|BI Row-Level Permissions|
If a connecting user doesn't have a value for the identity-driven property that a query uses, the generated query uses an empty string as the substituted value for that identity. If the table against which the query filtering is performed includes empty string values in any rows, those rows are returned to the connecting identity.
Here are some alternatives for addressing missing values:
To ensure that data is returned for only those identities who have a value for the property that you are using, make sure that there aren't any empty string values in the target table's security key column.
To identify a set of rows that should be returned for identities who don't have a value for the property that you are using, specify an empty string value for those rows in the target table's security key column.
Note: If the target table is in a DBMS, the extra row must contain an empty (blank) character string (not a NULL value).
To identify a situation in which retrieval is empty due to a missing value for the requesting user's identity-driven property, include a mapping for the empty string value (' ') in your security associations table and one extra row in your target table. In that row, use the security key that corresponds to the empty string value and include an appropriate error message. This enables the end user to distinguish between the following situations:
an empty result set that is caused by the target table not including any rows that match the user's value for an identity-driven property
an empty result set that is caused by the user not having any value for the identity-driven property that a query is using
Note: If the security associations table is in a DBMS, make sure that the missing value row in that table contains an empty (blank) character string, not a NULL value.
The following figure depicts an example:
Example: Error Handling for a Missing External Identity Value