The dimension rules section of the object security rules
file defines which users and groups can see specific monitor dimensions.
The sample object security rules file contains one dimension rules
section. The rule is written against the loan_officer dimension of
the Mortgage_Lending_BAM_MC monitor context. The dimension is visible
to users RSmith and PatrickL but is hidden from the user with the
distinguished name (DN) of JaneDoe2 and from the PayrollEmployees
group.
{
  "ObjectSecurityArray": [
    {
      "ModelID": "MortgageLendingBAMShowcase",
      "DimensionRules": [
        {
          "MCID": "Mortgage_Lending_BAM_MC",
          "CubeDimensionRules": [
            {
              "DimensionIDs": [
                "loan_officer"
              ],
              "VisibleTo": {
                "Users": ["RSmith", "PatrickL"]
              },
              "HiddenFrom": {
                "UserDNs": ["uid=JaneDoe2,o=defaultWIMFileBasedRealm"],
                "Groups": ["PayrollEmployees"]
              }
            }
          ]
        }
      ]
    }
  ]
}
The attributes of the dimension rules section are described in
the following list:
- "DimensionRules"
  A required attribute that signals the beginning of an array of
  dimension rules for the model.
- "MCID":"monitor_context_ID"
  A required attribute that specifies the monitor context ID. The
  value can be up to 256 characters.
- "CubeDimensionRules"
  A required attribute that signals the beginning of an array of
  dimension rules for the monitor context.
- "DimensionIDs":"dimension_ID", "dimension_ID", "dimension_ID" . . .
  A required attribute that includes one or more dimension IDs to
  which the rule applies.
- "VisibleTo":
  A required attribute that includes the names of users and groups
  who have permission to see the dimension data. VisibleTo is
  required if HiddenFrom is not specified; otherwise, it is optional.
- "HiddenFrom":
  A required attribute that includes the names of users and groups
  who do not have permission to see the dimension data. HiddenFrom is
  required if VisibleTo is not specified; otherwise, it is optional.
Use one or more of the following parameters as needed with
VisibleTo and HiddenFrom. When the object security rules file is
imported, all users and groups defined in the file are read:
- "Users": ["cn", "cn" . . .]
  A list of common names (CNs) of users.
- "UserDNs": ["dn", "dn" . . .]
  A list of distinguished names (DNs) of users.
- "Groups": ["cn", "cn" . . .]
  A list of group CNs.
- "GroupDNs": ["dn", "dn" . . .]
  A list of group DNs.
The following list describes how the combination of these settings
determines whether a user can see a dimension:
- If a user is included in the "VisibleTo" list, the user has access
to the dimension.
- If a user is not included in the "VisibleTo" list but a group
to which the user belongs is included in the list, the user has access
to the dimension.
- If a user is not included in the "VisibleTo" list and none of
the groups to which the user belongs is included in the "VisibleTo"
list, that user does not have access to the dimension.
- If all the groups to which a user belongs are included in the
"HiddenFrom" list, the user does not have access to the dimension,
unless the user is explicitly included in the "VisibleTo" list.