Setting the Scope
The scope configuration provides a way to control when AtScale applies security dimension constraints.
Scope property
When creating a security dimension you should set the scope to one of the following values:
- Related: Applies security constraint when the query selects any dimension or secondary attributes that have a path to the security dimension as long as no fact table is used. The security constraint is not applied to dimension-only queries that select multiple dimensions related through a fact table. See the red box on the figure below.
- Fact: Applies to the same queries as Related but also applies to queries that include a measure from a fact table connected to the secure dimension (see the yellow box on the figure below). The security constraint is not applied to single-dimension-only queries that are related to the secured dimension via the fact table (Date and Store Location on the figure below). However, multi-dimension-only queries will have security applied because they are joined using a synthetic measure from the fact table that relates them (dashed yellow box on the figure below).
- Fact-Only: Applies the security constraint when a query selects a measure or a calculated measure derived from the connected fact dataset. The security constraint is not applied when a dimension-only query uses the secured fact dataset, or when a dimension-only query selects a degenerate dimension derived from the secured fact dataset.
- All: Every query will have the security dimension applied unless there is no path to the security dimension. This is the case with two separate fact tables, each with their own unrelated dimensions. See the green box on the figure below.
When defining user-defined aggregates (UDAs) to accelerate queries against fact tables that are connected to Fact-Only security dimensions, the UDA must include the security dimension's Filter Key attribute. For reference, the value that will need to be in the fact table should be equivalent to data stored in the column mapped to the security dimension's Filter table column (in the Security Dimension dialog, this is the column selected in the Column Containing Attribute Filter Keys field). Failure to do this will result in the building of UDAs that cannot be used by non-admin users.
Examples
Dimensions with nested security dimensions
The figure below illustrates a model consisting of factinternetsales
(a fact table), Product SKU (dimension secured by a nested Product
Security Dimension), Date (unsecured dimension), and Store Location
(unsecured dimension).
Figure: Graphic Representation of Security Dimension Query Scopes
Given the model in this figure, the table below illustrates the application of the Product Security Dimension as either a "Yes" or "No" value for each example query and scope setting on the Product Security Dimension.
Table: How Security Dimension Scope Settings Affect Queries
| Query selected attributes | Product Security Dim Scope = All | Product Security Dim Scope = Fact | Product Security Dim Scope = Related |
|---|---|---|---|
| Product SKU | Yes | Yes | Yes |
| Product SKU secondary attributes | Yes | Yes | Yes |
| Date | Yes | No | No |
| Store Location | Yes | No | No |
| Date, Store Location | Yes | Yes | No |
| Sum(SalesAmount) | Yes | Yes | No |
| Sum(SalesAmount), Date, Store Location | Yes | Yes | No |
| Sum(SalesAmount), Date, Product SKU | Yes | Yes | Yes |
Fact datasets with security dimensions
The figure below illustrates a model with factinternetsales (a fact table secured by a factinternetsales Security Dimension), and two unsecured dimensions (Order and Product).
Figure 2: Graphic representation of security dimension query scopes
Given the model in this figure, the table below illustrates the application of the security dimension for each example query, given the security dimension's scope of Fact-Only.
| Query Selected Attributes | Security Dim Scope = Fact-Only |
|---|---|
| Order | No |
| Order secondary attributes | No |
| Order, Product | No |
| Sum(SalesAmount) | Yes |
| Sum(SalesAmount), Order, Product | Yes |
Notes on Security Dimension Scope
- Degenerate dimensions (dimensions derived from a fact table) behave the same way as standard dimensions with respect to the scope setting of "Fact". Therefore a dimension-only query to a degenerate dimension will not have its contents filtered by a secured dimension connected to the fact table (for example, Product SKU on the figure above).
- Security constraints for all scopes do not apply to queries run against unconnected fact datasets, or their dimensions.