Focal Point
[resolved] Custom gadget; how do I support scorecard access security?

This topic can be found at:
http://forums.informationbuilders.com/eve/forums/a/tpc/f/1461084022/m/7427036616

February 13, 2012, 05:13 PM
Moogle
[resolved] Custom gadget; how do I support scorecard access security?
Hi Team,

I've built a custom gadget like this:


<BUNCH OF SETS>
-INCLUDE A_DEFAULTS
-INCLUDE A_SCORECARD
-INCLUDE PMF_BOOKLET_DATA
TABLE FILE PASS1
SUM
<FIELDS>
END


What seems to be missing is my scorecard security filters (I've got child scorecards that filter for specific dimension values.

If I do a ? & -EXIT I can see several variables related to my scorecard security, but the full variable name is truncated. For instance:

&ROW_SEC_WHER

I could manually add the where statment(s) to the custom gadget, but I don't know the entire variable name.

On a related note, is there a way to show the entire variable name when interrogating for active variables in FOCUS? Alternately, are they written somewhere? I've checked the developer guide; first thing.

Cheers,

Joey

This message has been edited. Last edited by: Moogle,


-WebFOCUS 8.2.01 on Windows
February 13, 2012, 05:36 PM
Bob Jude Ferrante
Whether you're using Scorecard-based or User-based Access security the parameters are the same. They are collected during initial processing of FILTERS.FEX and should be applied transparently to you, if you're using PMF_BOOKLET_DATA to extract the data.

Let me know if your mileage varies.

thanks


Bob Jude Ferrante
Director of Business and Development
WebFOCUS Performance Management
Bob_Ferrante@ibi.com
917-339-5105

I'll take any questions about PMF - business or technical - anytime!

February 14, 2012, 09:12 AM
Moogle
I'm probably doing something wrong, because I am not seeing what you describe. My scorecard security isn't kicking in, but if I use a dimension tree gadget, those filters do affect the custom gadget report.

I made sure to try it as not pmfadmin, as I've confused myself many times in the past; "why aren't my security filters working?!?! Oh wait, I'm pmfadmin."

Here's the code where I pull the data I need, do you see anything wrong / strange here?

  
-SET &PMF_IS_GADGET='Y';
-SET &TIME=0;
-SET &TRANSACTIONTYPE=0;
-*-SET &PRODUCTLINE=0;
-SET &LOSSRATIOSEGMENT=0;
-*-SET &SALESORG=0;
-*-SET &PROVINCE=0;
-SET &EXPENSETYPE=0;
-SET &CLAIMEXPENSETYPE=0;
-SET &CLAIMSORG=0;
-SET &PERSPECTIVE_ID=0;
-SET &THEME_ID=0;
-SET &OBJECTIVE_ID=0;
-SET &RPT_TITLE1='Loss Ratio Analysis and Breakdown';
-SET &RPT_TITLE2='';
-SET &MEASURE_SERIES='78 OR 232 OR 233 OR 92 OR 234 OR 11 OR 77';
-SET &INWH33=0;
-SET &RPT_FLDIN01='VAL_ACTUAL';
-SET &RPT_FLDIN02='VAL_TARGET';
-SET &RPT_FLDIN03='VAL_FORECAST';
-SET &WFFMT='HTML';
-SET &THIS_FOCEXEC='gadget_loss_ratio_analysis';
-**************************
-* START OF FIRST SECTION
-* THIS FIRST SECTION BUILDS FOUR HOLD FILES, USING FOUR DIFFERENT TIME RANGES:
-SET &RUNCOUNT=1;
-SET &TIME_RANGE='YTD';
-SET &REPORT_TITLE='Loss Ratio Gadget - 001 YTD';
-**************************************
-STARTQUERY;
-**************************************
-INCLUDE A_DEFAULTS
-INCLUDE A_SCORECARD
-INCLUDE PMF_BOOKLET_DATA
TABLE FILE PASS1
SUM
  COMPUTE SORT_ORDER/I8=IF MEASURE_SERIES_NAME EQ 'Net Loss Ratio' THEN 3 ELSE 1;
-* grab all the report fields RPT_FLD01 - 10
-INCLUDE A_GET_DATA_RPT_FLDS
-SET &LAST_RPT_STEP = 'Y' ;
-INCLUDE A_GET_DATA_FIELDS_I1
   BY MEASURE_SERIES      AS 'DATA_FIELD_ID'
   BY MEASURE_SERIES_NAME AS 'DATA_FIELD'
ON TABLE HOLD AS HOLD&TIME_RANGE.EVAL
END
-SET &RUNCOUNT=&RUNCOUNT + 1;
-SET &TIME_RANGE='YTD_PRI';
-SET &REPORT_TITLE='Loss Ratio Gadget - 002 YTD PRIOR';
-IF &RUNCOUNT EQ 2 GOTO STARTQUERY;
-SET &TIME_RANGE='QTD';
-SET &REPORT_TITLE='Loss Ratio Gadget - 003 QTD';
-IF &RUNCOUNT EQ 3 GOTO STARTQUERY;
-SET &TIME_RANGE='QTD_PRI';
-SET &REPORT_TITLE='Loss Ratio Gadget - 004 QTD PRIOR';
-IF &RUNCOUNT EQ 4 GOTO STARTQUERY;
-*

February 14, 2012, 10:22 AM
EricH
Joey,

A question and a comment here. First the question.

How are you testing this? If you are running outside of PMF, then filters.fex will not be invoked - and Scorecard Security is enforced in filters.fex. BTW - you do NOT need to include A_DEFAULTS since that is automatically included in filters.fex.

Next - regarding your question about the &var names being chopped off when you do a -? &. This is a WebFOCUS issue that is out of our control. I find it annoying as well.

Eric
February 14, 2012, 11:14 AM
Moogle
Hi Eric,

Thanks for your response.

I'm testing in PMF, as I've embedded this code into a gadget and have created a dashboard with a dimension tree. I set broadcast on, so that's how I can tell the dimension filters are kicking in when I use the tree, but not when I change to a child scorecard with a scorecard security filter.

It's a mystery.

If you can tell me the specific name of the variable that I was asking about above, I can add the where statement to my code manually. It contains something like
  
 '<DIMENSIONLEVEL> EQ <Security filter value>'


Cheers,

Joey
March 15, 2012, 10:00 AM
Moogle
Hi Team,

I've found some time to look at this again, and I've distilled it into something that you can try to replicate at your end.

I discovered that this is not just with custom gadgets, I see the same result with content pages.

Here are the repro steps:

1. Create a Scorecard linked to one or more measures
2. Create a child Scorecard, cascaded from step 1, and assign it a dimensional access security restriction (make sure it's a dimension used by the linked measure(s).
3. Create a Consumer user, and make sure they can access the Scorecards from step 1 and step 2
4. Create two pieces of Today Page content, like this:

First content (analysis designer code using a template):
-SET &TIME_RANGE='YTD';
-SET &TIME=0;
-SET &TRANSACTIONTYPE=0;
-SET &PRODUCTLINE=0;
-SET &LOSSRATIOSEGMENT=0;
-SET &SALESORG=0;
-SET &PROVINCE=0;
-SET &EXPENSETYPE=0;
-SET &CLAIMEXPENSETYPE=0;
-SET &CLAIMSORG=0;
-SET &PERSPECTIVE_ID=0;
-SET &THEME_ID=0;
-SET &OBJECTIVE_ID=0;
-SET &MEASURE_SERIES='0';
-SET &INWH33=0;
-SET &RPT_FLDIN01='INDVAL_ACTUAL_TARGET_DEFAULT';
-SET &RPT_FLDIN02='VAL_TARGET';
-SET &REPORT_TITLE='testing_child_scorecard_security_filter';
-SET &WFFMT='HTML';
-SET &THIS_FOCEXEC='PMF_RPT_TMPLT_MEAS_VERT';
-INCLUDE PMF_RPT_TMPLT_MEAS_VERT


Second content (custom code for advanced processing of the display output):
-SET &TIME=0;
-SET &TRANSACTIONTYPE=0;
-SET &PRODUCTLINE=0;
-SET &LOSSRATIOSEGMENT=0;
-SET &SALESORG=0;
-SET &PROVINCE=0;
-SET &EXPENSETYPE=0;
-SET &CLAIMEXPENSETYPE=0;
-SET &CLAIMSORG=0;
-SET &PERSPECTIVE_ID=0;
-SET &THEME_ID=0;
-SET &OBJECTIVE_ID=0;
-SET &MEASURE_SERIES='0';
-SET &INWH33=0;
-SET &RPT_FLDIN01='VAL_ACTUAL';
-SET &RPT_FLDIN02='VAL_TARGET';
-SET &REPORT_TITLE='testing child scorecard security filters';
-SET &WFFMT='HTML';
-SET &THIS_FOCEXEC='testing_child_scorecard_security_filter';
-**************************
-SET &TIME_RANGE='YTD';
-**************************************
-INCLUDE A_SCORECARD
-INCLUDE PMF_BOOKLET_DATA
TABLE FILE PASS1
PRINT
  MEASURE_SERIES
  MEASURE_SERIES_NAME
  IND_TARGET_DEFAULT_HTML
  MEASURE_FORMAT
  ACTUAL
  TARGET
ON TABLE SET HOLDLIST PRINTONLY
ON TABLE SET ASNAMES ON
END


5. log in as the Consumer user, and run both pieces of content using the parent scorecard. Measure values should be identical.
6. run both pieces of content using the child scorecard. The first content respects the child scorecard filter. The second shows the same values as the parent scorecard, which means it is not taking the child scorecard filter into account.

If you can repro this, then I wonder if there is a where statement that I can add to my TABLE FILE PASS1 that will correct this behaviour?

Cheers,

Joey


-WebFOCUS 8.2.01 on Windows
March 16, 2012, 06:01 PM
Bob Jude Ferrante
Reviewing your code, I strongly suspect that the amper vars you're setting, such as -SET amper CLAIMEXPENSETYPE=0, assuming these are Dimensions, are causing your issue. These override any Dimension filters that might get passed in to your gadget. A -SET in the FOCEXEC will override any use of that amper later on. So if CLAIMEXPENSETYPE is the name of a dimension, and you're expecting to filter on it, comment that line out.

Same for the others.

See if that will fix your issue. If not, we can take a deeper dive.

thanks


Bob Jude Ferrante
Director of Business and Development
WebFOCUS Performance Management
Bob_Ferrante@ibi.com
917-339-5105

I'll take any questions about PMF - business or technical - anytime!

March 16, 2012, 06:10 PM
Moogle
Hi Bob,

That is not the issue, unfortunately. I would like a deeper dive on this, please.

Cheers,

Joey
March 16, 2012, 07:02 PM
Bob Jude Ferrante
And when we test with Row Level Security mode set to Scorecard, and use similar code to yours, we get filtering. If you look at the template reports at the heart of every standard Gadget we ship, you'll see that including a_defaults and pmf_booklet_data are the heart of it and not that different from the code you're writing.

So we'll go deeper by asking more questions. Glub glub.

I know you're not using pmfadmin as the ID, and that matters, but there's nothing special about the ID. Lengthy description why below. When you do your test, are you logging on with an Owner ID that belongs to the Functional Group called Administrator in PMF?

I'm tempted to assume the answer is no because you mentioned trees looked as if they were filtering, but would like to know for sure and rule that out.

Comparing a report to the tree is not going to help. The tree is filtered via a different mechanism than FILTERS.FEX, it uses JavaScript, not the same physical mechanism. We need to compare to another report. Are the report/grid gadgets that shipped with PMF filtering properly when the Scorecard in question is selected? If not then we have our second aha. Perhaps something is interfering with proper operation of FILTERS.FEX, such as a customization. Let's rule that out by depathing your pmfcustom folder if there's anything in it and re-testing.

** pmfadmin is just an Owner ID, and there's nothing "administrative" about it until it belongs to the Administrator Functional Role. Any Owner ID that belongs to the Administrator Functional Role has no-filters-applied access, so they can see and shepherd the data. And the only thing that makes the Administrator Functional Role work special is the configuration. What's more, you can even create other Administrator type roles at will. I go into this whole exhausting description because other people are reading this and want to know how it works.

OK... if you're still having issues, it goes into in-person support mode, we'll do a livemeeting. Good?


Bob Jude Ferrante
Director of Business and Development
WebFOCUS Performance Management
Bob_Ferrante@ibi.com
917-339-5105

I'll take any questions about PMF - business or technical - anytime!

March 21, 2012, 09:29 AM
Moogle
The resolution to this problem was to include this piece of code in my fex:

-INCLUDE FOCEXEC_INFO

Bob says this about FOCEXEC_INFO:

 
If you have a look in FOCEXEC_INFO.FEX you’ll notice this interesting line of code:

-INCLUDE ROW_LVL_SEC

Which is the procedure that transparently gets the prequel filters so that PMF_BOOKLET_DATA can apply them to the data extraction step. We don’t embed this code into PMF_BOOKLET_DATA because we use PMF_BOOKLET_DATA in some cases where we don’t want a filter applied, or where a filter is simply not available, mostly for admin and/or system internal use.

Note that FOCEXEC_INFO.FEX is also useful for debugging PMF code. So as a rule of thumb, one should always include it.


Thanks to again to Bob and Eric.

Cheers,

Joey