In Strategy SQL Generation Engine, security filters prevent users from seeing certain data in the database. If two users with different security filters run the same report, they may get different results.
Within a project, a security filter may be specified for any user. Whenever users submit an element browse request or a report execution request, the security filter is applied.
A security filter contains the following parts:
Basic Example:
The examples used in this document have been created in the Strategy Tutorial installed with Strategy SQL Generation Engine.
A new user called Miami Manager is created with a security filter on CallCenter = Miami.
Running a report Call Center versus Revenue would return only Miami data if the Miami Manager is logged in:
The security filter is always applied although it is not defined in the report:
select a11.[CALL_CTR_ID] AS CALL_CTR_ID,
max(a12.[CENTER_NAME]) AS CENTER_NAME,
sum(a11.[TOT_DOLLAR_SALES]) as WJXBFS1
from [CITY_CTR_SLS] a11,
[LU_CALL_CTR] a12
where a11.[CALL_CTR_ID] = a12.[CALL_CTR_ID]
and a11.[CALL_CTR_ID] in (7)
group by a11.[CALL_CTR_ID]
Leverage Dimensionality in metrics for Security Filter users:
The security filter will apply on any level of data. Subsequently, a report Region vs. Revenue would return the same Metric values as mentioned above:
This time, the Strategy SQL Generation Engine groups by Region. But, as the security filter is applied, the results are the same as for Calling Center which is, in fact, the child attribute of Region:
select a12.[REGION_ID] AS REGION_ID,
max(a13.[REGION_NAME]) AS REGION_NAME,
sum(a11.[TOT_DOLLAR_SALES]) as WJXBFS1
from [CITY_CTR_SLS] a11,
[LU_CALL_CTR] a12,
[LU_REGION] a13
where a11.[CALL_CTR_ID] = a12.[CALL_CTR_ID] and
a12.[REGION_ID] = a13.[REGION_ID]
and a11.[CALL_CTR_ID] in (7)
group by a12.[REGION_ID]
To make sure that the security filter attribute is also leveraged at a higher level, filtering absolute in the metric dimensionality has to be defined. Filtering absolute raises the level of the filter to the target attribute defined in the metric dimensionality. In this case, the target attribute will be resolved at report level:
This report returns the proper results for Region Southeast because the security filter has been raised to region level as shown in the SQL below:
select a12.[REGION_ID] AS REGION_ID,
max(a13.[REGION_NAME]) AS REGION_NAME,
sum(a11.[TOT_DOLLAR_SALES]) as WJXBFS1
from [CITY_CTR_SLS] a11,
[LU_CALL_CTR] a12,
[LU_REGION] a13
where a11.[CALL_CTR_ID] = a12.[CALL_CTR_ID] and
a12.[REGION_ID] = a13.[REGION_ID]
and ((a12.[REGION_ID])
in (select s21.[REGION_ID]
from [LU_CALL_CTR] s21
where s21.[CALL_CTR_ID] in (7)))
group by a12.[REGION_ID]
To get data for a lower level attribute such as Employee, standard filtering can be used as the attribute level of the filter does not need to be raised because the data is aggregated on a lower level:
select a11.[EMP_ID] AS EMP_ID,
max(a12.[EMP_LAST_NAME]) AS EMP_LAST_NAME,
max(a12.[EMP_FIRST_NAME]) AS EMP_FIRST_NAME,
sum(a11.[TOT_DOLLAR_SALES]) as WJXBFS1
from [ITEM_EMP_SLS] a11,
[LU_EMPLOYEE] a12
where a11.[EMP_ID] = a12.[EMP_ID]
and a12.[CALL_CTR_ID] in (7)
group by a11.[EMP_ID]
How to avoid a user having changed the dimensionality of a report:
Using the previous example, it is indeed possible for users to raise and lower the dimensionality of their security filter. There may be some business cases where this should be avoided. This is possible in Strategy SQL Generation Engine.
Limits of Security Filter:
Having the enhanced security benefit causes also some limitations in how to use security filter:
