I need some advice on how to implement this in the universe. Please help.
Security table (2 columns) - Note: i’ll link this to some fact tables
userID_1 | Security Rule
Abi | Country = US and Cost center = 123
Teddy | Country = Canada
I need to pass the value of security rule dynamically in the where clause depending on the user id. I’ll be using @variable(‘BOUSER’) = security.userID_1.
The final query should be something like
Select fact.col1, fact.col2 from fact, security
where @variable(‘BOUSER’) = security.userID_1
and Country = US and Cost center = 123
You need not 2 but 3 columns in the security table considering your example .
[User_ID] [CountryID] [Cost CenterID]
If you join Country ID and Cost Center ID to the corresponding dimensions , you may end up resolving loops (Fct-Dim-Security). To avoid that , you may consider using separate Security table for each level of security… There are other options also … but this is just a suggestion
One Question for you ? Why do you want to link the security table to the Fct ? wouldn’t the SQL be better performing if it were linked to the dimensions ?
What if one doesn’t use the dimension table and you don’t want to force joins to all objects from the fact via the “Tables” button? As long as the security table is joined to the fact table, you can force the user to only get those rows s/he is entitled to get.
I was talking about performance which is of major concern (to me atleast) whenever row level security is being considered. Comparing or joining millions of record in fct tables against the security table (which may as well a million rows) is costly. We are talking about the equivalent of a many to many Fct-Fct join in this case.
It would be a lot less costly if the dimensions are involved in the Security. Think of it this way too … I want to see a list of all plants (Dimension Column) that i have access to .Fct based security will go through the fact records to get me the data (Dim-Fct-Security) . Dimension based security will need to involve only the Dimension and security tables (Huge gain).
If the security object sql is embedded in the dimensions , then only the required level of security joins will be pulled into the report.
This is just my practical understanding. May not be relevant to all data scenario’s but definitely is relevant to most.