This example demonstrates how a company could use row-level permissions to manage access to employee data. The example includes these assumptions:

- The target tables are registered in the metadata repository.
- Except where otherwise noted, users have Read permission for the information maps that they are using.
- The data model is a star schema that contains employee and customer data. The security associations table includes both direct and indirect reporting relationships.

In this example, the business requirement is to enable managers to see salary information for their employees. One way to meet this requirement is to use the SAS.PersonName property. The following figure depicts this process for a requesting user who is a high-level manager in the organization.

Each requesting user's PersonName is used to filter the security associations table. This yields a subset that includes only those rows with employees who report (directly or indirectly) to the requesting user. That subset is inner joined to the target table to limit retrieval of salary information.
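
The filter-then-join logic described above, sketched as an added example in Python with SQLite; it is not SAS code or part of the original documentation. The table names, column names, and sample rows are constructed assumptions, and `person_name` stands in for the value that SAS.PersonName would supply for the requesting user.

```python
import sqlite3

def build_demo_db():
    """Constructed sample data; all table and column names are assumptions."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE salary (employee_id INTEGER PRIMARY KEY, name TEXT, salary INTEGER);
        -- One row per (manager, subordinate) pair, direct or indirect.
        CREATE TABLE security_assoc (manager_name TEXT, employee_id INTEGER);
    """)
    conn.executemany("INSERT INTO salary VALUES (?, ?, ?)", [
        (1, "Ann", 200), (2, "Bob", 150), (3, "Cy", 90),
        (4, "Di", 95), (5, "Eve", 140), (6, "Flo", 80)])
    # Ann manages Bob and Eve; Bob manages Cy and Di; Eve manages Flo.
    conn.executemany("INSERT INTO security_assoc VALUES (?, ?)", [
        ("Ann", 2), ("Ann", 3), ("Ann", 4), ("Ann", 5), ("Ann", 6),
        ("Bob", 3), ("Bob", 4), ("Eve", 6)])
    return conn

def visible_salaries(conn, person_name):
    """Return the salary rows the requesting user may see.

    person_name must come from the authenticated identity, never from
    request input, and is bound as a parameter rather than concatenated.
    """
    rows = conn.execute("""
        SELECT s.name, s.salary
        FROM salary AS s
        INNER JOIN security_assoc AS a ON a.employee_id = s.employee_id
        WHERE a.manager_name = ?      -- filter the associations table first
        ORDER BY s.employee_id
    """, (person_name,))
    return rows.fetchall()

if __name__ == "__main__":
    conn = build_demo_db()
    for who in ("Ann", "Bob", "Cy"):
        print(who, visible_salaries(conn, who))
```

Because the join is an inner join, a user with no rows in the associations table (Cy here) retrieves nothing, so the default for an unlisted identity is no access.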