Skip to Content
0
Mar 12, 2010 at 01:31 AM

Authorization Relevant Attribute, not being protected as a display attr.

27 Views

I have a requirement to protect sensitive attributes in InfoObject 0EMPLOYEE and related cubes using 0EMPLOYEE.

Scenario 1:

I turned on the u201CAuth. Relevantu201D flag on each of the 14 attributes in 0EMPLOYEE (RSD1-Attribute-Detail/Navigational Attribute-AuthorizRelevent Flag).

Now hear is what I was expecting for a non authorized user;

1. Not be able to run a query which has a protected attribute (Navigational).

+True+

2. Able to run a query which does not have a protected attribute.

True

3. Once query was executed, not be able to select and display any of the 14 protected attributes.

False, I was able to see, select and display any of the 14 protected attributes.

Scenario 2:

I turned on the u201CAuth. Relevantu201D flag on each of the 14 attributes in 0EMPLOYEE and I also made each of the 14 InfoObjects u201CAuth. Relevantu201D. (i.e. 0EMPLOYEE_0ISDISABLED and 0ISDISABLED)

Now hear is what I was expecting for a non authorized user;

1. Not be able to run a query which has a protected attribute (Navigational).

True

2. Able to run a query which does not have a protected attribute and the cube has none of the protected attributes as Navigational.

True

3. Once query was executed, not be able to select and display any of the 14 protected attributes.

True

4. Able to run a query which does not have a protected attribute however the cube has protected attributes as Navigational.

False, if the cube has one of the attributes defined as navigational, the query will not run.

Conclusion:

Neither of the 2 scenarios is perfect, though I think the 2nd is a better solution. But I was hopping that I can get the 1st scenario to work.

Is there missing an authorization check in the 1st scenario to prevent the user to see and select the protected attributes, sounds like a bug?

As for the 2nd scenario, am I missing something at the security level to allow the user to execute the query which doesnu2019t have any of the protected attributes but where the cube has?

Has anyone experience this situation, Iu2019m sure, I canu2019t be the firstu2026..

Perhaps thereu2019s a third scenario?

Your help would be greatly appreciated.

Thanks,

Phil