More than one Data Security Profile or Business Security Profile defined for a universe may be assigned to the same user. Multiple profiles can be directly assigned to a user or group and inherited from parent groups. When this happens, the security settings in the different profiles are aggregated to result in one effective Data Security Profile, and one effective Business Security Profile. These profiles are called net profiles.
Methods for Aggregating Security Settings
- Priority
Used to aggregate Data Security Profile settings. You can prioritize the Data Security Profiles in the Security Editor.
- Restriction
Some Data Security Profile settings and all Business Security Profile settings are aggregated based on restriction level: very restrictive, moderately restrictive, or less restrictive. The restriction level defines which operators to use to aggregate profiles. Different aggregation operators are used depending on whether the profile is inherited or merged.
Inherited and Merged Profiles
If the user or group is assigned Profile A and belongs to a group that is assigned Profile B, Profile A and Profile B are inherited.
If the user or group belongs to a group assigned Profile A and another group assigned Profile B, Profile A and Profile B are merged.
If the user or group is assigned both Profile A and Profile B, Profile A and Profile B are merged.
Restriction Levels and Profile Aggregation
You can change these restriction levels in the Security Editor to affect how the profiles are aggregated.
The less restrictive level is appropriate when security is designed with roles, each role granting new rights to the user.
The most restrictive level is appropriate when each profile is used to restrict what the user can see.
The moderately restrictive level uses the most restrictive level for inherited profiles and the less restrictive level for merged profiles.
Note
The Data Security Profile Rows setting and Business Security Profile Filters setting both generate a WHERE clause to filter the query. The Rows setting is the first to be applied. The WHERE clause in the Filters setting is then applied to the results of the first query. In effect, the two WHERE clauses are aggregated with the AND operator.
The operations used to aggregate profile settings (for example AND, OR) vary for the different settings. For more information about aggregation for each type of setting, see the Information Design Tool Users Guide.