Implementation and Testing

To implement the filtering for this example:
  1. Create an information map that includes the necessary data and relationships.
    1. In SAS Information Map Studio, open a new information map.
    2. Insert the target table and the security associations table as data sources. In this example, the target table (ORGANIZATION_DIM) contains salary data, and the security associations table (SECURITY_ASSOC) contains a representation of the company's reporting relationships.
    3. On the Design tab, add the data items that you need from the ORGANIZATION_DIM table (insert the SALARY, EMPLOYEE_ID, and EMPLOYEE_NAME columns).
      Note: It is a good practice to not create any data items from the SECURITY_ASSOC table.
    4. On the Relationships tab, join the two tables on EMPLOYEE_ID.
    5. Save the new information map to an appropriate folder.
    6. To make SECURITY_ASSOC a required table, select Editthen selectPropertiesthen selectInformation Map. In the Information Map Properties dialog box, select the Required Tables tab. In the Available tables list, select the SECURITY_ASSOC table. Use the arrow button to move the table to the Required tables list, and then click OK.
  2. Create a filter that subsets data by comparing each user's SAS.PersonName value to the PARENT_EMPLOYEE_NAME values in the security associations table.
    1. Select Insertthen selectNew Filter to open the New Filter dialog box.
    2. Enter a name such as byPersonName for the filter, and then click Edit Data Item.
    3. In the Edit Expression dialog box, select Character from the Type drop-down list. On the Data Sources tab, navigate to Physical Datathen selectSECURITY_ASSOCthen selectPARENT_EMPLOYEE_NAME, and then click Add to Expression.
    4. Click Validate Expression, and then click OK twice.
    5. In the New Filter dialog box, from the Enter value(s) drop-down list, select Derive identity values (for row-level permissions). A table of identity-driven properties becomes available.
      Note: Make sure that the value in the Condition drop-down list is Is equal to.
    6. In the table of properties, select the SAS.PersonName row.
    7. Click OK. The byPersonName filter is now available for use in the information map.
  3. Assign the filter as a general prefilter:
    1. Select Editthen selectPropertiesthen selectInformation Map.
    2. In the Information Map Properties dialog box, select the General Prefilters tab.
    3. In the Selected filters box, select the SECURITY_ASSOCIATIONS table.
    4. In the Available filters box, select the byPersonName filter.
    5. Click the right arrow button to assign the byPersonName filter to the SECURITY_ASSOC table, and then click OK.
  4. Save the information map.
Administrators can test by logging on to SAS Information Map Studio and running test queries. To verify that the filter is working as expected, log on using different accounts. For example:
  • For a user who is not included in the security associations table, no salaries should be retrieved.
  • For the president of the company, all salaries should be retrieved. Note that by default only 100 rows of data are returned when you test an information map.
  • For a mid-level manager, a subset of salaries should be retrieved.
To run a test query from within SAS Information Map Studio:
  1. Select Toolsthen selectRun a Test Query from the main menu.
  2. In the Test the Information Map dialog box, use the arrow button to add the Salary and Employee Name items to the Selected items box.
  3. Click Run Test and then examine the data in the Results dialog box.
  4. To test using another account, close the information map, and then select Filethen selectConnection Profile from the main menu.
Note: In the secure configuration, final verification must be performed from within SAS Web Report Studio.
Copyright © SAS Institute Inc. All rights reserved.