The following figure depicts
how BI row-level permissions are incorporated when a report is generated.
In the figure, a user requests access to a report that includes data
for which row-level permissions have been defined dynamically. For
each step of the report-generation process, the figure depicts the
access control activities in the metadata layer.
The overall flow is
the same as for any other report: the report definition and underlying
information map are processed, a query is generated to retrieve the
data, and the report is displayed. These are the row-level aspects
of the process:
-
The information map includes a
filter that is assigned to a particular metadata identity. This example
uses an identity-driven property in a filter that is based on each
group member's employee ID. The filter is assigned to a group to
which Joe belongs. At run time, SAS Intelligent Query Services uses
information from the metadata repository to substitute Joe's employee
ID into the filter. The resolved, user-specific form of the filter
is incorporated into the generated query. The filter is used to screen
the target table before the rest of the generated query runs.
-
The target data includes information
that corresponds to the filter. In this example, the corresponding
information consists of user-specific employee ID values in the EmpID
column within the Orders table. The data server uses these values
to filter the data as specified in the query that was generated by
SAS Intelligent Query Services.