Considerations for Access Control
One important feature of the Measure Factory is the automation of the rules application, which allows the developer to concentrate on rule development and not worry about the rule processing order. It is possible for a measure and a non-dimension rule to have the same name. It is also possible for rules in two different data sets to share a name. Because of these possibilities, the processes in Measure Factory modify the names of some rules and measures. This renaming impacts how you specify access control to effectively restrict columns and measures, or set limits on dimension values.
Naming conventions for factory rules and measures
The factory produces two sets of cBases located in the following folders:
- factory-output/__internal/data-sets
- factory-output/__internal/views
The two kinds of cBases have different naming conventions for measures and non-dimension rules in order to distinguish rules and measures that have the same name. In this context, non-dimension means the rule is not defined in the factory configuration as a dimension (using the dimension tag). To accurately define access limits at the cBase level, you must be aware of these naming conventions.
Scenario
The Warehouse data set has a rule named Amount, as well as a measure named Amount, which is a sum over the rule.
In the factory-output/__internal/data-sets cBases:
- The cBase column for a non-dimension rule has the same name as the rule. In this case, the rule Amount is stored in a column named Amount.
- The cPlan calc for a measure has a modified name. In this case, the measure Amount is implemented in a calc named Measure: Amount.
In the factory-output/__internal/views cBases:
- The cBase column for a non-dimension rule has a modified name. In this case, the rule Amount from the Warehouse data set is stored in a column named Rule: Amount (Warehouse).
- The cPlan calc for a measure has the same name as the measure. In this case, the measure Amount is implemented in a calc named Amount.
Implications for detailed-level factory security
In some cases, Measure Factory renames dimensions/columns in the underlying cBases and cPlans that are used by ProDiver and DivePort. Rules that are defined as Measure Factory dimensions in the factory configuration file are not given modified names. Any renaming that does occur impacts how you specify access restrictions to columns or dimension value limits in your factory data.
- If you limit a non-dimension rule using its unmodified name only, the access limit applies to the factory-output/__internal/data-sets cBases only. The view cBases, which are what DivePort and 'All Measures' in the factory.dbk use, are not restricted.
- If you limit a measure using its unmodified name only, the access limit applies to the factory-output/__internal/views cBases only. The data-set cBases accessed from the factory DiveBook data sets area are not restricted.
Therefore, to successfully apply access control to rules and measures, you must limit both the original and the modified names.
Example 1
Suppose that you want to restrict measures so that some users cannot see them. For example, you want to limit who can see the source-rule column named Total Dollars as well as any measures that used this column. To start, you create a property can-see-dollars. For each user or group, assign a yes or no value to this property. Then you set the following access controls on the cBases in the factory-output folder:
access { file-access { allow-read } cbase-access { restrict-columns "Total Dollars" allow-columns "Total Dollars" { if-property "can-see-dollars" "Yes" } } }
However, when run, the Measure Factory build creates a new column named Rule: Total Dollars (Payroll) using the values from the Total Dollars source rule from the Payroll data-set. To restrict access to measures that use the Total Dollars source rule in their definition, you must also restrict the column Rule: Total Dollars (Payroll). Therefore, the complete access rule is:
access { file-access { allow-read } cbase-access { restrict-columns "Total Dollars" "Rule: Total Dollars (Payroll)" allow-columns "Total Dollars" "Rule: Total Dollars (Payroll)" { if-property "can-see-dollars" "Yes" } } }
Example 2
Suppose you need to configure the access for a factory to allow only specific values to display for a group. You could define access by limiting dimension values. For example, you want users in the East district to only see receivable data for branches 1 and 2 in the AR data set. Your access configuration might resemble the following:
access { file-access { allow-read } cbase-access { limit-rows-by-values { column "Receivable-code" "Rule: Receivable-code (AR)" values "BR1" "BR2" if-group "East" } } }
Note that in this case, the source rule column Receivable-code has the potential to be renamed by the factory to Rule: Receivable-code (AR), so you need to include both names in the limit.
See also: