10-30-2008 8:24 AM
Hi,
Consider the following Organizational hierarchy:
A
/ \
A1 A2
/ \ / \
A11 A12 A21 A22 etc..
I have a query with a fixed filter on hierarchy node A1. There is also an authorization variable present. When I run this query with only authorization A11 I get an authorization error, stating that I am not authorized for A1.
I would expect the fixed filter would only check that the data queries is within the subtree below A1, but it seems that the fixed filter requires total authorization for this node.
Could anyone explain if and how fixed filters and authorization filters can coexist together?
Thank you!
Kind regards,
Lodewijk Borsboom
10-30-2008 1:46 PM
Hi Lodewijk,
Check the authorizations your ID has from the security roles in PFCG.
Besides the Authorization variable and filter in the Query, you may also have to check if BI Analysis Authorizations are applied to your ID.
As BI Authorizations are a combination of general PFCG authorizations and Analysis Authorizations, you need to make sure that the ID has authorizations for the right node in the hierarchy.
Hope this helps.
Regards,
Kiran Kandepalli.
10-30-2008 1:46 PM
Hi Lodewijk,
Check the authorizations your ID has from the security roles in PFCG.
Besides the Authorization variable and filter in the Query, you may also have to check if BI Analysis Authorizations are applied to your ID.
As BI Authorizations are a combination of general PFCG authorizations and Analysis Authorizations, you need to make sure that the ID has authorizations for the right node in the hierarchy.
Hope this helps.
Regards,
Kiran Kandepalli.
11-05-2008 8:42 AM
All prerequisites you describe are met.
The problem is that without the fixed filter, the query picks up the value of the authorization variable, but with the fixed filter set it checks the values specified in the filter.
I would expect that the filter only would check that the values selected (in this case: the authorization variable's value) are within the filter limits.
So the problem is still not solved
11-05-2008 8:43 AM
Hallo,
if you use a fixed filter for the hierarchy node A1 and run the query with the authorization for A11, you will receive an error. During the authorization check, the authorization for A1 is necessary (because of fixed node) u2013 even if you use a variable.
You have a few possibilities:
1. Try the query with the authorization A1, it should work.
2. Delete the fixed filter node A1 and use only a hierarchy variable
Regards
SWS
11-05-2008 5:02 PM
11-06-2008 5:18 PM
Hi Lodewijk,
A
/ \
A1 A2
/ \ / \
A11 A12 A21 A22 etc..
I have a query with a fixed filter on hierarchy node A1. There is also an authorization variable present. When I run this query with only authorization A11 I get an authorization error, stating that I am not authorized for A1.
This is expected behavior. Note that you mentioned your filter is set at A1 ( higher node ) while your auth variable is at A11 ( lower node or subset of A1 ). When you are asking your query to "filter results starting at A1", the system expects that you have authorization for the complete selection (or as you say it total authorization ) -- in your case it is starting at A1. However, your authorization is restricting you to a subset of A1. In query selection you are asking for data starting at higher node but applying auth restrictions at lower node. Remember, authorizations will ALWAYS take higher priority.
If you want to use fixed filter on hierarchy it better be within or equal to the authorized node value. But of course this can't be guaranteed unless you create a unique query for each user that has different authorization needs, which leads to inefficient design. Instead, you may want to create 'filters' based on variables that derive their value from authorization values instead of fixed values.
Ashutosh
11-12-2008 1:42 PM
Our BI-guys solved this problem as follows:
All static-filters are now set in the 'Characteristic Restrictions' and the Authorization Variable is set under 'Default Values' . The query is now working as expected.
Thanks for your input!
Kind regards,
Lodewijk Borsboom