SAS Institute. The Power to Know

SAS(R) 9.2 Intelligence Platform: Security Administration Guide

PDF | Purchase
Previous Page | Next Page

BI Row-Level Permissions

BI Row-Level Permissions, Identity-Driven Properties, and Missing Values

If a connecting user doesn't have a value for the identity-driven property that a query uses, the generated query uses an empty string as the substituted value for that identity. If the table against which the query filtering is performed includes empty string values in any rows, those rows are returned to the connecting identity.

CAUTION:
Returning data in a missing value situation is a new behavior in this release. In previous releases, a missing value generated an error and prevented any rows from being returned.   [cautionend]

Here are some alternatives for addressing missing values:

  • To ensure that data is returned for only those identities who have a value for the property that you are using, make sure that there aren't any empty string values in the target table's security key column.

  • To identify a set of rows that should be returned for identities who don't have a value for the property that you are using, specify an empty string value for those rows in the target table's security key column.

    Note:   If the target table is in a DBMS, the extra row must contain an empty (blank) character string (not a NULL value).  [cautionend]

  • To identify a situation in which retrieval is empty due to a missing value for the requesting user's identity-driven property, include a mapping for the empty string value (' ') in your security associations table and one extra row in your target table. In that row, use the security key that corresponds to the empty string value and include an appropriate error message. This enables the end user to distinguish between the following situations:

    • an empty result set that is caused by the target table not including any rows that match the user's value for an identity-driven property

    • an empty result set that is caused by the user not having any value for the identity-driven property that a query is using

    Note:   If the security associations table is in a DBMS, make sure that the missing value row in that table contains an empty (blank) character string, not a NULL value.  [cautionend]

    The following figure depicts an example:

    Example: Error Handling for a Missing External Identity Value

    [Example: Error Handling for a Missing External Identity Value]

Previous Page | Next Page | Top of Page

Copyright © 2009 by SAS Institute Inc., Cary, NC, USA. All rights reserved.