The security file defines permissions to control access to Domain data on the basis of user names and roles existing in the server. When creating or running a report based on a Domain, the user name and roles are checked against the permissions in the security file. Permissions can be set separately on the data's columns and rows:
• Security on columns is defined by permissions on the sets and items of the Domain, corresponding to columns in the data source. For example, only certain users might be able to see sensitive employee information such as a Social Security Number.
• Security on rows is defined by permissions on the data values. For example, a manager might be allowed to see the salary column of only employees whose manager field equals that manager’s employee number.
The IDs of tables, columns, sets and items that appear in the design are referenced by the security file. In Domains, columns display the items in the Domain; rows display the values of each item.
A user can see results only where he has both column- and row-level access.
For a given query on the data source, the security definition finds the access grants and determines access rights, first for item groups and items, then for resources. When the query is passed to the data source and the report is run, the grants are applied as filters on the report’s columns and rows. Security defined on the physical layer applies to all content in the presentation layer. Security defined on a join applies only to the presentation layer content specific to the join.
When a user is designing a report in the Ad Hoc Editor, he sees only the columns to which he has access. When the report runs, portions to which the user has no access are blank.
All access grants for a Domain are defined in a single security file attached to the Domain as a resource, as described in Security and Locale Information for a Domain. By default, access is granted.
When creating a security file, be sure to use the IDs of items and groups as they are defined in the Domain design file exported from the Domain Designer. For more information, see The Domain Design File.
If you modify the Domain, you should also export the design file and update the security file with any IDs that have changed. Update the security file using the Change function on the Edit Domain page of the Domain Designer.
For the structure and syntax of the security file, see "Domain and Security Recommendations" in the Server Security Guide.
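The ID check described above can be scripted after each export of the design file. The following is an added example, not code from the product or its documentation: the XML samples are constructed and heavily simplified, and the element names and the `resourceId`, `itemGroupId` and `itemId` attribute names are assumptions to confirm against your own files and the Server Security Guide.

```python
import xml.etree.ElementTree as ET

# Attribute names assumed for this sketch; confirm them against your own files.
REF_ATTRS = ("resourceId", "itemGroupId", "itemId")

# Constructed, heavily simplified stand-ins for an exported design file
# and a security file (not real product output).
DESIGN_XML = """
<schema>
  <itemGroup id="employees">
    <item id="emp_name"/>
    <item id="emp_salary"/>
  </itemGroup>
  <jdbcTable id="JoinTree_1"/>
</schema>
"""

SECURITY_XML = """
<securityDefinition>
  <resourceAccessGrantList id="rows" resourceId="JoinTree_1"/>
  <itemGroupAccessGrantList id="cols" itemGroupId="employees">
    <itemAccessGrantList id="ssn_list" itemId="emp_ssn"/>
    <itemAccessGrantList id="sal_list" itemId="emp_salary"/>
  </itemGroupAccessGrantList>
</securityDefinition>
"""

def design_ids(design_xml):
    """Every id attribute declared anywhere in the design file."""
    root = ET.fromstring(design_xml)
    return {el.get("id") for el in root.iter() if el.get("id")}

def stale_references(design_xml, security_xml):
    """Sorted (attribute, value) pairs in the security file with no matching design id."""
    known = design_ids(design_xml)
    stale = set()
    for el in ET.fromstring(security_xml).iter():
        for attr in REF_ATTRS:
            ref = el.get(attr)
            # An empty reference is skipped rather than reported.
            if ref and ref not in known:
                stale.add((attr, ref))
    return sorted(stale)

if __name__ == "__main__":
    for attr, ref in stale_references(DESIGN_XML, SECURITY_XML):
        print(f"stale {attr}: {ref!r} is not defined in the design file")
```

In the constructed sample, the grant on `emp_ssn` is reported because no item with that ID exists in the design. Because the default access is granted, a finding like this should be reviewed before the security file is uploaded again.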