Restrict access to reports containing specific properties
Use the property security record to require a user to have a privilege to view or create reports that contain restricted data. After assigning a privilege to the property, the Report Browser enforces the security property restriction. If a report run from the Report Browser contains any reference to a property requiring a privilege the operator does not have, it displays an error message and does not run the report.
When a user is creating reports, the Report Editor displays secured properties, but does not allow them to be added to a report.
This article describes securing an existing property pyHomePhone, which contains personally-identifiable information, with a new property security record called HomePhone. The property security record takes its name from the property it secures.
Restricting access to reports
The steps for this process are as follows:
1. Create a privilege
In the Records Explorer, expand Security. Right-click Privilege and click New.
On the Create Privilege Record form, enter a short description and specify the Applies To class, RuleSet and ruleset Version.
Click Create.
On the Edit Privilege form, click Save.
2. Create the property security record
In the Records Explorer, expand Security. Right-click Property Security and click New.
Enter a description, the name of the property, and the Record context.
- Click Create.
On the Edit Property Security form, on the Security tab, click the + symbol and select the privilege you created for the property.
Click Save.
3. Associate the privilege
You can edit existing records to implement the privilege, or create new ones as described in the following example.
- Add the privilege to a new role
- Create an Access of Role to Object record
- Add the role to an access group
- Assign the access group to the operator
Add the privilege to a new role
In this example, create a role that can be associated with an Access of Role to Object record that "carries" the privilege.
In the Records explorer, right-click Access Role Name and click New.
Enter a short description – this will become the identifier – and verify record context information. Example:
Click Create.
On the Edit Access Role Name Record form, click Save.
Create an Access of Role to Object record
In the Records explorer, click Access of Role to Object and select an instance.
Select Save > Save As.
On the Save as Access of Role to Object form, enter a short description and select the role name you created in the previous step.
Select the Access Class and Record Context.
Click Save. The system associates this Access of Role to Object rule with the PurchaseFW:CanSeePII role.
On the Edit Access of Role to Object form, modify the field values on the Security tab if applicable.
Select the Privileges tab. Click + and select the privilege CanViewPII, then enter 5 in the Level column.
Click Save.
Add the role to an access group
In this example, add the new role PurchaseFW:CanSeePII to the existing access group PurchaseFW:Administrators.
Search for PurchaseFW:Administrators, or in the Records explorer, click Access Groups and select it from the list.
On the Definition tab, in the Roles section, click + and select PurchaseFW:CanSeePII.
Save the PurchaseFW:Administrators access group.
Assign the access group to the operator
Click the menu and select Operator.
On the Edit Operator ID form, in the Application Access section, click + and select the PurchaseFW:Administrators access group.
Save the Operator record.
When running a report in the Report Browser, or when creating a new report in the Report Editor, the user must be logged in with an Operator ID associated with the access group containing the role granted the privilege specified by the property security record. If a property is secured by a property security rule, the system checks what privileges are required for the property and checks the operator's privileges before proceeding.