About data security
To ensure that only correctly authorized users access data items, the data used by a report, gadget, or cross-tab must be secured. Either the data source or the Actuate product can provide the security checking. Typically, BIRT iHub uses a single set of credentials to access a data source. To provide user-based data filtering or blocking, BIRT iHub modifies a query sent to a data source for live data, filters rows retrieved from a data source, or filters cached data in a data store.
Actuate provides the following ways to secure data:
* Access control lists on data set rows and columns
This technique applies to a single data set in a data store only and does not transfer to other data sets linked in the data model. This technique is not available to data sets accessing live data.
For example, a sales representative sees orders for his customers only, but a sales manager sees orders for all his sales representatives' customers. Using the same data set, the sales representative can see only products ordered by his customers. Using a data model that links customer and order data sets, the sales representative sees all order and customer information.
* Access control lists on data objects and data stores in an iHub volume
This technique controls the visibility of the entire data object or data store.
For example, only managers at director level and above have access to a data object providing employee salary information.
* Data security rules on categories and columns in data models
This technique provides the most extensible and granular security for data rows.
For example, a sales representative sees sales of products for only his customers, and can use the same data model to see a full list of products. Using a data model that links customer and order data sets, the sales representative sees order and customer information for only his customers.
Using security IDs
All of these security models use the user names and user groups available to BIRT iHub. User names and user groups are known as security IDs. The developer of the data design or report design must know the naming conventions of the security IDs in the iHub environment. Typically, the developer accesses a user acceptance test (UAT) environment that mimics the setup of the live iHub and provides data sources that contain non-confidential information. The UAT environment protects sensitive data and speeds the design process by using smaller data sets. The developer uses a connection profile or connection configuration file to access the data sources. On deploying the design to the live environment, the system administrator changes the connection data in the file to access live data rather than UAT data.
Access control lists and data security rules
Data security rules are not compatible with access control lists on data sets. Using data security rules on an existing data model disables any access control lists on rows or columns in a data set in the data object. Because a data object including multiple data sets does not apply access control lists, using data security rules provides security that is not otherwise available for data provided by a data object.
If a data security rule is assigned to a category or column in a data model that was created using an earlier release of BIRT Designer Professional, the following message appears when the Data Security Rule manager is closed:
Do you want to activate this security rule by enabling data security on this Data Object? To change your choice, select the Data Object and, in Properties—Advanced, edit Enable data security.
Choosing Yes in response to this message disables all access control lists on data sets in the data object. If the data object has multiple linked data sets, access control lists are already disabled.
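The following conceptual model contrasts row access control lists on a single data set with a data security rule on a linked data model, as described above, and includes a check for rows that reach the wrong representative. It is an added example, not Actuate code: the user names, group names, sample rows, and the way ACLs and rules are represented are all constructed assumptions.

```python
# Conceptual model of the behaviour described on this page; constructed data,
# hypothetical names. This is not Actuate code or an Actuate API.
USERS = {  # security IDs: user name plus user groups
    "rep_alice": {"rep_alice", "sales_reps"},
    "rep_bob": {"rep_bob", "sales_reps"},
    "mgr_carol": {"mgr_carol", "sales_managers"},
}
CUSTOMERS = [{"customer": "Acme", "rep": "rep_alice"},
             {"customer": "Globex", "rep": "rep_bob"}]
ORDERS = [  # each row carries its own ACL (assumed representation)
    {"order": 1, "customer": "Acme", "product": "Widget", "acl": {"rep_alice", "sales_managers"}},
    {"order": 2, "customer": "Globex", "product": "Gadget", "acl": {"rep_bob", "sales_managers"}},
    {"order": 3, "customer": "Acme", "product": "Gizmo", "acl": {"rep_alice", "sales_managers"}},
]

def acl_dataset(user):
    """Row ACL on the single orders data set: rows without a matching ID are dropped."""
    return [o for o in ORDERS if o["acl"] & USERS[user]]

def linked_model():
    """Join orders to customers, as a data model linking both data sets would."""
    rep = {c["customer"]: c["rep"] for c in CUSTOMERS}
    return [{**o, "rep": rep[o["customer"]]} for o in ORDERS]

def acl_linked(user):
    """Row ACLs are not applied across linked data sets: every joined row comes back."""
    return linked_model()

def rule_linked(user):
    """Data security rule on the customer category (assumed form: own customers, or manager group)."""
    ids = USERS[user]
    return [r for r in linked_model() if r["rep"] in ids or "sales_managers" in ids]

def rule_products(user):
    """The rule restricts customers, not products, so the product list stays complete."""
    return sorted({o["product"] for o in ORDERS})

def exposed_customers(rows, user):
    """Audit check: customers in a result set that belong to a different representative."""
    if "sales_managers" in USERS[user]:
        return set()
    rep = {c["customer"]: c["rep"] for c in CUSTOMERS}
    return {r["customer"] for r in rows if rep[r["customer"]] != user}

if __name__ == "__main__":
    for name, view in [("ACL, one data set", acl_dataset), ("ACL, linked model", acl_linked),
                       ("rule, linked model", rule_linked)]:
        print(name, "->", exposed_customers(view("rep_alice"), "rep_alice") or "no exposure")
```

Running the same kind of check in a UAT environment, once per representative security ID, confirms whether a linked data model still depends on data set access control lists that are no longer applied.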