Setting the Scope

The scope configuration controls when AtScale applies row security object constraints.

Scope property

When creating a row security object, you set the scope to one of the following values:

  • Related: Applies the security constraint when the query selects any dimension or secondary attributes that have a path to the row security object as long as no fact table is used. The security constraint is not applied to dimension-only queries that select multiple dimensions related through a fact table. See the red box in Figure 1 below.
  • Fact: Applies to the same queries as Related, as well as queries that include a metric from a fact table connected to the secure dimension (see the yellow box in Figure 1 below). The security constraint is not applied to single-dimension-only queries on dimensions that are related to the secured dimension via the fact table (Date and Store Location in Figure 1 below). However, security is applied to multi-dimension-only queries because they are joined using a synthetic metric from the fact table that relates them (dashed yellow box in Figure 1 below).
  • Fact Only: Applies the security constraint when a query selects a metric or calculation derived from the connected fact dataset. The security constraint is not applied when a dimension-only query uses the secured fact dataset, or when a dimension-only query selects a degenerate dimension derived from the secured fact dataset. See Figure 2 below.
  • All: The security constraint applies to every query unless there is no path to the row security object. This is the case with two separate fact tables, each with their own unrelated dimensions. See the green box in Figure 1 below.
Note

When defining user-defined aggregates (UDAs) to accelerate queries against fact tables that are connected to Fact Only row security objects, the UDA must include the row security object's filter key attribute. The value in the fact table should be equivalent to the data stored in the column mapped to the row security object's Attribute Filter Keys value. Failure to do this will result in UDAs that cannot be used by non-admin users.

Examples

Dimensions with nested row security objects

The figure below illustrates a model consisting of factinternetsales (a fact table), Product SKU (dimension secured by a nested Product Security Dimension), Date (unsecured dimension), and Store Location (unsecured dimension).

Figure 1: Graphic representation of row security query scopes

Given the model in this figure, the table below describes the application of the row security object for each example query and scope setting.

Table 1: How the scope settings affect queries

| Query selected attributes | Product Security Dim Scope = All | Product Security Dim Scope = Fact | Product Security Dim Scope = Related |
|---|---|---|---|
| Product SKU | Yes | Yes | Yes |
| Product SKU secondary attributes | Yes | Yes | Yes |
| Date | Yes | No | No |
| Store Location | Yes | No | No |
| Date, Store Location | Yes | Yes | No |
| Sum(SalesAmount) | Yes | Yes | No |
| Sum(SalesAmount), Date, Store Location | Yes | Yes | No |
| Sum(SalesAmount), Date, Product SKU | Yes | Yes | Yes |

Fact datasets with row security objects

The figure below illustrates a model with factinternetsales (a fact table secured by a factinternetsales row security object), and two unsecured dimensions (Order and Product).

Figure 2: Graphic representation of row security object query scopes

Given the model in this figure, the table below describes the application of the row security object for each example query, given the row security object's scope of Fact Only.

Table 2: How the scope setting affects queries

| Query selected attributes | Row Security Object Scope = Fact Only |
|---|---|
| Order | No |
| Order secondary attributes | No |
| Order, Product | No |
| Sum(SalesAmount) | Yes |
| Sum(SalesAmount), Order, Product | Yes |

Notes on row security object scopes

  • Degenerate dimensions (dimensions derived from a fact table) behave the same way as standard dimensions with respect to the scope setting of Fact. Therefore, a dimension-only query on a degenerate dimension will not have its contents filtered by a secured dimension connected to the fact table (for example, Product SKU in the figure above).
  • Security constraints for all scopes do not apply to queries run against unconnected fact datasets or their dimensions.
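
The scope rules, notes, and both tables above can be expressed as one decision function, which makes it easy to list the query shapes that a given scope leaves unfiltered before choosing it. This is an added example, not AtScale code: the function names and parameters are hypothetical, and it assumes a single fact table and treats a secondary attribute as its parent dimension.

```python
# Added illustration: a simplified model of the scope rules on this page.
# Not AtScale code; all names here are hypothetical.

def constraint_applies(scope, dims, metrics, secured_dims=(), connected=True):
    """Return True if the row security constraint filters the query.

    dims         -- dimensions selected (a secondary attribute counts as its dimension)
    metrics      -- metrics selected from the fact table
    secured_dims -- dimensions with a direct path to the row security object
    connected    -- False if the queried datasets have no path to the object
    """
    if not connected:
        return False  # no scope reaches unconnected fact datasets or their dimensions
    dims = set(dims)
    direct = bool(dims & set(secured_dims))
    # Multi-dimension queries are joined through a synthetic metric on the fact table.
    via_fact = bool(metrics) or len(dims) > 1
    if scope == "All":
        return True
    if scope == "Related":
        return direct
    if scope == "Fact":
        return direct or via_fact
    if scope == "Fact Only":
        return bool(metrics)
    raise ValueError(f"unknown scope: {scope!r}")

# Constructed query shapes taken from the rows of Table 1: (dimensions, metrics).
TABLE_1_QUERIES = [
    (["Product SKU"], []),
    (["Date"], []),
    (["Store Location"], []),
    (["Date", "Store Location"], []),
    ([], ["Sum(SalesAmount)"]),
    (["Date", "Store Location"], ["Sum(SalesAmount)"]),
    (["Date", "Product SKU"], ["Sum(SalesAmount)"]),
]

def unfiltered_queries(scope, queries, secured_dims):
    """List the query shapes that would be answered without the constraint."""
    return [q for q in queries if not constraint_applies(scope, q[0], q[1], secured_dims)]

if __name__ == "__main__":
    for scope in ("All", "Fact", "Related"):
        print(scope, unfiltered_queries(scope, TABLE_1_QUERIES, ["Product SKU"]))
```

For the Fact Only case in Table 2, call the function with an empty `secured_dims`, since the row security object sits on the fact dataset rather than on a dimension.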