Академический Документы
Профессиональный Документы
Культура Документы
In This Section:
Introduction
Understanding How Filters Define Permissions
Creating Filters
Managing Filters
Assigning Filters
Introduction
When security levels defined for applications, databases, users, and groups are insufficient,
Essbase security filters give you more specific control. Filters enable you to control access to
individual data within a database by defining what kind of access is allowed to which parts of the
database, and to whom these settings apply.
If you have Administrator permissions, you can define and assign any filters to any users or
groups. Filters do not affect you.
If you have Create/Delete Applications permissions, you can assign and define filters for
applications that you created.
If you have Application Manager or Database Manager permissions, you can define and assign
filters within your applications or databases.
Filters comprise one or more access settings for database members. You can specify the
following access levels and apply them to data ranging from a list of members to one cell.
Access
Level
Description
None
Read
Data can be retrieved but not updated for the specified member list.
Write
Data can be retrieved and updated for the specified member list.
Metaread
Metadata (dimension and member names) can be retrieved and updated for the
corresponding member specification.
Note:
The metaread access level overrides all other access levels. If additional filters for data are
defined, they are enforced within any defined metaread filters.If you have assigned a metaread
filter on a substitution variable and then try to retrieve the substitution variable, an unknown
member error occurs, but the value of the substitution variable gets displayed. This is expected
behavior.Metadata security cannot be completely turned off in partitions. Therefore, do not set
metadata security at the source database; otherwise, incorrect data may result at the target
partition.When drilling up or retrieving on a member that has metadata security turned on and
has shared members in the children, an unknown member error occurs because the original
members of the shared members have been filtered. To avoid this error, give the original
members of the shared members metadata security access.
Any cells that are not specified in the filter definition inherit the database access level. Filters
can, however, add or remove access assigned at the database level, because the filter definition,
being more data-specific, indicates a greater level of detail than the more general database access
level.
Data values not covered by filter definitions default first to the access levels defined for users
and, when Essbase is in native security mode, second to the global database access levels.
Calculation access is controlled by permissions granted to users and groups. Users who have
calculate access to the database are not blocked by filtersthey can affect all data elements that
the execution of their calculations would update. When Essbase is in native security mode,
calculation access is also controlled by minimum global permissions for the application or
database.
Creating Filters
You can create a filter for each set of access restrictions you need to place on database values.
You need not create separate filters for users with the same access needs. After you have created
a filter, you can assign it to multiple users or groups of users. However, only one filter per
database can be assigned to a user or group.
Note:
If you use a calculation function that returns a set of members, such as children or descendants,
and it evaluates to an empty set, the security filter is not created. An error is written to the
application log stating that the region definition evaluated to an empty set.
Before creating a filter, perform the following actions:
Connect to the server and select the database associated with the filter.
Tool
Topic
Location
Administration
Services
Creating or Editing
Filters
MaxL
create filter
Filtering members separately affects whole regions of data for those members.
Note:
Filtering on member combinations (AND relationship) does not apply to metaread. Metaread
filters each member separately (OR relationship).
Access
Member Specification
None
Sales
None
Jan
The next time user KSmith connects to Sample.Basic, she has no access to data values for the
member Sales or for the member Jan. Her spreadsheet view of the profit margin for Qtr1:
Figure 148. Results of Filter Blocking Access to Sales or Jan
All data for Sales is blocked from view, as well as all data for January, inside and outside of the
Sales member. Data for COGS (Cost of Goods Sold), a sibling of Sales and a child of Margin, is
available, with the exception of COGS for January.
Access
None
Member Specification
Sales, Jan
The next time user RChinn connects to Sample.Basic, she has no access to the data value at the
intersection of members Sales and Jan. Her spreadsheet view of the profit margin for Qtr1:
Figure 149. Results of Filter Blocking Access to Sales, Jan
Sales data for January is blocked from view. However, Sales data for other months is available,
and non-Sales data for January is available.
@ATTRIBUTE and @WITHATTR are member set functions. Most member set functions can be
used in filter definitions.
For example, assume that user PJones is assigned this filter:
Access
None
Member Specification
@ATTRIBUTE(Caffeinated_False)
The next time user PJones connects to Sample.Basic, he has no access to the data values for any
base dimension members associated with Caffeinated_False. His spreadsheet view of firstquarter cola sales in California:
Figure 150. Results of Filter Blocking Access to Caffeine-free Products
Sales data for Caffeine Free Cola is blocked from view. Note that Caffeine Free Cola is a base
member, and Caffeinated_False is an associated member of the attribute dimension Caffeinated
(not shown in the above spreadsheet view).
Metadata Filtering
Metadata filtering provides an additional layer of security in addition to data filtering. With
metadata filtering, an administrator can remove outline members from a user's view, providing
access only to those members that are of interest to the user.
When a filter is used to apply MetaRead permission on a member,
1. Data for all ancestors of that member are hidden from the filter users view.
2. Data and metadata (member names) for all siblings of that member are hidden from the
filter users view.
Managing Filters
You can perform the following actions on filters: viewing, editing, copying, renaming, and
deleting.
Viewing Filters
To view a list of filters, use a tool:
Tool
Topic
Location
Administration
Services
Creating or Editing
Filters
MaxL
display filter
ESSCMD
LISTFILTERS
Editing Filters
To edit a filter, use a tool:
Tool
Topic
Location
Administration
Services
Creating or Editing
Filters
MaxL
create filter
Copying Filters
You can copy filters to applications and databases on any Essbase Server, according to your
permissions. You can also copy filters across servers as part of application migration.
To copy a filter, use a tool:
Tool
Topic
Location
Administration Services Copying Filters Oracle Essbase Administration Services Online Help
MaxL
create filter
ESSCMD
Renaming Filters
To rename a filter, use a tool:
Tool
Topic
Location
MaxL
create filter
ESSCMD
Deleting Filters
To delete a filter, use a tool:
Tool
Topic
Location
Administration Services Deleting Filters Oracle Essbase Administration Services Online Help
Tool
MaxL
Topic
drop filter
Location
Assigning Filters
After you define filters, you can assign them to users or groups, which lets you manage multiple
users who require the same filter settings. Modifications to the definition of a filter are
automatically inherited by users of that filter.
Filters do not affect users who have the Administrator role. Only one filter per database can be
assigned to a user or group.
Access
Member Specification
Write
Actual
None
Actual
Read
The third specification defines security at a greater level of detail than the other two. Therefore,
read access is granted to all Actual data for members in the New York branch.
Because write access is a higher access level than none, the remaining data values in Actual are
granted write access.
All other cells, such as Budget, are accessible according to the minimum database permissions.
If you have write access, you also have read access.
Note:
Changes to members in the database outline are not reflected automatically in filters. You must
manually update member references that change.
Member Specification
MetaRead
California
MetaRead
West
In the first row, applying MetaRead to California has the effect of allowing access to California
but blocking access to its ancestors. Therefore, the MetaRead access to West is ignored; users
who are assigned this filter will have no access to West.
If you wish to assign MetaRead access to West as well as California, then the appropriate method
is to combine them into one row:
Access
MetaRead
Member Specification
California,West
R
W
N
N
N
W
R
W
W
Example 2:
User Mary is defined with the following database access:
FINPLAN
PRODPLAN
R
N
She is assigned to Group Marketing, which has the following database access:
FINPLAN
PRODPLAN
N
W
R
W
In addition, Mary uses the filter artifact RED (for the database FINPLAN). The filter has two
filter rows:
Access
Member Specification
Read
Actual
Write
The Group Marketing also uses a filter artifact BLUE (for the database FINPLAN). The filter has
two filter rows:
Access
Member Specification
Read
Actual, Sales
Write
Budget, Sales
Marys effective rights from the overlapping filters, and the permissions assigned to her and her
group: