BI Row-Level Permissions

About BI Row-Level Permissions

BI row-level permissions limit access to SAS data and third-party relational data when it is accessed through an information map. The initials BI indicate that this is a business intelligence feature. BI row-level permissions are defined in information maps, mediated and enforced by SAS Intelligent Query Services, and surfaced when reports are viewed in applications such as SAS Web Report Studio.

CAUTION:: BI row-level permissions are defined within information maps, so these constraints do not provide comprehensive security for the underlying data sources. A user who accesses the data directly is not subject to the filters that are defined within information maps.
BI row-level permissions provide filtering whenever a SAS data set or third-party relational data is accessed through an information map. However, comprehensive security that incorporates this filtering requires a high-security configuration of SAS Web Report Studio. See Preliminary Tasks.

The following figure depicts how BI row-level permissions are incorporated when a report is generated. In the figure, a user requests access to a report that includes data for which row-level permissions have been defined dynamically. See Identity-Driven Properties. For each step of the report-generation process, the figure depicts the access control activities in the metadata layer.

Report-Generation Process

[Report-Generation Process]

The overall flow is the same as for any other report: the report definition and underlying information map are processed, a query is generated to retrieve the data, and the report is displayed. These are the row-level security aspects of the process:

The information map includes a filter that is assigned to a particular metadata identity. This example uses an identity-driven property in a filter that is based on each group member's employee ID. The filter is assigned to a group to which Joe belongs. At run time, SAS Intelligent Query Services uses information from the metadata repository to substitute Joe's employee ID into the filter. The resolved, user-specific form of the filter is incorporated into the generated query. The filter is used to screen the target table before the rest of the generated query runs.
The target data includes information that corresponds to the filter. In this example, the corresponding information consists of user-specific employee ID values in the EmpID column within the Orders table. The data server uses these values to filter the data as specified in the query that was generated by SAS Intelligent Query Services.

	Fine-Grained Controls for Data
	Filtering Techniques for BI Row-Level Permissions
	How to Implement BI Row-Level Permissions