access filters behave strange

Bram Nijenhuis shared this question 1 year ago
Answered

Im trying to set up access filters in a test environment. I loaded the microsoft SQL adventureworks DWH as a datasource.


Then I created an access filter on the product category field. There are 4 categories in the dimension product category. Each of them has sales associated in the internetsalesfact.


First I created a filter where:

- account vincent had 2 categories

- account bram had 2 categories


This gave me no results for the admin. But strange results for the 2 accounts. Account vincent had access to 3 categories whereas account bram had access to 1


Also I find the documentation with regard to access filters a bit lacking. The demo where you actually set up a filter with demo data is from 7.0 and since some aspects have changed. Also, the actual view settings that need to be adjusted are not extensively explained in the wiki.

Best Answer
photo

Hi Bram,

the business rules of the Yellowfin Access Filter are that if there are no rules for a user then the user won't be able to see any rows, however if the user has a wildcard value then they can see all rows.

This methodology is so that Yellowfin is erring on the side of caution, for example, if a new user is created in the system and they are not supposed to see much, but the administrator forgets to give them an access filter rule, then they will be able to see everything (including the salary of the CEO!). For this reason it was decided that if a user is meant to see everything then the administrator must explicitly configure it this way.


To be able use wildcards in your Access Filter rules you must firstly run the following query:


INSERT INTO Configuration (IpOrg, ConfigTypeCode, ConfigCode, ConfigData) 
VALUES (1, 'SYSTEM', 'SOURCEFILTERWILDCARD', '%')

then restart Yellowfin and then you should be able to add a wildcard rule for your admin.


Please let me know how that goes.


regards,

David

Comments (5)

photo
1

Excuse me, there was a typo in my value which messed things up a bit. That is wat caused the vincent account to have 3 categories and bram 1.


What remains strange however is that when i look at the sql for the vincent account, i see that there is a NOT IN clause for the 2 values that I submitted in the acces filter of the data source. However my admin account which has no values in the access filter cannot acces any data. Also in the demo vid (version 7) the logic seems to be the other way round as well.


SELECT DISTINCT

SUM("FactInternetSales"."SalesAmount"),

"DimProductSubcategory"."EnglishProductSubcategoryName",

"DimProductCategory"."EnglishProductCategoryName"

FROM "dbo"."DimProduct"

INNER JOIN "dbo"."DimProductSubcategory"

ON (

"DimProduct"."ProductSubcategoryKey" = "DimProductSubcategory"."ProductSubcategoryKey"

)

INNER JOIN "dbo"."DimProductCategory"

ON (

"DimProductSubcategory"."ProductCategoryKey" = "DimProductCategory"."ProductCategoryKey"

)

INNER JOIN "dbo"."FactInternetSales"

ON (

"FactInternetSales"."ProductKey" = "DimProduct"."ProductKey"

)

WHERE (

"DimProductCategory"."EnglishProductCategoryName" NOT IN (N'Accessories', N'Clothing')

)

GROUP BY

"DimProductSubcategory"."EnglishProductSubcategoryName",

"DimProductCategory"."EnglishProductCategoryName"

photo
1

Also reversed the logic of the access filter. This did not change the fact that the admin had no values

photo
1

Hi Bram,

the business rules of the Yellowfin Access Filter are that if there are no rules for a user then the user won't be able to see any rows, however if the user has a wildcard value then they can see all rows.

This methodology is so that Yellowfin is erring on the side of caution, for example, if a new user is created in the system and they are not supposed to see much, but the administrator forgets to give them an access filter rule, then they will be able to see everything (including the salary of the CEO!). For this reason it was decided that if a user is meant to see everything then the administrator must explicitly configure it this way.


To be able use wildcards in your Access Filter rules you must firstly run the following query:


INSERT INTO Configuration (IpOrg, ConfigTypeCode, ConfigCode, ConfigData) 
VALUES (1, 'SYSTEM', 'SOURCEFILTERWILDCARD', '%')

then restart Yellowfin and then you should be able to add a wildcard rule for your admin.


Please let me know how that goes.


regards,

David

photo
1

Thanks David,


That did the trick. Have it working now.

photo
1

Hi Bram,

that's great to hear, thanks for letting me know.

regards,

David