You have the Power BI model shown in the following exhibit.
A manager can represent only a single country.
You need to use row-level security (RLS) to meet the following requirements:
✑ The managers must only see the data of their respective country.
✑ The number of RLS roles must be minimized.
Which two actions should you perform? Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.
To minimize the number of RLS roles and ensure that each manager can see only the data of their respective country, you should create a single role that filters the Country[Manager_Email] using relevant DAX functions. The USERNAME function is used to filter based on the user's login name. In scenarios where the email format of the manager is used, USERNAME can be effective. However, for better precision, especially if there's a possibility of differentiating between login names and email, USEROBJECTID is often used to filter based on the user identifier in the organization securely. By using these dynamic functions, you avoid creating multiple roles for each country. Additionally, each proposed solution individually meets the complete requirement of applying RLS based on the manager's email or user identification, hence minimizing the number of roles while ensuring security requirements are met. Therefore, A and B are the best choices.
The given answer is correct. A. Create a single role that filters Country[Manager_Email] by using the USERNAME DAX function. C.For the relationship between Purchase Detail and Purchase, select Apply security filter in both directions.
Ok, I agree with A and C but, "Each correct answer presents a complete solution" ? I believe that A and C are each one a part of solution not a complete solution... Am I worng?
You are very right; C option is not a complete solution.
I believe the given answer is not correct. Furthermore, I believe the most selected answer is incorrect as each option selected should be a complete solution. As mentioned in some other comments, the questions says that each solution should be a COMPLETE solution. If you in isolation performs option C, it would not lead to any RLS being applied in the model. If the question were asking for two alternatives that together were a complete solution, A and C would be correct. Hence, one should opt you alternative A and D where A is dynamic RLS and D is static RLS (credit to the individual(s) mentioning this prior to this comment).
That's right! So the correct answer is A and D in this case ( each solution should be a COMPLETE solution)
But it does NOT minimize the number of roles
This was on Exam Today
A, D. A is dynamic while D is static RLS. Each presents a complete solution. The explanation in C itself is correct but irrelevant. The RLS filter required doesn't come from the Purchase Detail table.
I don't think that D is a correct answer because it can require creating a lot of RLS roles but we need to minimize them according to the task.
C and E are not complete solutions by themselves
I think it should be AE, Instead of applying bidirectional security, good to flow data in single direction and it does meet the requirement and best practice as well.
This was in the exam this week.
A can't be correct, Create a single role that filters Country[Manager_Email] by using the USERNAME DAX function - USERNAME returns the Username, to get the User-E-Mail you have to use USERPRINCIPALNAME
This is was on the exam today. 2024-04-19
This was at the exam today. 2024-04-25 My answer: A & C
Why in both directions? The RLS filter comes from the Country table and propagates to the Purchase table, the it propagates to the Purchase Detail table. There's no RLS filter coming from the Purchase Detail table, which it'll justify the use of RLS in both directions.
OK, given the options, it seems to me that A and C are correct. But wouldn't it be "more" correct for "Apply security filter in both directions" to be between the tables Country and Purchase? Thanks in advance for any feedback
Shouldn't we use the USERPRINCIPALNAME function DAX as it pertains to the email column?
A & D are the correct answers. A. This action is necessary to filter data based on the currently logged-in user's email (USRNAME function). This allows us dynamically filter the data to show only the data corresponding to the manager's email address. D. Since each manager can represent only a single country, we should create one RLS role for each country. Each role will filter the data based on the manager's email (Using USERNAME) and the corresponding country they manage. This way, each manager will have access only to the data for their respective country.
I'm ok with that
as shown in image bidirectional filtering is already applied, so y are we doing the same again? can anyone explain please?
it's my same doubt
By default, row-level security filtering uses single-directional filters, whether the relationships are set to single direction or bi-directional. You can manually enable bi-directional cross-filtering with row-level security by selecting the relationship and checking the Apply security filter in both directions checkbox.
AC is correct
I will go with D, E
On June 8, 2024 exam