Filtering Techniques :: SAS(R) 9.4 Guide to BI Row-Level Permissions

Pre-Screening Methods

You define BI row-level permissions in filters that you assign to tables within an information map. To ensure that target data is pre-screened by a filter before any other criteria are applied, incorporate that filter into an information map as a prefilter. Use either of the following methods:

To use a filter as a general prefilter, attach it to an information map as part of the information map's properties. The filter applies to everyone. The filter functions as an additional restriction and operates independently of any access controls that might grant broader access.
To use a filter as an authorization-based prefilter, assign it to users or groups as part of an information map's access controls. The filter is evaluated as a permission condition. When permission conditions are used, there are three possible authorization decision outcomes for a request to view data:

Grant

The requesting user can access all rows.

Deny

The requesting user cannot access any rows (and will get an error message).

Conditional Grant

The requesting user can access only those rows that meet specified SQL filtering conditions.

Filter Types

BI row-level permissions can use the following types of filtering:

static filtering

compares values in the target data to a specified value. This enables you to implement a specific, fixed rule such as "Joe can see his salary information."

dynamic filtering

compares values in the target data to a value that is dynamically derived based on the identity of each requesting user. This enables you to implement a rule such as "Each user can see his or her own salary information." See Identity-Driven Properties.

Summary of Filtering Techniques

Summary of BI Row-Level Filtering Techniques
Filter Type	Pre-screening Method
Filter Type	General Prefilter	Authorization-Based Prefilter
Dynamic (identity-driven)	Per-person access distinctions for everyone. One filter, attached directly to an information map. Example: "everyone can see his or her own salary".	Per-person access distinctions for every member of a particular group. One filter, assigned to a group in an access control for the information map. Example: "everyone in GroupA can see his or her own salary".
Static (fixed value)	One fixed subset for everyone. One filter, attached directly to an information map. Example: "everyone can see global totals".	A few distinct subsets, each for a particular group. Several filters, each assigned to a group in an access control for the information map. Example: "everyone in GroupA can see totals for the West region; everyone in GroupB can see totals for the East region".

Note: A static general prefilter is not a true row-level technique because it does not yield different results for different users.