barking up the wrong tree?
Can someone please please please point me in the right direction?
It sounds like you could join user on roles and options and then group on options.
Something like this
    ' Join the current user's roles to the options each role grants,
    ' then group by option so an option shared by several roles appears once.
    Dim userId = GetCurrentUserId()
    Dim userOptions = From userRole In UserRoles
                      Join roleOption In RoleOptions
                          On userRole.roleId Equals roleOption.roleId
                      Where userRole.userId = userId
                      Group By OptionId = roleOption.optionId, OptionName = roleOption.name
                      Into UserOptions = Group
                      Order By OptionName
I'm not a VB.NET coder and that is totally untested but hopefully you get the idea.
Like the title says, I've been asked to come up with an estimate for retrofitting an existing asp application.
The current security mechanism controls access to different parts of the application (page-level restrictions), but has no mechanism for flagging individual records as restricted. Assigning rights to a user (using the existing, custom access management code) is no problem, but enforcing the rights is a different matter - each asp page has embedded sql - there's no use of stored procs, objects, etc.
Is the only solution to modify each table and query, or is there a better way? Any pointers, suggestions or prayers would be welcome.
This is classic asp, running on IIS6, against an oracle database.
Update: Here's a user scenario.
We have users, managers, directors, and VPs. The managers can see data created by users who report to them, but not users who report to other managers. Users can't see data created by any managers. Same thing with directors - they can see down, but their reports can't see up.
This sounds like an ideal time to implement row-level security. Oracle has a package DBMS_RLS that allows you to define arbitrary access policies that can be applied to one or more tables that limit what rows a particular user is allowed to see. Conceptually, when a user issues a query with no filters on a protected table, i.e.
    SELECT *
      FROM my_table
Oracle automatically and transparently inserts a WHERE clause defined by your security policy that limits the result set. You shouldn't need to make any changes to the SQL your application is executing.
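An added example (not part of the original answer) of the DBMS_RLS setup described above, applied to the "managers see down, reports can't see up" scenario from the question. The APP schema, the ORDERS and APP_USERS tables, the APP_CTX context and every object name below are assumptions made for illustration.

```sql
-- Hypothetical objects: APP.ORDERS(created_by), APP.APP_USERS(user_id, manager_id).
-- 1. Application context that only the APP.SEC_CTX package is allowed to write.
CREATE OR REPLACE CONTEXT app_ctx USING app.sec_ctx;

CREATE OR REPLACE PACKAGE app.sec_ctx AS
  PROCEDURE set_user(p_user_id IN NUMBER);
END sec_ctx;
/
CREATE OR REPLACE PACKAGE BODY app.sec_ctx AS
  PROCEDURE set_user(p_user_id IN NUMBER) IS
  BEGIN
    -- Called by the application once it has authenticated the user.
    DBMS_SESSION.SET_CONTEXT('APP_CTX', 'USER_ID', TO_CHAR(p_user_id));
  END set_user;
END sec_ctx;
/

-- 2. Policy function: returns the predicate Oracle appends to each statement.
CREATE OR REPLACE FUNCTION app.orders_policy(
  p_schema IN VARCHAR2,
  p_object IN VARCHAR2
) RETURN VARCHAR2 IS
BEGIN
  -- The hierarchy walk yields the current user plus everyone reporting to them,
  -- directly or indirectly. An unset context gives NULL, which matches no rows.
  RETURN 'created_by IN (
            SELECT user_id FROM app.app_users
            START WITH user_id = TO_NUMBER(SYS_CONTEXT(''APP_CTX'', ''USER_ID''))
            CONNECT BY PRIOR user_id = manager_id)';
END orders_policy;
/

-- 3. Attach the policy; update_check also rejects writes outside the predicate.
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'APP',
    object_name     => 'ORDERS',
    policy_name     => 'ORDERS_HIERARCHY',
    function_schema => 'APP',
    policy_function => 'ORDERS_POLICY',
    statement_types => 'SELECT,INSERT,UPDATE,DELETE',
    update_check    => TRUE);
END;
/
```

Each page has to call app.sec_ctx.set_user after authenticating and before its embedded SQL runs, on every request if connections are reused. Accounts granted EXEMPT ACCESS POLICY bypass the policy, so the application's database account should not hold that privilege.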
Assuming you need maximum granularity, the ability to "grant" each and any row to any of very many users, then you have a many-to-many relation, yes?
So apply the following pattern:
Add a table of users.
Then, for each restricted table, do the following:
Rename it tablename + "_base".
Create a many-to-many table that associates that table's id with a user id, called tablename + "allowed_user".
Create a view with the name tablename that joins tablename_base to table_name_allowed_user, with a select * from tablename_base and user_id from tablename_allowed_user. This view should meet Oracle's requirements to be "inherently updatable."
Now comes the hard part. You need to add "and user_id = $user_id" to every query. Find the various functions you're using to make queries. Wrap those function(s) in ones that gets the user id from the session and add that predicate.
One passable way to do this is to read the select string, find all the "where"s (for subqueries there may be more than one), and replace each with "where (user = $user) and ". For queries that don't have a where, you'll need to insert this before any "group by" or "order by". This is fragile, so obviously you'll test that this works for all pages (you have an automated test for all pages, right?), and add hacks to cover special cases.
"update" statements won't have to change; "inserts" will presumably insert both to the view and then do a separate insert to the table's "allow_user" table with the id of the inserting user, to automatically grant the inserting user access to what he inserted.
If your number of users is more limited, or you're restricting types of users, you can go with a strategy of multiple views named for the user or type; then you'd replace table names in the queries with the appropriate views.