70-466 · Question #124
You are developing a SQL Server Analysis Services (SSAS) tabular project. In the data warehouse, a table named Employee Security defines a relationship between a salesperson's name, logon ID, and assi
The correct answer is D. Add the Employee Security table to the model, define the relationships, and then implement dynamic security by using row filters. Grant each salesperson access to the model.. Dynamic security in SSAS tabular uses DAX row filters with USERNAME() against a security mapping table to automatically restrict each user's visible data to only their assigned territory.
Question
Exhibit
Options
- ACreate a separate tabular project for each sales territory. Grant each salesperson access to the corresponding tabular model of the assigned sales territory.
- BCreate a new Active Directory Domain Services (AD DS) security group and add each salesperson as a member. Then create a new role with Read permission.
- CAdd the group as a member to the role. Create a new role with Read permission and then add each salesperson's logon as a member to the role.
- DAdd the Employee Security table to the model, define the relationships, and then implement dynamic security by using row filters. Grant each salesperson access to the model.
How the community answered
(28 responses)- A4% (1)
- B4% (1)
- C11% (3)
- D82% (23)
Why each option
Dynamic security in SSAS tabular uses DAX row filters with USERNAME() against a security mapping table to automatically restrict each user's visible data to only their assigned territory.
Creating a separate tabular project per sales territory multiplies development and maintenance effort significantly, directly violating the minimize-development-effort requirement.
Adding all salespeople to one AD DS group with a single Read-permission role grants every member access to all data in the model - no per-territory restriction is applied.
Individually adding each salesperson's logon to a single role still grants all members the same unrestricted Read access; without DAX row filters the role cannot differentiate which territory each salesperson is permitted to see.
By importing the Employee Security table and defining its relationships in the model, you can apply DAX row filter expressions that call USERNAME() to match each logged-in salesperson's logon ID against their assigned territory in that table. This is the native SSAS tabular dynamic security pattern - a single role with row-level filters adapts automatically per user without requiring separate roles or projects. It minimizes development effort while enforcing precise per-user data access.
Concept tested: SSAS tabular dynamic security with DAX row filters
Source: https://learn.microsoft.com/en-us/analysis-services/tabular-models/dynamic-security-row-filters-and-members
Topics
Community Discussion
No community discussion yet for this question.
