Hierarchy Position Security

In the Retail Insights (RI) and AI Foundation (AIF) applications, position-level security is managed using database tables and associated flat file loads. Unlike RPAS application position security, the data provided through this process works more like data filtering; it is not a guaranteed limit on the user’s access in all cases. The data-level security mapping is provided through interface files: RAF_SEC_USER.dat, RAF_SEC_GROUP.dat, RAF_SEC_USER_GROUP.dat, RAF_FILTER_GROUP_MERCH.dat, and RAF_FILTER_GROUP_ORG.dat. If you are accessing the tables from APEX, then the table name is the same as the filename without the extension (such as RAF_SEC_USER). The security tables exist in multiple database schemas, so specify the application user when querying or writing to the tables (RADM01 or RASE01 user schemas for RI and AIF, respectively).

  • RAF_SEC_USER.dat contains the USER_ID (LDAP ID) for any user who has data access limits defined.

  • RAF_SEC_GROUP.dat contains the GROUP_ID to group together multiple sets of users having the same access levels.

  • RAF_SEC_USER_GROUP.dat contains the mapping between USER_ID and GROUP_ID. Individual users are not assigned data permissions; this is done with security groups.

  • RAF_FILTER_GROUP_MERCH.dat contains the access mapping between any merchandise hierarchy level, Merch ID on that level, and the GROUP IDs. This mapping defines what the group is allowed to access. Anything not included is restricted.

  • RAF_FILTER_GROUP_ORG.dat contains the access mapping between Organization hierarchy level, Org ID on that level, and the GROUP IDs. This mapping defines what the group is allowed to access. Anything not included is restricted.

If a user is not mapped into any of these files, then they have full access to the data in RI and AIF applications. If a user runs a report in RI that is above the security level (such as a Division level report when the security settings are at Department level), then they will get all data from the database returned without restriction, as it is not possible to filter the report at levels above the security level. The data filtering does not apply to custom datasets built using DV, nor does it apply to queries run in Innovation Workbench. You are expected to limit the user’s access to these tools if you do not want them to have unrestricted data access.
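Because an unmapped user defaults to full access, it is worth checking the five files against each other and against the list of people who can log in before loading them. The following is an added example, not Oracle-supplied code: the pipe delimiter, the absence of a header row, the column order, the sample rows, and the `ALL_USERS` list are all assumptions made for illustration.

```python
import csv
import io

# Constructed sample file contents. Pipe delimiter, no header row and the
# column order shown are assumptions; adjust to the real interface layout.
SEC_USER = "jdoe\nasmith\nbwong\n"                      # USER_ID
SEC_GROUP = "GRP_APPAREL\nGRP_EAST\nGRP_EMPTY\n"        # GROUP_ID
USER_GROUP = "jdoe|GRP_APPAREL\nasmith|GRP_EAST\nmlee|GRP_OLD\n"  # USER_ID|GROUP_ID
FILTER_MERCH = "DEPT|1010|GRP_APPAREL\n"                # level|Merch ID|GROUP_ID
FILTER_ORG = "REGION|20|GRP_EAST\n"                     # level|Org ID|GROUP_ID
# Constructed list of everyone who can log in (for example, a directory export).
ALL_USERS = ["jdoe", "asmith", "bwong", "mlee", "cpatel"]


def column(text, index, delimiter="|"):
    """Return the set of non-empty values found in one column of a delimited file."""
    rows = csv.reader(io.StringIO(text), delimiter=delimiter)
    return {row[index].strip() for row in rows
            if len(row) > index and row[index].strip()}


def audit(all_users, sec_user, sec_group, user_group, filter_merch, filter_org):
    """Cross-check the five security files and return findings by category."""
    users = column(sec_user, 0)
    groups = column(sec_group, 0)
    mapped_users = column(user_group, 0)
    mapped_groups = column(user_group, 1)
    filtered_groups = column(filter_merch, 2) | column(filter_org, 2)
    return {
        # Absent from every file: per the text above, these users see all data.
        "unrestricted_users": sorted(set(all_users) - users - mapped_users),
        # Inconsistencies to review before loading the files.
        "users_without_group": sorted(users - mapped_users),
        "mapping_user_not_in_sec_user": sorted(mapped_users - users),
        "mapping_group_not_in_sec_group": sorted(mapped_groups - groups),
        "groups_without_filter_rows": sorted(groups - filtered_groups),
    }


if __name__ == "__main__":
    report = audit(ALL_USERS, SEC_USER, SEC_GROUP, USER_GROUP, FILTER_MERCH, FILTER_ORG)
    for finding, values in report.items():
        print(f"{finding}: {values}")
```

The `unrestricted_users` list is the one to review first, since those accounts are not filtered at all; the other categories flag rows that do not line up across files and should be resolved before the load.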

If you do not wish to use the files and want to populate the data from APEX instead, separate functionality is provided to do so. Refer to the “Extensibility” chapter of the RAP Implementation Guide for more details.