You can secure data at the value level by creating security filters.
A security filter defines which users, groups, or roles have access to specific data values in a
table. When the users work with dashboards, reports, or explorations that use the table, only the
data that is included in the security filter is visible to them.
There are business reasons for restricting access to data at such low level of granularity. For
example, you have confidential data that only specific users are allowed to see. Or, a table
contains many records, and your users need only a subset of those records.
Note: When you define data security filters, the filters are applied to the data server schema and
are reflected in new and existing data modules that use the schema as a source.
Before you begin
The schema metadata for the associated data server connections must be loaded, and you must have
write permissions for the connections and their signons.
Tables that are based on typed-in SQL bypass security filters. To avoid potential security risks,
specify the ibmcognos.typeinsqldisabled property on the data server connection
that your data module is based on. If an attempt is made to create an SQL-based table after this
property is specified, the table is not created. If this property is specified after an SQL-based
table was created, the query execution is stopped. For more information, see
Cognos-specific connection parameters.
About this task
This type of data security can be implemented only for data server sources.
Users who perform this task must belong to a role that has the Set data
security feature that is enabled in the administration interface. Otherwise, the table
context menus in the data module won't show the Set data security option that
is needed to perform this task. For more information, see Customizing the user interface.
Procedure
-
From Team content or My content, open a data
module.
The data module source must be a data server, or another source that includes data server
tables.
-
Click the Sources pane to expand it.
-
Expand the data server schema to view its tables.
-
From a table context menu , select Set data security, and click Add security
definition.
-
In the Set data security dialog box, create the filters by associating
specific users, groups, or roles with columns in the table. Your security definition can include one
or multiple filters.
-
In the Users, groups and roles pane, click the add icon . In your
authentication namespace, locate the users, groups, or roles for which you want to define access to
the table data, and select their associated check boxes. The selected names appear in the
Selected users, groups and roles pane.
-
In the Filters pane, from the Select a column
drop-down list, select one column, and click Create a filter. Specify the
required filter conditions, and click OK. You can add filters for other
columns in the same way.
- Use the via expression editor option from the Select
a column drop-down menu to add filters for multiple columns at once.
When this option is used, the filter can reference columns from other tables in the data module,
not only the table that was selected in step 4. The syntax to reference another table uses an
IN
clause with an expression that contains the required filter condition. A
CASE
statement is the easiest one to use as a condition, but you can also use an
IF THEN ELSE
statement in this role. When the CASE
statement is
used in the IN
predicate of the filter condition, a subquery is generated that does
not require to be joined to the originally selected table (step 4).
For example, if the 'employee' table needs to be secured by using the 'department' table, the
following filter expression can be used to set the column 'department_id' to '2':
department_id IN (CASE WHEN department.department_id=2 THEN department.department_id END)
-
Specify a name for the security definition, and click OK.
Tip: Your security definition can include one or multiple filters.
Results
The security definition is added to the Security filters tab in the
table properties. In the Sources pane, the padlock icon appears next
the table name.