The following figure depicts
how BI row-level permissions are incorporated when a report is generated.
In the figure, a user requests access to a report that includes data
for which row-level permissions have been defined dynamically. For
each step of the report-generation process, the figure depicts the
access control activities in the metadata layer.
The overall flow is
the same as for any other report: the report definition and underlying
information map are processed, a query is generated to retrieve the
data, and the report is displayed. These are the row-level aspects
of the process:
-
The information map
includes a filter that is assigned to a particular metadata identity.
This example uses an identity-driven property in a filter that is
based on each group member's employee ID. The filter is assigned
to a group to which Joe belongs. At run time, SAS Intelligent Query
Services uses information from the metadata repository to substitute
Joe's employee ID into the filter. The resolved, user-specific form
of the filter is incorporated into the generated query. The filter
is used to screen the target table before the rest of the generated
query runs.
-
The target data includes information
that corresponds to the filter. In this example, the corresponding
information consists of user-specific employee ID values in the EmpID
column within the Orders table. The data server uses these values
to filter the data as specified in the query that was generated by
SAS Intelligent Query Services.