Security filter file definition
The security filter file includes required and optional parameters that define access for users and groups.
- "SecurityFilterArray"
- The required name of the array.
- "ModelID":"model_ID"
- A required parameter that specifies the fully qualified ID of the monitor model. The value can be up to 128 characters.
- "MCID":"monitor_context_ID"
- A required parameter that specifies the monitor context ID. The value can be up to 256 characters.
- "User": ["cn", "cn" . . .]
- A list of common names (CNs) of users.
- "UserDN": ["dn", "dn" . . . ]
- A list of distinguished names (DNs) of users.
- "Group": ["cn", "cn" . . .]
- A list of group CNs.
- "GroupDN": ["dn", "dn" . . . ]
- A list of group DNs.
- "DisplayIndication": [true or false]
- An optional parameter that controls whether widgets display an indication to the user that data is filtered.
- "FilterSet"
- A required parameter that includes the following information:
- "FilterOperator":"operator"
- A required parameter that describes the operator (for example, AND or OR) to use with the parameters in the filter array.
- "FilterArray"
- A required parameter that includes the following information:
- "FilterMetricID":"metric_ID"
- A required parameter that specifies the monitor metric that is being filtered.
- "FilterOperator":"operator"
- A required parameter that specifies the operator (for example, lessThan or equals) to use on the filter value.
- "FilterValue":"value"
- A required parameter that specifies the specific metric value to which the operator is applied. The value can be fixed or dynamic, as described in Fixed versus dynamic expressions.
- "FilterOperatorCaseSensitive": value
- A required parameter that specifies whether the case of the value should be considered. The possible values are true or false.
Your security filter file can include filters for multiple users and groups. Ensure that each grouping of monitor model ID, monitoring context ID, and user or group is listed only once in the security filter file. If there are multiple entries, the last entry will overwrite earlier entries for that user or group.
Fixed versus dynamic expressions
- Fixed value
In the following expression, the value (Joan Smith) is fixed:
Loan_Officer = 'Joan Smith'
When a user logs in, that user can see instances in which the loan officer is Joan Smith.
- Dynamic valueA dynamic expression can be based on user security information (such as user distinguished name), or it can be based on other attributes defined in an LDAP or federated repository database.
- In the following expression, the value is dynamic and is based
on a user security attribute:
Loan_Officer equals $account.parameters.userID
In this case, the instances are filtered so that only those instances in which the logged-in user is the loan officer are shown to that user. The expression indicates that the Loan_Officer metric must match the userID attribute of the logged-in user.
For example, if user RSmith logs in, he sees only the instances in which the loan officer is RSmith.
- In the following expression, the value is dynamic and is based
on a user attribute from a federated repository:
Loan_Officer equals $account.parameters.cn
In this example, the instances are filtered based on the Loan_Officer matching the LDAP common name (cn) attribute for the logged-in user.
- Dynamic values must be delimited with # signs in order to be recognized
as substitution expressions. Also, note that single quotation marks
should be included to indicate a string expression. For example, the following JSON fragment represents "Loan_Officer equals $account.parameters.cn":
"FilterMetricID":"Loan_Officer", "FilterOperator":"equals", "FilterValue":"'#$account.parameters.cn#'",
- In the following expression, the value is dynamic and is based
on a user security attribute:
Multiple conditions
As shown in Security filter sample file, the filter set for a user or group can contain one condition (as in the case of user PatrickL) or multiple conditions (as in the case of RSmith).