A data security rule can use columns from any category or data set in the model and be assigned to any category in the model. If the rule assigned to a category uses columns from a different category or data set, the data model uses the joins defined between the linked data sets to enforce the security rule. For example, the following rule in a data model based on the Classic Models Inc. Sample Database uses the Country field in the Customers category:
hasUserACL( dataSetRow["Country"] )
Assigning this rule to the Orders category requires a join between the data sets for Customers and Orders. A report that uses only the Orders category does not need to include the Customers category. The data security is enforced whether or not the report uses the Customers category.
Assigning this rule to the Order Details category requires an additional join between the data sets for Orders and Order Details. A report that uses only the Order Details category does not need to include either of the Customers or Orders categories. The data security is enforced whether or not the report uses the Customers or Orders categories.
How to test implicit join behavior
To test the join behavior between linked data sets using a data security rule, first create a data security rule that uses a data column, as described in How to create a data security rule and assign it to a category. Then, perform the following steps. The example shows the effect of securing orders by requiring a country security ID from the Customers category.
1 Double-click the data model. The data model designer appears.
2 Create or select a data security rule using a security ID based on a data column.
3 Assign the rule to a category that does not include the data column used in the rule. The rule shown in Figure 11‑9 uses a column from the Customers category and is assigned to both the Orders and Customers categories.
Figure 11‑9 The CountryRule data security rule assigned to the Orders category
4 Open or create a report design that uses the category protected by the data security rule and that does not contain the column used in the rule. Test the rule as described in How to use BIRT Designer Professional to test a data security rule. The report shows no records if you type an Access Control List that does not include a valid data value. If you type a valid data value, a subset of records appears even though the report does not use the category that contains the column used in the rule, as shown in Figure 11‑10.
Figure 11‑10 The order report for a user having the security ID, Austria
