User security level enables creating advanced data level access definition. The definition is based on the specified filter which is applied to the selected data sets. User security levels are great way to reduce vulnerability risk, as it allows you to access data belonging only to specific user.
Only users with Domain administrator roles assigned are allowed to create and manage user security levels.
User security can be created also outside of domain
Creating user security levels
Open the Data sets page from main menu on the top of the screen.
- Click "User Security Levels" in the left submenu
- Select the option Add new level
The dialogue window Add user security level allow users define a security level that can be assigned to selected data sets. The following parameters are available:
- Name of the security level
- Delimiter that will be used in the query
- Query code for the data filtering
- Applied columns to which the security levels will be applied to (multiple columns can be added)
defining query code
The query is using SQL-like format that will be applied to the selected columns as a filter. The query must apply the following steps:
- Start with SELECT
- Main data set is referenced via variable $mainDataset(ID) where ID is the data set ID
- Main data set alias is PT
- Main data set needs to be defined in the first part of join
- Other data sets are referenced via variable $dataset(ID) where ID is the data set ID
- Only data set attributes are allowed for the definition
- Variables can be applied
Query code example
SELECT PT.L_COMPANY, PT.L_LEDGER, PT.L_FIELD from $mainDataset(210) PT JOIN $dataset(208) JD1 ON (PT.L_COMPANY= JD1.L_COMPANY AND PT.L_LEDGER=JD1.L_LEDGER AND PT.L_FIELD=JD1.L_FIELD) JOIN $dataset(209) JD2 ON (PT.L_CODE = JD2.L_CODE AND JD1.L_SHARED_CD = JD2.L_SHARED_CD) where ((JD1.L_USER = '$user(username)') AND (PT.L_COMPANY like '$@reportVariable1'))
Variables
The following variables are available:
- $user(XXX) - will return user profile information
- XXX = username, name, surname, roles, phone, phone2. email, address, office, position, active, locale, timeZone, chartType
- $user.parameters - will check whether user parameters contain specified value, example:
WHERE '${user.parameters}' LIKE '%department=ACCOUNTING;%'
- $date(now) - will return the current date
- ${@reportVariable} - will apply value of the report variable
user variables | report variables |
---|---|
Wildcard
You can use wildcards in BellaDati which allows you to substitute any number of characters
Name | Description |
---|---|
% | Replace zero or any number of characters. |
_ | Replace one single character |
Union
In case multiple selects are required, use key UNION to join them.
JOIN
If JOIN is needed, it can be also used in query. JOIN represents LEFT JOIN
Applying security levels
Once a user security level is specified, it can be assigned to a data set. In order to do that, open data set detail and follow the below steps:
- Select the sub-menu option User security levels
- Select the option Enable user security level to enable data set filtering based on the user security level
- Select option Add existing level to apply an existing user security level to the data set
- Select the required security level and click add
Applied user security levels are displayed on the user security level screen:
New levels can be added by using the option Add existing level. Selected user security levels can be unassigned by using X button.
Vulnerability risk reduce
Here you can see simple example of limiting data only to specific userId. DataSet 26 must contain L_CONN_COL this column will be key for both tables and L_USER_ID. This security can be applied to any other DataSet that has L_CONN_COL which will grant access to specific row.