Bookshelf Home | Contents | Index | Search | PDF

Siebel Analytics Server Administration Guide > Security >

Query Execution Privileges

---

The Siebel Analytics Server allows you to exercise a fine degree of control over the information in a repository that a user can access.

Controlling Query Privileges

Controlling users' query privileges allows you to manage the query environment to the extent that you desire. You can put a high degree of query controls on users, no controls at all, or somewhere in between. Some types of activities you may want to limit are:

Controlling runaway queries.
Restricting users to certain rows or certain columns.
Restricting query access to certain time periods.

All restrictions and controls can be made at the user level, at the group level, or a combination of the two. The next section provides details about setting up query execution privileges.

Specifying Query Execution Privileges

The following procedure explains how to specify explicit query privileges for a user or group.

To specify explicit query privileges

To specify rights for a user or a group explicitly, click Permissions in either the User or Group dialog box.

The User/Group Permissions dialog box appears.

By clicking Add, you can choose any object in the repository and explicitly allow or disallow access to the object. If the box in the Read column has a check mark in it, the user or group is granted read privileges on the object. If the box in the Read column has an X through it, the user is disallowed read privileges on the object. If the box in the Read column is blank, no action is taken on the object; that is, any existing privileges (for example, through a group) on the object apply.

If you explicitly deny access to an object that has child objects, the child objects are also denied access. For example, if you explicitly deny access to a particular physical database object, you are implicitly denying access to all of the physical tables and physical columns in that catalog.

NOTE:  If a user or group is granted or disallowed privileges on an object from multiple sources (for example, explicitly and through one or more groups), the privileges are used based on the order of precedence, as described in Group Inheritance.

To set limits explicitly on the time periods when the user or group has access, the number of rows returned, or the maximum database processing time for each of the underlying databases, open the Query Limits tab of the User/Group Permissions dialog box.
To specify a maximum number of rows each query can retrieve from a database, specify a number of rows in the Max Rows column and change the Status Max Rows to either Enable, Warn, or Ignore:
Enable. This limits the number of rows to the value specified. If the number of rows exceeds the Max Rows value, the query is terminated.
Warn. If the row limit is reached, a message will be logged in the NQServer.log file, and in the NQQuery.log file if logging is enabled for the user. The query will continue to run. The Siebel Analytics Server administrator can use the information in the log entry to identify the query.
Ignore. Limits will be inherited from the parent group. If there is no row limit to inherit, no limit is enforced.

To disable any limits, set the Status Max Row setting to Disable.

To specify the maximum time a query can run on the database, enter a time in the Max Time column and change the Status Max Time to either Enable, Warn or Ignore. These options are identical to those for limiting the number of rows returned.
To restrict access to a database during particular time periods, click on the button in the Restrict column to open the Restrictions dialog box.
To explicitly allow access during a particular time period of the week, select the time period and click Allow.
To explicitly disallow access during a particular time period of the week, select the time period and click Disallow.
If a time period is not selected, access rights remain unchanged; if access is allowed or disallowed explicitly and in one or more groups, the user is granted the least restrictive access for time periods that are defined. For example, suppose a user is explicitly allowed access all day on Mondays, but belongs to a group that is disallowed access during all hours of every day. This means that the user will have access on Mondays only.
To specify a filter to apply to an object, open the Filters tab of the User/Group Permissions dialog box.
Add an object to filter by clicking the Add button, navigating to the object you want to filter in the Browse dialog box, and double-clicking on the object. After selecting the object, it appears in the list in the User/Group Permissions Filters dialog box.
Click the Expression Builder button to the right of the Business Model Filter cell corresponding to the object you want to filter.
Use the Expression Editor to create a logical filter.

The Status column indicates if the filter is in use and has the following values:

Enable. The filter is applied to any query that accesses the object.
Disable. The filter is not used and no other filters applied to the object at higher levels of precedence (for example, through a group) are used.
Ignore. The filter is not in use, but any other filters applied to the object (for example, through a group) are used. If no other filters are enabled, no filtering will occur.

Bookshelf Home | Contents | Index | Search | PDF