@luquimbo/bi-superpowers 1.0.0

package/library/snippets/dax/security-patterns.md

@@ -0,0 +1,413 @@
+# Security Patterns in DAX
+
+Row-Level Security (RLS), Object-Level Security (OLS), and dynamic security patterns.
+
+---
+
+## Row-Level Security (RLS)
+
+### Basic Static RLS
+
+```dax
+// Role: Sales Region - West
+// Filter on Region dimension
+[Region] = "West"
+```
+
+```dax
+// Role: Single Country
+// Filter on Geography
+[Country] = "USA"
+```
+
+### User-Based Dynamic RLS
+
+```dax
+// Filter by logged-in user's email
+// Requires DimUser table with Email and allowed regions
+VAR _UserEmail = USERPRINCIPALNAME()
+VAR _AllowedRegions =
+    CALCULATETABLE(
+        VALUES(DimUserRegion[Region]),
+        DimUserRegion[UserEmail] = _UserEmail
+    )
+RETURN
+    [Region] IN _AllowedRegions
+```
+
+```dax
+// Simplified: User sees their own data only
+[EmployeeEmail] = USERPRINCIPALNAME()
+```
+
+### Manager Hierarchy RLS
+
+```dax
+// Manager sees their direct reports and all indirect reports
+// Requires parent-child hierarchy in employee table
+VAR _UserEmail = USERPRINCIPALNAME()
+VAR _ManagerEmployeeKey =
+    LOOKUPVALUE(
+        DimEmployee[EmployeeKey],
+        DimEmployee[Email], _UserEmail
+    )
+VAR _DirectReports =
+    CALCULATETABLE(
+        VALUES(DimEmployee[EmployeeKey]),
+        PATH(DimEmployee[EmployeeKey], DimEmployee[ManagerKey]),
+        PATHCONTAINS(
+            PATH(DimEmployee[EmployeeKey], DimEmployee[ManagerKey]),
+            _ManagerEmployeeKey
+        )
+    )
+RETURN
+    [EmployeeKey] IN _DirectReports ||
+    [EmployeeKey] = _ManagerEmployeeKey
+```
+
+### Multi-Table RLS
+
+```dax
+// Sales table filtered by user's region
+// Must apply to the dimension table, not fact table
+// In DimRegion table:
+VAR _UserEmail = USERPRINCIPALNAME()
+VAR _UserRegions =
+    CALCULATETABLE(
+        VALUES(DimUserAccess[RegionKey]),
+        DimUserAccess[Email] = _UserEmail
+    )
+RETURN
+    [RegionKey] IN _UserRegions
+```
+
+---
+
+## Security Tables Pattern
+
+### User-Region Mapping Table
+
+```
+DimUserAccess
+├── UserAccessKey (PK)
+├── UserEmail
+├── RegionKey (FK)
+├── AccessLevel (Read/Write)
+└── ValidFrom / ValidTo
+```
+
+```dax
+// RLS filter expression
+VAR _User = USERPRINCIPALNAME()
+RETURN
+    COUNTROWS(
+        FILTER(
+            DimUserAccess,
+            DimUserAccess[UserEmail] = _User &&
+            DimUserAccess[RegionKey] = [RegionKey] &&
+            DimUserAccess[ValidTo] >= TODAY()
+        )
+    ) > 0
+```
+
+### Security with Effective Dating
+
+```dax
+// Time-based security (access expires)
+VAR _User = USERPRINCIPALNAME()
+VAR _Today = TODAY()
+RETURN
+    COUNTROWS(
+        FILTER(
+            DimUserAccess,
+            DimUserAccess[UserEmail] = _User &&
+            DimUserAccess[RegionKey] = [RegionKey] &&
+            DimUserAccess[ValidFrom] <= _Today &&
+            (_Today <= DimUserAccess[ValidTo] || ISBLANK(DimUserAccess[ValidTo]))
+        )
+    ) > 0
+```
+
+---
+
+## Performance-Optimized RLS
+
+### Pre-filtered Security Table
+
+```dax
+// Instead of complex filter in RLS, use pre-computed table
+// DimUserFilteredRegions: One row per user-region combination
+VAR _User = USERPRINCIPALNAME()
+RETURN
+    [RegionKey] IN
+    CALCULATETABLE(
+        VALUES(DimUserFilteredRegions[RegionKey]),
+        DimUserFilteredRegions[UserEmail] = _User
+    )
+```
+
+### Avoid LOOKUPVALUE in RLS
+
+```dax
+// BAD: LOOKUPVALUE in every row evaluation
+[RegionKey] = LOOKUPVALUE(DimUser[RegionKey], DimUser[Email], USERPRINCIPALNAME())
+
+// GOOD: Use IN with VALUES
+VAR _User = USERPRINCIPALNAME()
+RETURN
+    [RegionKey] IN CALCULATETABLE(
+        VALUES(DimUser[RegionKey]),
+        DimUser[Email] = _User
+    )
+```
+
+### Bi-directional Filtering Consideration
+
+```dax
+// If relationship is bi-directional, RLS on one table filters both
+// Consider setting relationship to single direction for security tables
+// Then explicitly cross-filter in measures when needed
+```
+
+---
+
+## Testing RLS in DAX
+
+### Test as Another User
+
+```dax
+// Measure to simulate RLS for testing
+Sales_AsUser =
+VAR _TestUser = "john.smith@company.com"  // Replace with test user
+VAR _AllowedRegions =
+    CALCULATETABLE(
+        VALUES(DimUserAccess[RegionKey]),
+        DimUserAccess[UserEmail] = _TestUser
+    )
+RETURN
+    CALCULATE(
+        [Sales],
+        DimRegion[RegionKey] IN _AllowedRegions
+    )
+```
+
+### RLS Debug Measure
+
+```dax
+// Shows what user sees for debugging
+_RLS_Debug =
+VAR _User = USERPRINCIPALNAME()
+VAR _AccessCount =
+    COUNTROWS(
+        FILTER(
+            DimUserAccess,
+            DimUserAccess[UserEmail] = _User
+        )
+    )
+RETURN
+    "User: " & _User &
+    " | Access Rows: " & _AccessCount &
+    " | Regions: " & CONCATENATEX(
+        FILTER(DimUserAccess, DimUserAccess[UserEmail] = _User),
+        DimUserAccess[RegionName],
+        ", "
+    )
+```
+
+---
+
+## Object-Level Security (OLS)
+
+### Restricting Column Access
+
+OLS is configured in the model (not DAX), but here's how to handle hidden data in measures:
+
+```dax
+// Measure that respects OLS
+// If Salary column is restricted, this returns blank for unauthorized users
+Salary Total =
+VAR _Result = SUM(FactEmployees[Salary])
+RETURN
+    IF(ISNUMBER(_Result), _Result, BLANK())
+```
+
+### Conditional Column Display
+
+```dax
+// Show value only if user has access (via security table)
+Salary Display =
+VAR _User = USERPRINCIPALNAME()
+VAR _HasAccess =
+    CALCULATE(
+        COUNTROWS(DimUserPermissions),
+        DimUserPermissions[UserEmail] = _User,
+        DimUserPermissions[Permission] = "ViewSalary"
+    ) > 0
+RETURN
+    IF(_HasAccess, [Salary Total], BLANK())
+```
+
+---
+
+## Dynamic Security Patterns
+
+### Role-Based Access
+
+```dax
+// Different data based on user's role
+Sales_RoleBased =
+VAR _User = USERPRINCIPALNAME()
+VAR _Role = LOOKUPVALUE(DimUser[Role], DimUser[Email], _User)
+RETURN
+    SWITCH(
+        _Role,
+        "Admin", [Sales],  // See all
+        "Manager", CALCULATE([Sales], DimRegion[Region] = LOOKUPVALUE(DimUser[Region], DimUser[Email], _User)),
+        "Sales Rep", CALCULATE([Sales], DimSalesRep[Email] = _User),
+        BLANK()  // No access
+    )
+```
+
+### Attribute-Based Access Control (ABAC)
+
+```dax
+// Access based on multiple attributes
+VAR _User = USERPRINCIPALNAME()
+VAR _UserDept = LOOKUPVALUE(DimUser[Department], DimUser[Email], _User)
+VAR _UserLevel = LOOKUPVALUE(DimUser[Level], DimUser[Email], _User)
+VAR _UserRegion = LOOKUPVALUE(DimUser[Region], DimUser[Email], _User)
+RETURN
+    -- Level 5+ sees all
+    _UserLevel >= 5 ||
+    -- Same department and region
+    ([Department] = _UserDept && [Region] = _UserRegion) ||
+    -- Specific cross-department access
+    [Department] IN {"Shared Services", "Corporate"}
+```
+
+---
+
+## Common Security Scenarios
+
+### Sales Rep Sees Own Customers
+
+```dax
+// On DimCustomer table
+VAR _User = USERPRINCIPALNAME()
+VAR _SalesRepKey =
+    LOOKUPVALUE(DimSalesRep[SalesRepKey], DimSalesRep[Email], _User)
+RETURN
+    [AssignedSalesRepKey] = _SalesRepKey ||
+    ISBLANK(_SalesRepKey)  // Allow if user not found (for admins)
+```
+
+### Regional Manager Sees Region + Corporate
+
+```dax
+// On DimRegion table
+VAR _User = USERPRINCIPALNAME()
+VAR _UserRegion =
+    LOOKUPVALUE(DimUser[Region], DimUser[Email], _User)
+RETURN
+    [Region] = _UserRegion ||
+    [Region] = "Corporate" ||
+    ISBLANK(_UserRegion)
+```
+
+### Time-Limited Project Access
+
+```dax
+// On DimProject table
+VAR _User = USERPRINCIPALNAME()
+VAR _Today = TODAY()
+RETURN
+    COUNTROWS(
+        FILTER(
+            DimProjectAccess,
+            DimProjectAccess[ProjectKey] = [ProjectKey] &&
+            DimProjectAccess[UserEmail] = _User &&
+            DimProjectAccess[StartDate] <= _Today &&
+            DimProjectAccess[EndDate] >= _Today
+        )
+    ) > 0
+```
+
+---
+
+## Security Best Practices
+
+### 1. Always Filter on Dimensions
+
+```dax
+// GOOD: RLS on dimension table
+// Fact table inherits filter through relationship
+// On DimRegion:
+[Region] IN {"North", "South"}
+
+// BAD: RLS on fact table (slow)
+// On FactSales:
+RELATED(DimRegion[Region]) IN {"North", "South"}
+```
+
+### 2. Test with Different Users
+
+```dax
+// Create test measure before deploying
+_Test_Security =
+VAR _TestUser = "test.user@company.com"
+RETURN
+    CALCULATE(
+        [Sales],
+        -- Simulate the RLS filter
+        DimRegion[Region] IN CALCULATETABLE(
+            VALUES(DimUserAccess[Region]),
+            DimUserAccess[UserEmail] = _TestUser
+        )
+    )
+```
+
+### 3. Provide Fallback for Admins
+
+```dax
+// Always allow admin role
+VAR _User = USERPRINCIPALNAME()
+VAR _IsAdmin = _User IN {"admin@company.com", "power.bi.admin@company.com"}
+VAR _UserRegions = CALCULATETABLE(...)
+RETURN
+    _IsAdmin || [RegionKey] IN _UserRegions
+```
+
+### 4. Log Security Filters
+
+```dax
+// Measure to audit what users see
+_Security_Audit =
+"User: " & USERPRINCIPALNAME() &
+" | Rows Visible: " & COUNTROWS(ALLSELECTED(FactSales)) &
+" | Timestamp: " & NOW()
+```
+
+---
+
+## Troubleshooting
+
+| Issue | Cause | Fix |
+|-------|-------|-----|
+| All data visible | RLS not applied | Check role membership |
+| No data visible | Filter too restrictive | Verify user in security table |
+| Slow with RLS | Complex RLS expression | Simplify, use pre-computed table |
+| Inconsistent results | Bi-directional filters | Review relationship directions |
+| Error with USERPRINCIPALNAME | Running in Desktop | Use "View as Role" feature |
+
+---
+
+## Setup Checklist
+
+- [ ] Create security mapping table (user → access)
+- [ ] Define RLS role in model
+- [ ] Write filter expression on dimension table(s)
+- [ ] Test with "View as Role" in Desktop
+- [ ] Test with actual users in Service
+- [ ] Verify totals match expected (no data leakage)
+- [ ] Document security requirements
+- [ ] Set up monitoring for access patterns

package/library/snippets/dax/text-and-formatting.md

@@ -0,0 +1,316 @@
+# Text and Formatting Patterns
+
+## Overview
+DAX patterns for text manipulation, concatenation, and dynamic formatting in Power BI measures.
+
+---
+
+## Text Concatenation
+
+### Basic Concatenation
+```dax
+-- Using & operator
+FullName = [FirstName] & " " & [LastName]
+
+-- Using CONCATENATE (only 2 arguments)
+FullName = CONCATENATE([FirstName], CONCATENATE(" ", [LastName]))
+
+-- Using COMBINEVALUES (better for relationships)
+CustomerKey = COMBINEVALUES("-", [Region], [CustomerID])
+```
+
+### Dynamic Titles
+```dax
+ChartTitle =
+VAR _SelectedYear = SELECTEDVALUE('Date'[Year], "All Years")
+VAR _SelectedRegion = SELECTEDVALUE(Region[Name], "All Regions")
+RETURN
+    "Sales for " & _SelectedRegion & " - " & _SelectedYear
+
+-- With metric selection
+DynamicTitle =
+VAR _Metric = SELECTEDVALUE(MetricSelector[Metric], "Sales")
+RETURN
+    _Metric & " by Region"
+```
+
+### Conditional Text
+```dax
+StatusText =
+VAR _Variance = [Actual] - [Budget]
+RETURN
+    IF(_Variance >= 0, "On Target", "Below Target")
+
+-- With emoji/symbols
+TrendIndicator =
+VAR _Change = [MoM Growth %]
+RETURN
+    SWITCH(
+        TRUE(),
+        _Change > 0.05, "▲ Strong",
+        _Change > 0, "▲ Up",
+        _Change = 0, "► Flat",
+        _Change > -0.05, "▼ Down",
+        "▼ Weak"
+    )
+```
+
+---
+
+## Number Formatting
+
+### FORMAT Function
+```dax
+-- Currency
+FormattedSales = FORMAT([Total Sales], "$#,##0.00")
+
+-- Percentage
+FormattedGrowth = FORMAT([Growth Rate], "0.0%")
+
+-- Thousands/Millions
+FormattedShort =
+VAR _Value = [Total Sales]
+RETURN
+    SWITCH(
+        TRUE(),
+        _Value >= 1000000000, FORMAT(_Value / 1000000000, "#,##0.0") & "B",
+        _Value >= 1000000, FORMAT(_Value / 1000000, "#,##0.0") & "M",
+        _Value >= 1000, FORMAT(_Value / 1000, "#,##0.0") & "K",
+        FORMAT(_Value, "#,##0")
+    )
+
+-- Custom decimal places
+FormattedValue = FORMAT([Value], "#,##0.00")
+
+-- Leading zeros
+FormattedID = FORMAT([ID], "00000")  -- 00123
+```
+
+### Date Formatting
+```dax
+-- Full date
+FormattedDate = FORMAT([Date], "MMMM D, YYYY")  -- January 15, 2024
+
+-- Short date
+ShortDate = FORMAT([Date], "MM/DD/YYYY")
+
+-- Month-Year
+MonthYear = FORMAT([Date], "MMM YYYY")  -- Jan 2024
+
+-- Day name
+DayName = FORMAT([Date], "DDDD")  -- Monday
+
+-- ISO format
+ISODate = FORMAT([Date], "YYYY-MM-DD")
+
+-- Quarter
+QuarterText = "Q" & FORMAT([Date], "Q YYYY")  -- Q1 2024
+```
+
+### Conditional Formatting Values
+```dax
+-- For use with conditional formatting
+VarianceColor =
+VAR _Variance = [Actual] - [Budget]
+RETURN
+    IF(_Variance >= 0, 1, -1)
+
+-- Traffic light (1, 2, 3)
+PerformanceLevel =
+VAR _Achievement = DIVIDE([Actual], [Target])
+RETURN
+    SWITCH(
+        TRUE(),
+        _Achievement >= 1, 1,      -- Green
+        _Achievement >= 0.8, 2,    -- Yellow
+        3                          -- Red
+    )
+```
+
+---
+
+## Dynamic Labels
+
+### KPI Card Labels
+```dax
+SalesWithLabel =
+VAR _Sales = [Total Sales]
+VAR _FormattedSales = FORMAT(_Sales, "$#,##0")
+RETURN
+    "Total Sales: " & _FormattedSales
+
+-- With comparison
+SalesComparison =
+VAR _Current = [Total Sales]
+VAR _Previous = [Total Sales PY]
+VAR _Change = _Current - _Previous
+VAR _Pct = DIVIDE(_Change, _Previous)
+RETURN
+    FORMAT(_Current, "$#,##0") &
+    " (" & IF(_Change >= 0, "+", "") & FORMAT(_Pct, "0.0%") & " vs PY)"
+```
+
+### Selection Labels
+```dax
+SelectionSummary =
+VAR _SelectedProducts = COUNTROWS(VALUES(Product[Name]))
+VAR _TotalProducts = COUNTROWS(ALL(Product[Name]))
+RETURN
+    IF(
+        _SelectedProducts = _TotalProducts,
+        "All Products",
+        _SelectedProducts & " of " & _TotalProducts & " Products"
+    )
+```
+
+### Period Labels
+```dax
+PeriodLabel =
+VAR _MinDate = MIN('Date'[Date])
+VAR _MaxDate = MAX('Date'[Date])
+RETURN
+    FORMAT(_MinDate, "MMM D, YYYY") & " - " & FORMAT(_MaxDate, "MMM D, YYYY")
+
+-- Relative period
+RelativePeriod =
+VAR _Days = DATEDIFF(MAX('Date'[Date]), TODAY(), DAY)
+RETURN
+    SWITCH(
+        TRUE(),
+        _Days = 0, "Today",
+        _Days = 1, "Yesterday",
+        _Days <= 7, _Days & " days ago",
+        _Days <= 30, ROUNDUP(_Days / 7, 0) & " weeks ago",
+        FORMAT(MAX('Date'[Date]), "MMM D, YYYY")
+    )
+```
+
+---
+
+## Text Extraction and Manipulation
+
+### SEARCH and MID
+```dax
+-- Extract domain from email
+EmailDomain =
+VAR _Email = [Email]
+VAR _AtPos = SEARCH("@", _Email, 1, 0)
+RETURN
+    IF(_AtPos > 0, MID(_Email, _AtPos + 1, 100), BLANK())
+
+-- Extract first word
+FirstWord =
+VAR _Text = [FullName]
+VAR _SpacePos = SEARCH(" ", _Text, 1, LEN(_Text) + 1)
+RETURN
+    LEFT(_Text, _SpacePos - 1)
+```
+
+### Text Cleaning
+```dax
+-- Remove extra spaces (calculated column)
+CleanedName = TRIM([Name])
+
+-- Proper case (calculated column)
+ProperName =
+VAR _Text = LOWER([Name])
+RETURN
+    UPPER(LEFT(_Text, 1)) & MID(_Text, 2, LEN(_Text))
+
+-- Replace characters (calculated column)
+CleanPhone = SUBSTITUTE(SUBSTITUTE([Phone], "-", ""), " ", "")
+```
+
+### UNICHAR for Symbols
+```dax
+-- Common symbols
+CheckMark = UNICHAR(10004)        -- ✔
+CrossMark = UNICHAR(10006)        -- ✖
+UpArrow = UNICHAR(9650)           -- ▲
+DownArrow = UNICHAR(9660)         -- ▼
+RightArrow = UNICHAR(9658)        -- ►
+Star = UNICHAR(9733)              -- ★
+Circle = UNICHAR(9679)            -- ●
+
+-- Usage in measure
+StatusIcon =
+VAR _Status = [Status]
+RETURN
+    SWITCH(
+        _Status,
+        "Complete", UNICHAR(10004),
+        "In Progress", UNICHAR(9679),
+        "Not Started", UNICHAR(10006),
+        ""
+    )
+```
+
+---
+
+## Ranking and Position Text
+
+### Ordinal Numbers
+```dax
+OrdinalRank =
+VAR _Rank = [Rank]
+VAR _Suffix =
+    SWITCH(
+        TRUE(),
+        MOD(_Rank, 100) IN {11, 12, 13}, "th",
+        MOD(_Rank, 10) = 1, "st",
+        MOD(_Rank, 10) = 2, "nd",
+        MOD(_Rank, 10) = 3, "rd",
+        "th"
+    )
+RETURN
+    _Rank & _Suffix
+
+-- Result: 1st, 2nd, 3rd, 4th, 11th, 12th, 21st, etc.
+```
+
+### Ranking Label
+```dax
+RankLabel =
+VAR _Rank = [ProductRank]
+VAR _Total = COUNTROWS(ALL(Product))
+RETURN
+    "#" & _Rank & " of " & _Total
+```
+
+---
+
+## Multi-line Text
+
+### Line Breaks
+```dax
+-- Using UNICHAR(10) for line break
+MultiLineKPI =
+VAR _Sales = FORMAT([Total Sales], "$#,##0")
+VAR _Units = FORMAT([Total Units], "#,##0")
+VAR _Avg = FORMAT([Avg Order Value], "$#,##0.00")
+RETURN
+    "Sales: " & _Sales & UNICHAR(10) &
+    "Units: " & _Units & UNICHAR(10) &
+    "AOV: " & _Avg
+
+-- Address formatting
+FullAddress =
+[Street] & UNICHAR(10) &
+[City] & ", " & [State] & " " & [PostalCode]
+```
+
+---
+
+## Performance Note
+
+- FORMAT() returns text - can't be used in further calculations
+- Use separate measures: one for value (number), one for display (text)
+- Text measures increase model size - use sparingly
+- Consider using Power BI's built-in formatting where possible
+
+---
+
+## Related Resources
+
+- [KPIs and Metrics](./kpis-and-metrics.md)
+- [DAX Skill](../../skills/dax/SKILL.md)