Securing data

To secure data at the value level, create security filters in data modules.

A security filter defines which users, groups, or roles have access to specific data values in a table. When the users work with dashboards, reports, or explorations that use the table, only the data that is included in the security filter is visible to them.

There are business reasons for restricting access to data at such low level of granularity. For example, you have confidential data that only specific users are allowed to see. Or, a table contains many records, and your users need only a subset of those records.

Important: Security filters do not apply to tables created by the typed-in SQL option. To avoid potential security risks when using security filters, always use the ibmcognos.typeinsqldisabled property on the data server connection that your data module is based on. If an attempt is made to create an SQL-based table after this property is specified, the table is not created. If this property is specified after an SQL-based table was created, the query execution is stopped. For more information on how to apply this property to a data server connection, see ibmcognos.typeinsqldisabled.

Before you begin

The schema metadata for the associated data server connections must be loaded, and you must have write permissions for the connections and their signons.

About this task

This type of data security can be implemented only for data server sources.

Users who perform this task must belong to a role that has the Set data security feature that is enabled in the administration interface. Otherwise, the table context menus in the data module won't show the Set data security option that is needed to perform this task. For more information, see Customizing the user interface.

Important: Administrators should be selective and assign the permission for setting data security filters only to a limited group of trusted, knowledgeable users.

Procedure

  1. From Team content or My content, open a data module.
    The data module source must be a data server, or another source that includes data server tables.
  2. Click the Sources pane Source view icon. to expand it.
  3. Expand the data server schema to view its tables.
  4. From a table context menu Vertical actions menu icon, select Set data security, and click Add security definition.
  5. In the Set data security dialog box, create the filters by associating specific users, groups, or roles with columns in the table. Your security definition can include one or multiple filters.
    1. In the Users, groups and roles pane, click the add icon Icon to add a data source. In your authentication namespace, locate the users, groups, or roles for which you want to define access to the table data, and select their associated check boxes. The selected names appear in the Selected users, groups and roles pane.
    2. In the Filters pane, from the Select a column drop-down list, select one column, and click Create a filter. Specify the required filter conditions, and click OK. You can add filters for other columns in the same way.
    3. Use the via expression editor option from the Select a column drop-down menu to add filters for multiple columns at once.

      When this option is used, the filter can reference columns from other tables in the data module, not only the table that was selected in step 4. The syntax to reference another table uses an IN clause with an expression that contains the required filter condition. A CASE statement is the easiest one to use as a condition, but you can also use an IF THEN ELSE statement in this role. When the CASE statement is used in the IN predicate of the filter condition, a subquery is generated that does not require to be joined to the originally selected table (step 4).

      For example, if the 'employee' table needs to be secured by using the 'department' table, the following filter expression can be used to set the column 'department_id' to '2': 

      department_id IN (CASE WHEN department.department_id=2 THEN department.department_id END)
    4. Specify a name for the security definition, and click OK.
    Tip: Your security definition can include one or multiple filters.

Results

The security definition is added to the Security filters tab in the table properties. In the Sources pane, the padlock icon Secured table icon appears next the table name.

The security filters are applied to the data server schema and are reflected in new and existing data modules that use the schema as a source.