It is often necessary to make per-person access distinctions. You can make a separate filter for each user (such as where name="joe"). However, if you have more than a few users, this approach quickly becomes cumbersome. The more efficient alternative is to create a dynamic filter (such as where name="&name;") that can discover and insert the correct, user-specific value into the WHERE expression each time access is requested.
To create a dynamic filter, use an identity-driven property as the value against which values in the target data are compared. This list explains how the substitution works:
- Each identity-driven property corresponds to a characteristic (such as name, user ID, or external identity).
- Each user's values for these characteristics (such as joe, WinXP\joe, or 607189) are stored in the metadata.
- The identity-driven property is aware of the user ID with which a client authenticated and can locate information that is stored in the metadata for that user ID.
- Each time it receives a request, the identity-driven property substitutes a user-specific value into the filter expression.
These are the most useful identity-driven properties:
returns an authenticated
user ID, normalized to the uppercase format USERID or USERID@DOMAIN.
returns a site-specific value (for example, employee ID). This property
is often useful because its values are likely to match user information
in your data. An identity can have more than one external identity
value. However, only the first value is returned. Unlike the values
for other identity-driven properties, values for this property are
not always populated in the metadata. An external identity value functions
as a synchronization key in the user bulk load and synchronization
macros. For more information, see the
SAS Intelligence Platform: Security Administration Guide.
returns a list of the groups and roles that this identity belongs
to (directly, indirectly, or implicitly). The list contains the group
and role names, as displayed in the Name field
on the General tab for each group or role.
returns a user name, as displayed in the Name field on the user's General tab.
These identity-driven properties are also supported:
returns a group name, as displayed in
the Name field on the group's General tab. If a user logs on with an ID that is stored
in a login on a group definition, then the name of the group that
owns that login is returned. If a user logs on with a user ID that
is not stored in the metadata, then the PUBLIC group is returned.
This property is useful
only in the unusual circumstance where a user logs on with the user
ID that is defined for a group login. In almost all cases, a user
logs on with a user ID that is defined for an individual user definition.
Not all applications allow a group to log on. This property is not
supported if client-side pooling is used.
returns a user name or group name,
as displayed in the Name field on the General tab for the user or group. This property is
a generalization of SAS.PersonName and SAS.IdentityGroupName.
Note: In certain circumstances,
a connecting identity might not have a value for the identity-driven
property that you are using. This can happen with the ExternalIdentity
property (sometimes), the IdentityGroupName property (almost always),
or the PersonName property (rarely). When a connecting user doesn't
have a value for the property that a query uses, an empty string is
returned.
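The substitution steps listed earlier and the empty-string case in the note, modeled as an added example (this is not SAS code and not part of the original documentation). It uses Python with SQLite; the property labels, users, and rows are constructed, and reject_empty is a hypothetical guard.

```python
import sqlite3

# Constructed metadata: normalized (uppercase) user ID -> stored property values.
# The property labels are illustrative, not the product's identifiers.
METADATA = {
    "JOE": {"name": "joe", "external_identity": "607189"},
    "ANN@WINXP": {"name": "ann"},  # no external identity populated
}

# Constructed target data (name, emp_id, amount); one row has blank keys.
ROWS = [("joe", "607189", 100), ("ann", "", 200), ("", "", 999)]


def resolve(user_id, prop):
    """Look up the authenticated user's value; return "" when none is stored."""
    identity = METADATA.get(user_id.upper(), {})
    return identity.get(prop, "")


def visible_rows(user_id, column, prop, reject_empty=False):
    """Model the dynamic filter WHERE <column> = <value resolved per request>."""
    if column not in ("name", "emp_id"):  # column comes from the filter author
        raise ValueError(f"unexpected column: {column}")
    value = resolve(user_id, prop)
    if reject_empty and value == "":
        return []  # hypothetical guard: fail closed when no value is stored
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE t (name TEXT, emp_id TEXT, amount INT)")
    db.executemany("INSERT INTO t VALUES (?, ?, ?)", ROWS)
    # The resolved value is bound as a parameter, so it cannot change the
    # structure of the WHERE expression.
    cur = db.execute(
        f"SELECT amount FROM t WHERE {column} = ? ORDER BY amount", (value,)
    )
    rows = [r[0] for r in cur.fetchall()]
    db.close()
    return rows
```

In this model, an identity with no stored value resolves to an empty string and therefore matches any row whose key column is blank, which is worth checking for in the target data before relying on a property that is not always populated.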