AX1848

Using the AI Tables tab to manage security for visualization reporting

Depending on the type of data model delivered by a product, the AI Tables tab can be used to manage security for the data in that model. Consult your product documentation for information on whether the AI Tables tab applies to a particular model.

Any permission changes made to the AI Tables tab do not take effect immediately. Security changes must be synchronized before they apply to the static data set used by visualization reporting.

How AI Tables security permissions work

To define security for visualization data, you can grant full or filtered access on a per table basis, for the tables used in the visualization model. This security is applied only when users are viewing data within visualization reports.

Security permissions for visualization data are not configured in the same way as table permissions set on the Tables tab. For example:

Data access in visualization reports is always read-only. Visualization reports do not support saving data. "Full access" in this context does not mean read/write access; it means the user is eligible to view all eligible data for the table within visualization reports.
Table types cannot be used when configuring security for visualization data. Security is set at the table level only.
The permissions set on the AI Tables tab have no impact on the permissions set on the Tables tab, and vice versa. For example, a user can have full access to a table within Axiom (via the Tables tab), but no access to the same table within visualization reports (via the AI Tables tab).

Additionally, the configuration of the visualization model impacts the way that security permissions are applied to tables. Generally speaking, product-delivered models are configured as follows:

Tables with lookup relationships are configured to have dependent security in visualization reporting. This means that if a table has a lookup to a reference table, any AI security filters defined on the lookup reference table apply to both tables.

For example, imagine that you have a table named Encounter with a lookup to the Entity table. If the Entity table has an AI filter defined of Entity=3000, this filter also applies to the Encounter table. This is different from regular Axiom table security, where filters defined on lookup reference tables only apply when the lookup reference table is the primary table for the query.
Models are configured so that AI security can be set on certain important reference tables. This security is then inherited by other tables that look up to these securable tables. This simplifies the security setup and allows full use of business intelligence features within reports.
If a table in the model is not flagged as securable, and does not look up to a securable table, then all users have access to the data in that table within visualization reports. This should be reserved for supporting tables that do not contain financial data or other sensitive data.

Role inheritance and subsystem restrictions work as normal for AI Tables permissions.

Configuring security using the AI Tables tab

Access to data in visualization reports is controlled using the AI Tables tab. You can configure permissions at the user and/or role level. If subsystems are used, the subsystem must also configure permissions on this tab, to define the boundary of allowed permissions for users in that subsystem.

The left-hand side of the tab lists the tables that have been flagged as "securable" in the visualization model. As discussed in the previous section, product-delivered models are typically configured so that only important reference tables are configured as securable. Any security defined on these reference tables applies to the reference table itself, and any tables that look up to the reference table.

When you select a table in the list, you can configure the security settings for the user or role within the Configured Permissions section in the right-hand side of the tab.

Example AI Tables tab

For each table, you can grant full or filtered access to its data as follows:

Item	Description
Full AI Access	Selecting this option means the user is eligible to view all data in this table, within visualization reports. If this option is enabled, the AI Filter box is hidden because it no longer applies.
AI Filter	Defining a filter means the user is eligible to view all data in the table that meets the filter, within visualization reports. To define a filter, type the filter into the Filter box, or use the Filter Wizard . After defining a filter, you can validate the filter syntax by clicking the Validate filter button .

Item

Description

Full AI Access

Selecting this option means the user is eligible to view all data in this table, within visualization reports.

If this option is enabled, the AI Filter box is hidden because it no longer applies.

AI Filter

Defining a filter means the user is eligible to view all data in the table that meets the filter, within visualization reports.

To define a filter, type the filter into the Filter box, or use the Filter Wizard . After defining a filter, you can validate the filter syntax by clicking the Validate filter button .

As discussed in the previous section, the user's eligibility to view data from a table may be further impacted by the security permissions set on tables with lookup relationships. For example, a user might have Full AI Access enabled for the Dept table, but if that table looks up to another securable table, then the ability to view data in the Dept table is also impacted by the user's permissions on the lookup reference table.

If neither option is configured, then the user has no access to data in the table, within visualization reports.

Synchronizing security updates

When the visualization model and data are initially synchronized, the current security settings as defined on the AI Tables tab are applied as well. If any changes are made in Axiom security that impact access to visualization data, these changes must be synchronized or else they will not take effect in visualization reports.

The following types of security changes affect visualization reporting:

Any changes to the AI Tables tab, for any user, role, or subsystem
Adding a user to a role or a subsystem, if the role or subsystem has defined permissions on the AI Tables tab
Removing a user from a role or a subsystem, if the role or subsystem has defined permissions on the AI Tables tab

When you save security settings in the Security Manager dialog, or using Open Security in Spreadsheet, or using a Save Type 4 report, the security settings are automatically synchronized with visualization reporting. This means that saving security may take longer in systems with visualization reporting enabled.