Information Map Tasks

Summary
Add a Security Associations Table to an Information Map
Create an Identity-Driven Filter
Assign the Filter as a Prefilter

Summary

The following figure depicts the row-level permission aspects of information map design.
Information Map Design for Row-Level Permissions
Information Map Design for Row-Level Permissions
The following topics provide generic instructions for each of these four tasks.

Add a Security Associations Table to an Information Map

In order to make the security relationship information that you added to the data model available for filtering, you must incorporate that information in an information map. One way to do this is to add a table that expresses the relationship between users and data.
Note: This type of table is called a security associations table. For more information, see Data Modeling for BI Row-Level Permissions.
To enhance an existing information map to include a new security associations table:
  1. In SAS Management Console, register the new security associations table in the metadata.
  2. In SAS Information Map Studio:
    1. Add the table to your information map as a data source.
    2. On the Relationships tab, define an inner join that connects an identifier column in the security associations table with a corresponding column in the target table (or in an intermediate dimension).
    3. To make the security associations table a required table, select Editthen selectPropertiesthen selectInformation Map, and then select the Required Tables tab in the Information Map Properties dialog box. In the Available tables list, select the table that you are using as a security associations table. Use the arrow button to move the table to the Required tables list. Click OK.
Note: We recommend that you do not create data items from columns in the security associations table. Excluding these column references from the information map prevents their values from surfacing when reports are created in SAS Web Report Studio.

Create an Identity-Driven Filter

To create a filter that is based on an identity-driven property, perform these steps in SAS Information Map Studio:
  1. Open the information map, save the information map, and select the Design tab. Select Insertthen selectNew Filter to open the New Filter dialog box.
  2. Enter a name for the filter and select a character data item (or click Edit Data Item and use the expression editor to define a character item).
  3. In the New Filter dialog box, from the Enter value(s) drop-down list, select Derive identity values (for row-level permissions).
    Note: Not all conditions support derived identity values. Make sure that the selection in the Condition drop-down list is appropriate.
    The examples column in the New Filter dialog box shows what your values are for each property.
    • The SAS.PersonName value corresponds to the Name field on the General tab of your user definition. This is not always the same as the value of the Display Name field.
    • The SAS.IdentityGroupName value is usually blank and isn't often useful.
    • Although the SAS.IdentityGroups property displays only one value, this property actually returns a list of the groups and roles that you belong to.
    • The SAS.ExternalIdentity value is populated only in certain circumstances.
  4. Select the row for the identity-driven property that you want to use in the filter.
    Note: Not all conditions support all identity-driven properties. Make sure that the selection in the Condition drop-down list is appropriate.
    Note: If you use the IdentityGroups property, set the condition to Is equal to or Is not equal to. For this property, these conditions are converted to an IN (or, NOT IN) statement when the query executes.
  5. Select the Hide from user check box at the bottom of the Definition tab. This prevents the filter from being surfaced (and potentially removed) when reports are created in SAS Web Report Studio.
  6. Click OK. The new filter is now available for use in the current information map.

Assign the Filter as a Prefilter

To use a filter for security purposes, assign the filter as a general prefilter or as an authorization-based prefilter.
To assign a filter as a general prefilter:
  1. Open the information map and select Editthen selectPropertiesthen selectInformation Map.
    Tip
    If this action is not available, save the information map and try again.
  2. In the Information Map Properties dialog box, select the General Prefilters tab.
  3. In the Selected filters list (the right-hand panel), select your security associations table.
  4. In the Available filters list, select the filter and then use the arrow button to move the filter to the Selected filters list. Click OK.
To assign a filter as an authorization-based prefilter:
  1. Open the information map and select Toolsthen selectAuthorization to open the Authorization dialog box.
    Tip
    If this action is not available, save the information map and try again.
  2. In the Users and Groups list, select (or add) the identity that should be subject to the filter.
  3. Make sure that the correct user or group is selected. Add an explicit white check box grant of the Read permission.
  4. Click Add Condition to open the Row-Level Permission Condition dialog box.
  5. In the Selected filters list (the right-hand panel), select the table that you are using as a security associations table.
  6. In the Available filters list, select the filter and then use the arrow button to move the filter to the Selected filters list. Click OK.
  7. In the Authorization dialog box, click Close.
  8. To make your changes take effect, save the information map.
Copyright © SAS Institute Inc. All rights reserved.