Hierarchy Position Security
In the Retail Insights (RI) and AI Foundation (AIF) applications, position-level security is managed using database tables and associated flat file loads. Unlike RPAS application position security, the data provided through this process is more like data filtering; it is not a guaranteed limit to the user’s access in all cases. The data-level security mapping is provided through interface files: RAF_SEC_USER.dat, RAF_SEC_GROUP.dat, RAF_SEC_USER_GROUP.dat, RAF_FILTER_GROUP_MERCH.dat, and RAF_FILTER_GROUP_ORG.dat. If you are accessing the tables from APEX, then the table name is the same as the filename without the extension (such as RAF_SEC_USER).
The security tables exist in multiple database schemas, so specify the application user when querying or writing to the tables (RADM01 or RASE01 user schemas for RI and AIF, respectively).
- RAF_SEC_USER.dat contains the USER_ID (LDAP ID) for any user who has data access limits defined.
- RAF_SEC_GROUP.dat contains the GROUP_ID to group together multiple sets of users having the same access levels.
- RAF_SEC_USER_GROUP.dat contains the mapping between USER_ID and GROUP_ID. Individual users are not assigned data permissions; this is done with security groups.
- RAF_FILTER_GROUP_MERCH.dat contains the access mapping between any merchandise hierarchy level, Merch ID on that level, and the GROUP IDs. This mapping defines what the group is allowed to access. Anything not included is restricted.
- RAF_FILTER_GROUP_ORG.dat contains the access mapping between Organization hierarchy level, Org ID on that level, and the GROUP IDs. This mapping defines what the group is allowed to access. Anything not included is restricted.
If a user is not mapped into any of these files, then they have full access to the data in RI and AIF applications. If a user runs a report in RI that is above the security level (such as a Division level report when the security settings are at Department level) then they will get all data from the database returned without restriction, as it is not possible to filter the report at levels above the security level. The data filtering does not apply to custom datasets built using DV, nor does it apply to queries run in Innovation Workbench. You are expected to limit the user’s access to these tools if you do not want them to have unrestricted data access.
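Because an unmapped user silently gets full access, it is worth auditing the mapping against your real user list before loading it. The following is an added example, not Oracle code: it takes already-parsed rows (the file layout, the filter row shape, and all sample values are assumptions), reports which users would be unfiltered, and flags partially mapped users for review, since the page does not say how the applications treat them.

```python
from collections import defaultdict

def audit_position_security(known_users, sec_users, sec_groups, user_groups,
                            merch_filters, org_filters):
    """Classify known users by RAF_* coverage. Rows are pre-parsed tuples."""
    groups_of, filters_of = defaultdict(set), defaultdict(set)
    for user_id, group_id in user_groups:          # (USER_ID, GROUP_ID)
        groups_of[user_id].add(group_id)
    # Assumed row shape for both filter files: (GROUP_ID, hierarchy level, ID on that level)
    for kind, rows in (("MERCH", merch_filters), ("ORG", org_filters)):
        for group_id, level, level_id in rows:
            filters_of[group_id].add((kind, level, level_id))
    sec_users, sec_groups = set(sec_users), set(sec_groups)
    report = {}
    for user in sorted(known_users):
        groups = groups_of.get(user, set())
        if user not in sec_users and not groups:
            # Per the page: a user mapped in none of the files has full access.
            report[user] = ("UNMAPPED_FULL_ACCESS", [])
            continue
        issues = []
        if user not in sec_users:
            issues.append("in RAF_SEC_USER_GROUP but not RAF_SEC_USER")
        if not groups:
            issues.append("no group mapping")
        for g in sorted(groups):
            if g not in sec_groups:
                issues.append(f"group {g} not in RAF_SEC_GROUP")
            if not filters_of.get(g):
                issues.append(f"group {g} has no filter rows")
        # Behaviour for inconsistent mappings is not documented on the page: flag it.
        report[user] = ("REVIEW" if issues else "FILTERED", issues)
    return report

# Constructed sample data (user names, group IDs and levels are not from the page).
KNOWN_USERS = ["alice", "bob", "carol", "dave"]    # e.g. an LDAP export
SEC_USERS = ["alice", "bob", "carol"]
SEC_GROUPS = ["G_DEPT_10", "G_EMPTY"]
USER_GROUPS = [("alice", "G_DEPT_10"), ("bob", "G_EMPTY")]
MERCH_FILTERS = [("G_DEPT_10", "DEPT", "10")]
ORG_FILTERS = [("G_DEPT_10", "REGION", "1")]

def run_sample():
    return audit_position_security(KNOWN_USERS, SEC_USERS, SEC_GROUPS,
                                   USER_GROUPS, MERCH_FILTERS, ORG_FILTERS)

if __name__ == "__main__":
    for user, (status, issues) in run_sample().items():
        print(user, status, "; ".join(issues))
```

Users reported as UNMAPPED_FULL_ACCESS should either be added to the mapping or be confirmed as intentionally unrestricted.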
If you do not wish to use the files and want to populate the data from APEX instead, separate functionality is provided to do so. Refer to the “Extensibility” chapter of the RAP Implementation Guide for more details.