It is often necessary to make per-person access distinctions for the
rows in a table or the members in a dimension. You can make a separate
filter for each user (such as where name="joe"). However, if you have
more than a few users, this approach quickly becomes cumbersome. The
more efficient alternative is to create a dynamic filter (such as
where name="&name;") that can discover and insert the correct,
user-specific value into the WHERE expression each time access is
requested.

To create a dynamic filter, use an identity-driven property as the
value against which values in the target data are compared. This list
explains how the substitution works:
- Each identity-driven property corresponds to a characteristic (such
  as name, user ID, or external identity).
- Each user's values for these characteristics (such as joe,
  WinXP\joe, or 607189) are stored in the metadata.
- The identity-driven property is aware of the user ID with which a
  client authenticated and can locate information that is stored in
  the metadata for that user ID.
- Each time it receives a request, the identity-driven property
  substitutes a user-specific value into the filter expression.

Note: This discussion is not applicable to the SPD Server, which has
its own implementation of identity-based filtering.

These are the most useful identity-driven properties:

returns an authenticated user ID, normalized to the uppercase format
USERID or USERID@DOMAIN.

returns a site-specific value (for example, employee ID). This
property is often useful because its values are likely to match user
information in your data. An identity can have more than one external
identity value. However, only the first value is returned. Unlike the
values for other identity-driven properties, values for this property
are not always populated in the metadata. See External Identities.

returns a list of the groups and roles that this identity belongs to
(directly, indirectly, or implicitly). The list contains the group and
role names, as displayed in the Name field on the General tab for each
group or role.

returns a user name, as displayed in the Name field in the user's
general properties.

These identity-driven properties are also supported:

returns a group name, as displayed in the Name field in the group's
general properties. If a user logs on with an ID that is stored in
a login on a group definition, then the name of the group that owns
that login is returned. If a user logs on with a user ID that is not
stored in the metadata, then the PUBLIC group is returned.

This property is useful only in the unusual circumstance where a user
logs on with the user ID that is defined for a group login. In almost
all cases, a user logs on with a user ID that is defined for an
individual user definition. Not all applications allow a group to log
on. This property is not supported if client-side pooling is used.

returns a user name or group name, as displayed in the Name field
in the general properties for the user or group. This property is
a generalization of SAS.PersonName and SAS.IdentityGroupName.

Note: In certain circumstances,
a connecting identity might not have a value for the identity-driven
property that you are using. This can happen with the ExternalIdentity
property (sometimes), the IdentityGroupName property (almost always),
or the PersonName property (rarely). When a connecting user doesn't
have a value for the property that a query uses, an empty string is
returned or the query fails.
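
The substitution steps and the missing-value note above, as an added example: this is a Python simulation, not SAS code and not part of the original page. The METADATA dictionary, the external_id property name, the salary table and all values are constructed for illustration, and the example chooses to return no rows when a value is missing rather than compare against an empty string.

```python
import re
import sqlite3

# Constructed stand-in for the metadata: values stored per normalized user ID.
METADATA = {
    "JOE@WINXP": {"name": "joe", "external_id": "607189"},
    "ANN": {"name": "ann", "external_id": ""},  # external identity not populated
}
PLACEHOLDER = re.compile(r'"&(\w+);"')  # matches "&name;" as written in the filter


class MissingIdentityValue(Exception):
    """The connecting identity has no value for a property the filter uses."""


def resolve_filter(template, user_id):
    """Return (clause, params): each "&prop;" becomes a bound parameter."""
    identity = METADATA.get(user_id.upper())  # user IDs are compared in uppercase
    if identity is None:
        raise MissingIdentityValue(user_id)
    params = []

    def bind(match):
        value = identity.get(match.group(1), "")
        if not value:  # fail closed instead of comparing against ""
            raise MissingIdentityValue(match.group(1))
        params.append(value)
        return "?"

    return PLACEHOLDER.sub(bind, template), params


def sample_db():
    """Constructed target table; two rows carry a blank emp_id."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE salary (name TEXT, emp_id TEXT, amount INT)")
    conn.executemany("INSERT INTO salary VALUES (?, ?, ?)", [
        ("joe", "607189", 50000), ("ann", "", 61000), ("temp", "", 72000)])
    return conn


def rows_for(conn, table_filter, user_id):
    """Rows the user may see; no rows when the identity value is missing."""
    try:
        clause, params = resolve_filter(table_filter, user_id)
    except MissingIdentityValue:
        return []
    # table_filter is the administrator-defined template, never client input.
    query = f"SELECT name, amount FROM salary {clause} ORDER BY name"
    return conn.execute(query, params).fetchall()
```

With the filter where emp_id="&external_id;", substituting an empty string for ann would match both rows that have a blank emp_id, which is why the example treats a missing value as a denial.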