I’ve read designer where it says that all objects used in the report must have a forced join to the security table.
Will this work the same? Add the security table forced join on just the join object between each and every table, not exactly the object in the report.
Example-
sec table had 2 columns userID and entity which is a loc.cd
sec table.entity joins to shp table.loc cd.
shp table.shp id joins to element table on shp id.
Can I add the forced security table to the object Element table.ship Id even if that is not the object in the report- perhaps -Element.Hold YN indicator was used in the report with shp table.loc cd.
This is/would be helpful if all of the reports have not been developed yet- and the Universe design team is totally separate from the report/customer team and the universe team can’t stay ahead of the report writers !
If you are going to use the forced join method, you have to put it on all objects that would require security. If a particular table will be in every query, you might be able to make this work in the join definition of the table.
Personally, I don’t like this type of security. It is very invisible and can break easily if an object is modified.
This is an area where the Business Views (used by Crystal Reports) are superior. Joins are given a property like “always use” or “only when needed” (or something like that). Hopefully this is a feature from Business Views that DOES make its way into the “combined” semantic layer. Still on track for Titan?
Until then though, as has been suggested a solution is to associate the table with every object that needs it … and as Steve points out, it is very fragile. An alternative is using a sub-query instead of a join. Something like this on the DataTbl:
DataTbl.PK IN (SELECT SecTable.FK WHERE SecTable.User = @variable('BOUSER'))
The sub-query can be done as a “self-join” on the table in Designer, or applied as an override in Supervisor. Because it is on the table, not individual objects, it will always be enforced.
Isn't it when you use @Variable('BOUSER') , User names and not groups are the ones implementing security? I just want to verify your statment on this "You can then apply this restriction to relevant BO groups and exclude other groups".
It’s been a while since I tested this, but I remember the results to be ambiguous … all ignored, or the first, or the last … problematic. TEST THOROUGHLY! Our front-end security application (home grown, NOT SUPERVISOR) ensures that a given user has access to a given universe via one and only one group.