Setting the scope
The scope configuration provides a way to control when AtScale applies security dimension constraints.
Scope property
When creating a row security object, you set the scope to one of the following values:
-
Related
Applies the security constraint when the query selects any dimension or secondary attributes that have a path to the security dimension as long as no fact table is used. The security constraint is not applied to dimension-only queries that select multiple dimensions related through a fact table. See the red box on the figure below.
-
Fact
Applies to the same queries as Related, as well as queries that include a measure from a fact table connected to the secure dimension (see the yellow box on the figure below). The security constraint is not applied to single-dimension-only queries that are related to the secured dimension via the fact table (Date and Store Location in the figure below). However, security is applied to multi-dimension-only queries because they are joined using a synthetic measure from the fact table that relates them (dashed yellow box in the figure below).
-
All
The security constraint applies to every query unless there is no path to the security dimension. This is the case with two separate fact tables, each with their own unrelated dimensions. See the green box in the figure below.
Example
The figure below illustrates a model consisting of factinternetsales
(a fact table), Product SKU
(dimension secured by a nested Product
Security Dimension), Date (unsecured dimension), and Store Location
(unsecured dimension).
Figure: Graphic Representation of Row Security Query Scopes
Given the model in this figure, the table below illustrates the application of the Product Security Dimension as either a "Yes" or "No" value for each example query and scope setting on the Product Security Dimension.
Table: How the Scope Settings Affect Queries
Query selected attributes | Product Security Dim Scope = All | Product Security Dim Scope = Fact | Product Security Dim Scope = Related |
---|---|---|---|
Product SKU | Yes | Yes | Yes |
Product SKU secondary attributes | Yes | Yes | Yes |
Date | Yes | No | No |
Store Location | Yes | No | No |
Date, Store Location | Yes | Yes | No |
Sum(SalesAmount) | Yes | Yes | No |
Sum(SalesAmount), Date, Store Location | Yes | Yes | No |
Sum(SalesAmount), Date, Product SKU | Yes | Yes | Yes |
Notes on Row Security Scope
- Degenerate dimensions (dimensions derived from a fact table) behave the same way as standard dimensions with respect to the scope setting of Fact. Therefore, a dimension-only query on a degenerate dimension will not have its contents filtered by a secured dimension connected to the fact table (for example, Product SKU on the figure above).
- Security constraints for all scopes do not apply to queries run against unconnected fact datasets or their dimensions.