General Prefilter with SAS.IdentityGroups

Introduction
Map the Users to the Data
Create and Assign the Filter
Test the Filter

Introduction

This example subsets data in the SASHELP.PRDSALE table based on each requesting user’s metadata group memberships. The goal is to let each sales person see only rows for his or her region, and to let the sales manager see rows for two regions. The example assumes that the following tasks are already completed:
  • In SAS Information Map Studio, the PRDSALE table has been used to create an information map named Sales Map.
  • The following users and memberships exist in the SAS metadata.
    User
    Job
    Group Memberships
    UserA
    Sales person, East region
    EAST
    UserB
    Sales person, West region
    WEST
    UserC
    Sales manager, East and West regions
    EAST, WEST

Map the Users to the Data

In this example, the filtering is based on each user’s metadata group memberships. The example uses the SAS.IdentityGroups property, which exploits the metadata server’s knowledge of user-group relationships (so it is not necessary to model those relationships in an external table). Further, the names of the involved metadata groups (EAST and WEST) exactly match values in an existing column in the PRDSALE table (the REGION column), so no external table is needed create that mapping. For these reasons, this example does not use a separate security associations table.

Create and Assign the Filter

  1. In SAS Information Map Studio, open the information map and select Insertthen selectNew Filter.
  2. In the New Filter dialog box:
    1. Name the filter Region Memberships Filter.
    2. From the Data Items drop-down list, select Region.
    3. From the Condition drop-down list, select Is equal to.
    4. From the Enter values drop-down list, select Derive identity values.
    5. In the table of properties, select SAS.IdentityGroups.
    6. Click OK.
    Note: The value of your data item must exactly match the name of the metadata group.
    Note: The examples column shows values for the user that is currently logged on.
  3. From the main menu, select Editthen selectPropertiesthen selectInformation Map.
  4. On the General Prefilters tab, assign the new filter to the PRDSALES table.
    Note: A prefilter is a mandatory filter that pre-screens and subsets the data in its associated table before any other part of a query is run.

Test the Filter

  1. Log on to SAS Information Map Studio as UserA.
  2. Open the information map. Select Toolsthen selectRun a Test Query.
  3. Move all of the data items to the Selected items list. You do not have to select the filter because you made it required.
  4. Click Run Test. You will see only the EAST rows, because you are logged on as UserA.
  5. Log on as UserB and then as UserC, to see whether the results are as expected.
  6. (Optional) To test the filter in SAS Web Report Studio, log on and open the information map as a report.
Note: If you log on as someone who is not a member of any of the region groups, you will get no results, because none of your group memberships will match a value in the REGION column of the PRDSALE table. The general prefilter affects access for everyone (even unrestricted users), if the data is accessed through the information map. However, if anyone opens the PRDSALE table directly, without going through the information map, the filter is not applied so all rows are returned.
Copyright © SAS Institute Inc. All rights reserved.