Setting Up Data Filters in the Repository

Use these steps to assign data filters to enforce row-level security rules in the repository.

You should always set up data filters for specific application roles rather than for individual users.

To create filters, you first select objects from subject areas on which you want to apply the filters. Then, you provide the filter expression information for the individual objects. For example, you might want to define a filter like "Sample Sales"."D2 Market"."M00 Mkt Key" > 5 to restrict results based on a range of values for another column in the table.

If you are in offline mode, and application roles do not appear in the Identity Manager, see About Applying Data Access Security in Offline Mode.

You can also use repository and session variables in filter definitions. Use Expression Builder to include these variables to ensure the correct syntax.

When a repository object such as a logical fact table is accessed by multiple application roles with different levels of access, create functional groups to prevent an application role from viewing data that is restricted for that role. For example, you want your regional sales associates to see the revenue for a quarter in their assigned region, but you don’t want them to see the total segment sales for all of the regions. To avoid exposing sensitive information, you create functional groups with different levels of access, as appropriate for the specific application role, and apply them to the filter. See Specifying a Functional Group for an Application Role.

  1. In the Oracle BI Administration Tool, open your repository.
  2. Select Manage, then select Identity.
  3. In the Identity Manager dialog, double-click an application role.
  4. In the Application Role dialog, click Permissions.
  5. In the Application Role Permissions dialog, click the Data Filters tab.
  6. From the Subject Area list, select a repository object to use in the filter.
  7. Do one of the following:
    • Click the Add button, browse to locate the object to use, and then click Select.
    • Double-click the Name field in an empty row, then browse to locate the object, and double-click to select the object.
  8. Select the data filter to define, then click the Expression Builder icon.
  9. In the Expression Builder, define the condition using the repository objects and operators.
  10. (Optional) From the Status list.
  11. Click OK, then click OK again to return to the Identity Manager.