It is often necessary to make per-person access distinctions.
You can make a separate filter for each user (such as
where
name="joe"
). However, if you have more than
a few users, this approach quickly becomes cumbersome. The more efficient
alternative is to create a dynamic filter (such as
where
name="&name;"
) that can discover and insert
the correct, user-specific value into the WHERE expression each time
access is requested.
To create a
dynamic filter, use an identity–driven property as the value
against which values in the target data are compared. This list explains
how the substitution works:
-
Each identity-driven property corresponds
to a characteristic (such as name, user ID, or external identity).
-
Each user's values for
these characteristics (such as
joe
,
WinXP\joe
,
or
607189
) are stored in the metadata.
-
The identity-driven
property is aware of the user ID with which a client authenticated
and can locate information that is stored in the metadata for that
user ID.
-
Each time it receives
a request, the identity-driven property substitutes a user-specific
value into the filter expression.
These are the most useful
identity-driven properties:
SAS.Userid
returns an authenticated
user ID, normalized to the uppercase format USERID or USERID@DOMAIN.
SAS.ExternalIdentity
returns
a site-specific value (for example, employee ID). This property is
often useful because its values are likely to match user information
in your data. An identity can have more than one external identity
value. However, only the first value is returned. Unlike the values
for other identity-driven properties, values for this property are
not always populated in the metadata. An external identity value functions
as a synchronization key in the user bulk load and synchronization
macros.
For
more information, see External Identities in SAS Intelligence Platform: Security Administration Guide.
SAS.IdentityGroups
returns
a list of the groups and roles that this identity belongs to (directly,
indirectly, or implicitly). The list contains the group and role names,
as displayed in the Name field on the General tab
for each group or role.
SAS.PersonName
returns
a user name, as displayed in the Name field
on the user's General tab.
These identity-driven
properties are also supported:
SAS.IdentityGroupName
returns a group name, as displayed in
the Name field on the group's General tab.
If a user logs on with an ID that is stored in a login on a group
definition, then the name of the group that owns that login is returned.
If a user logs on with a user ID that is not stored in the metadata,
then the PUBLIC group is returned.
This property is useful
only in the unusual circumstance where a user logs on with the user
ID that is defined for a group login. In almost all cases, a user
logs on with a user ID that is defined for an individual user definition.
Not all applications allow a group to log on. This property is not
supported if client-side pooling is used.
SAS.IdentityName
returns a user name or group name,
as displayed in the Name field on the General tab
for the user or group. This property is a generalization of SAS.PersonName
and SAS.IdentityGroupName.
Note: In certain circumstances,
a connecting identity might not have a value for the identity-driven
property that you are using. This can happen with the ExternalIdentity
property (sometimes), the IdentityGroupName property (almost always),
or the PersonName property (rarely). When a connecting user doesn't
have a value for the property that a query uses, an empty string is
returned.