Security filters
In business monitoring, an instance represents a specific construct of data that is being monitored. In an order processing scenario, for example, an order can be considered an instance. Information about each order instance, such as the dollar amount of each order, can be monitored. Using fine-grained security, you can restrict access at the instance level by using a security filter.
Security filters are applied to a monitor context and restrict access to instances. Security filters also restrict which instances are aggregated to calculate key performance indicators (KPIs) and dimensional data.
How user access is defined
If you do not set up a security filter, any user who has access to the monitor model data can see all instances of the data. If, however, you set up a security filter, you can limit which instances are available to which users.
You define which users have access to the instance data based on user and group names from the user registry. Each security filter is defined for a specific user or group. The supported user registries for security filters are federated repositories (file-based), federated repositories (LDAP), and stand-alone LDAP registry.
The security filter itself is an expression based on a certain metric. As shown in the following examples, the metric expression can use a static value or it can use a dynamic value based on attributes of the logged-in user.
- Static value example
A certain group of users (Adjusters, for example) has access to only those instances in which the ClaimType metric equals "LIABILITY".
When a member of the Adjusters group logs in, that member sees a filtered view of the data (only the liability claim instances).
- Dynamic value example
A certain group of users (Adjusters, for example) has access to only those instances in which the ClaimOwner metric equals the user ID of the group member.
For example, when PatrickL, who is a member of the Adjusters group, logs in, he sees only those instances in which he is listed as the claim owner.
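The static and dynamic filters described above, modeled in Python as an added illustration; this is not product code or the product's filter syntax. The `SecurityFilter` class, the `CURRENT_USER` marker, the `Amount` metric, the sample claims and the rule that several matching filters act as alternatives are assumptions.

```python
from dataclasses import dataclass

# Hypothetical marker meaning "substitute the logged-in user's ID".
CURRENT_USER = object()

@dataclass(frozen=True)
class SecurityFilter:
    principal: str   # user or group name from the user registry
    metric: str      # metric the filter expression tests
    value: object    # static value, or CURRENT_USER for a dynamic value

    def allows(self, instance, user_id):
        expected = user_id if self.value is CURRENT_USER else self.value
        return instance.get(self.metric) == expected

def visible_instances(instances, filters, user_id, groups):
    """Return the instances this user may see."""
    principals = {user_id, *groups}
    mine = [f for f in filters if f.principal in principals]
    if not mine:
        # No filter is defined for this user or their groups:
        # every instance of the monitor model data is visible.
        return list(instances)
    # Assumption: several matching filters are treated as alternatives.
    return [i for i in instances if any(f.allows(i, user_id) for f in mine)]

def kpi_total(instances, filters, user_id, groups, metric="Amount"):
    """Sum KPI aggregated only over the instances the user may see."""
    seen = visible_instances(instances, filters, user_id, groups)
    return sum(i[metric] for i in seen)

# Constructed sample instances (one per claim).
CLAIMS = [
    {"ClaimId": 1, "ClaimType": "LIABILITY", "ClaimOwner": "PatrickL", "Amount": 1200},
    {"ClaimId": 2, "ClaimType": "LIABILITY", "ClaimOwner": "MariaK", "Amount": 800},
    {"ClaimId": 3, "ClaimType": "COLLISION", "ClaimOwner": "PatrickL", "Amount": 500},
]
STATIC = [SecurityFilter("Adjusters", "ClaimType", "LIABILITY")]
DYNAMIC = [SecurityFilter("Adjusters", "ClaimOwner", CURRENT_USER)]

if __name__ == "__main__":
    for name, flt in (("static", STATIC), ("dynamic", DYNAMIC)):
        ids = [c["ClaimId"] for c in visible_instances(CLAIMS, flt, "PatrickL", ["Adjusters"])]
        print(name, ids, kpi_total(CLAIMS, flt, "PatrickL", ["Adjusters"]))
```

A user who has model access but matches no filter gets the full instance list and the full KPI total, so a review of filter definitions should confirm that every user and group with access is covered.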
If your organization keeps entitlement information in an external system application, you can also write your own plug-in to integrate Monitor fine-grained security filters with your external system application. You might also need to write your own plug-in for more advanced security filters. For example, if a security filter requires information from an LDAP registry and a separate database lookup, you can write a plug-in to manage this logic.