With Row-Level-Security (RLS) you can restrict the access of your collector users to specific elements / nodes in your dimension tree. Define which user should have access to which element(s) in which attribute of the dimension tree.
The most important
Since creating the RLS definitions can be very demanding, we strongly recommend automating the generation of your RLS definition list, e.g. with Excel and Power Query, and using the Upload from Excel function:
- The Upload file must fulfil the technical requirements for XLSX upload files.
- Please be aware that you should NOT DELETE all records when you upload a new RLS definition table, since this would lead to "every user can see all the data". Leave at least one record (maybe a dummy record) so that RLS also stays active during the update process of the table.
- Changes to the element / node names of the dimension tree require the RLS table to be updated as well (this is not done automatically).
- Be aware of the three major principles: RLS is explicit, additive and (only) inclusive.
How to do
As said before, we recommend uploading your RLS definitions from an Excel file. In this section you learn how to derive those RLS definitions.
Start with the Add new button to create the first RLS record:
Remember the structure of the dimension tree in this application:
You can grant these rights:
- Read = read-only access to the defined node
- Read / Write = read and write access to the defined node
- Read / Write / Create = additionally create new and edit existing elements (in the web client) below the defined node. Please note that the setting "Allow Tree Editing" on the workbook must additionally be activated for this right to take effect.
Please be aware of the following three major principles:
- RLS is explicit
The first record in the RLS table activates RLS in your application, which means that EVERY user needs at least one RLS record to get access.
That means that users with no explicit RLS definition see an empty tree and no data.
That also means that you have to add an RLS entry with permission on the top-level element(s) for yourself and for all users who are allowed to see all data.
- RLS is additive
The same user can have several RLS entries; all defined rights will be added.
- RLS is (only) inclusive
At this stage you cannot exclude a node ("negative list") from access but only include nodes ("positive list").
Since creating the RLS definitions can be very demanding, we strongly recommend automating the generation of your RLS definition list, e.g. with Excel and Power Query, and using the Upload from Excel function to bring the information into your application.
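
A generated RLS definition list can be checked against the three principles and the upload warnings before it is uploaded. The following Python sketch is an added example, not code from the product: the record layout (user, node, right), the sample tree and users, and the rules that a grant on a node covers its subtree and that the highest applicable right wins are assumptions made for illustration.

```python
# Added example, not product code. Assumptions: record layout (user, node, right),
# a grant on a node covers its subtree, and the highest applicable right wins.
RANK = {"Read": 1, "Read / Write": 2, "Read / Write / Create": 3}
UNRESTRICTED = "unrestricted (RLS inactive)"

# Constructed dimension tree: node -> parent (None marks a top-level element).
TREE = {"Total": None, "Europe": "Total", "Germany": "Europe",
        "France": "Europe", "Asia": "Total", "Japan": "Asia"}

# Constructed RLS definition list.
RECORDS = [
    ("admin", "Total", "Read / Write / Create"),
    ("anna", "Europe", "Read"),
    ("anna", "Germany", "Read / Write"),
    ("ken", "Nippon", "Read"),  # stale name: the tree calls this node "Japan"
]

def effective_right(records, user, node, tree=TREE):
    """Right a user ends up with on a node; None means the node is hidden."""
    if not records:
        return UNRESTRICTED  # empty table: RLS is off, everyone sees all data
    path = set()
    while node is not None:  # collect the node and all of its ancestors
        path.add(node)
        node = tree.get(node)
    rights = [r for u, n, r in records if u == user and n in path and r in RANK]
    return max(rights, key=RANK.get, default=None)  # additive: best grant wins

def validate(records, expected_users, full_access_users, tree=TREE):
    """Return findings for a list about to be uploaded; [] means no issue found."""
    if not records:
        return ["empty list: uploading it would deactivate RLS for every user"]
    findings = []
    for user, node, right in records:
        if node not in tree:
            findings.append(f"{user}: node '{node}' is not in the tree (renamed?)")
        if right not in RANK:
            findings.append(f"{user}: unknown right '{right}'")
    def valid_nodes(user):
        return {n for u, n, r in records if u == user and n in tree and r in RANK}
    for user in expected_users:
        if not valid_nodes(user):  # explicit: no record means an empty tree
            findings.append(f"{user}: no usable record, will see an empty tree")
    tops = {n for n, parent in tree.items() if parent is None}
    for user in full_access_users:
        if not tops <= valid_nodes(user):
            findings.append(f"{user}: missing a record on a top-level element")
    return findings
```

Calling `validate(RECORDS, ["admin", "anna", "ken", "bob"], ["admin"])` on the sample data reports the stale node name for ken and the two users who would be left with an empty tree.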