January 02, 2007, 03:45 PM
Jim BrewerRestricting FIELD access conditionally
I would like to conditionally restrict access to some data fields across many different reporting programs. Preferably, I would be able to accomplish this without changing the FEXs.
Example:
Portfolio managers need access to our overall investment balance sheet. The detailed data is available in our FOCUS data marts and aggregated with Table requests. Further, they may only see detailed information for their own investment portfolios.
Insufficient option #1 -- Restrict record access with DBA rules, using RESTRICT=VALUE, NAME=SEG01, VALUE=MANAGER_CDE EQ ..., $
-- this filters out all records not meeting the criteria, impairing my ability to generate a complete balance sheet.
Insufficient option #2 -- Restrict field access with DBA rules, using RESTRICT=NOPRINT, NAME=ISSUE_NAM, $
-- this prevents the display of the issue name for all investments including in the managers' own portfolios.
Insufficient option #3 -- Restrict field access with a uniquely defined virtual field in multiple MFDs for each portfolio manager.
-- In the managers' profiles, I would control which master file is available for each manager. However, maintaining separate directories for each portfolio managers' MFDs is impractical.
I would like a conditional RESTRICT=NOPRINT feature here. Any ideas?
Thanks.
January 03, 2007, 08:22 AM
hammo1jOnly thing I can think of is to have the portion of the report that needs full access to be done under a different SET USER= with full access but then to encrypt this fex and the master so that other users can't see what's going on.
January 03, 2007, 10:23 AM
mgrackinJim,
You can put the DBA rules in a separate file and then reference it with a statement in the MFD.
Create a set of DBA rules files with different names and then at the beginning of a FEX copy the appropriate DBA rules file to a file that has the name referenced in the MFD. This might work.
January 03, 2007, 10:42 AM
jgelonaOur application is Child Welfare. We have 3 basic groups, guests (no access to detail), regular child welfare workers (access to all detail except adoption data) and adoption workers and upper management (access to all detail).
What I do is run a fex every 12 hours to get updated staff data. If the user is not in the table, they are a guest. If the user is in the table but no longer Child Welfare, they are a guest. If the user is in the table and meets specific criteria (division, posistion type, etc.) they are in the adoption group. Everyone else is in the regular child welfare group.
When a report is run, I examine the user id passed from the Web Server. The userid is assigned a GroupId. Then I use a WHEN clause in the drill down that either enables or disables drill down to specific detail.
January 03, 2007, 10:57 AM
cburttJim,
Check out IBI Technical Memo 4550 which tells how to suppress Applications, Files, and Fields from the various lists of same that are displayed in MRE and DevStudio tools.
While the intent is different, Technical Memo 4613 explains how to lock specific developers from specified Applications.
Both may help you do what you want.
Chris Burtt
January 09, 2007, 11:00 AM
KerryHi Jim,
Has this issue been resolved? Many thanks to everyone's input on this topic.
Here are the Technical Memos that Chris suggested:
Technical Memo 4550: Customizing the Display of Applications, Files, Fields, & Field Descriptions in WebFOCUS Development Tools 5.2.6 or Higher Technical Memo 4613: Creating Private Application Views With APPLOCK 7.1 You will need to have an InfoResponse userid/password to access the documents.
Hope this helps.
Cheers,
Kerry