Using IDO filters to limit user access

To restrict the data that the user can see, you can place filters on the IDO. Any user client that accesses the application can then view an appropriate subset of the data in the collection, based on the filters applied to the IDO. IDO filters can be general, that is, applied to the IDO when anyone accesses it, or they can be constrained by user IDs or groups.

For example, you can create a filter so that sales personnel can view only their own opportunities and not those of other salespeople. Or you can create a filter so that your customers who log into the application through a portal can see limited information about their orders.

To turn filters on and off as needed, for example, during testing, use the Active check box.

Caution: 
By default, the Active check box is selected for all Infor-provided filters that are defined in the Row Authorizations form. If you clear the Active check box for a filter, then any user who was previously restricted by the filter is no longer restricted. For example, if you turn off the Infor-provided filters that are set on the Interactions IDO, then any customer portal user can see ALL interactions in the system, not just the ones related to that customer.

You can access (and edit) IDO filters using the Row Authorizations form, which can be launched using any of these methods:

  • On the IDOs form, click Filters to open the form filtered on the selected IDO.
  • On the Users form, click either of the buttons labeled Row Authorizations.

    The button near the User Modules button opens the Row Authorizations form filtered for the selected user. The button near the bottom, next to the Group Authorizations button (Groups tab), opens the Row Authorizations form filtered on the group selected in the grid.

  • On the Groups form, click either of the buttons labeled Row Authorizations.

    The button near the Group Authorizations button opens the Row Authorizations form filtered for the selected group. The button near the bottom, next to the User Authorizations button, opens the Row Authorizations form filtered on the user selected in the grid.

  • Use the Mongoose Explorer.

Notes regarding IDO filters

  • When logged in as a Super User, you always see unfiltered data.
  • When you display an IDO collection on a form, you can tell whether IDO filters have been applied by opening the About This Form dialog box. Any applied filters are listed in the dialog box.
  • The IDO filter is an additional clause that is added to the pseudo-SQL WHERE clause, which the runtime transforms into the SQL used to load the collection. The filters for an IDO are loaded with the rest of the metadata, so they are cached with the metadata objects. When the collection is loaded, the SQL command builder uses the metadata to add the IDO-level filter clauses to the WHERE clause, unless the load bypasses the filters (that is, it is loaded by a super user).
  • The complete IDO filter specification is built by using AND clauses with any or all of these filters:
    • The general IDO filter, where both User and Group are blank
    • The user's IDO filter, where User is set to the current login
    • The IDO filters for the user's group, where Group is set to any of the current user's group memberships. (The group filters use Boolean OR statements, because the user should be able to see the rows visible to any of the groups that user belongs to.)
  • Placing many individual user filters on an IDO requires a lot of setup and maintenance time for the system administrator. Where possible, include multiple users in a group or cross-reference table, and then apply the filter to the group or the table join.
  • Be aware that, when you use filters on IDOs that have multiple levels of IDO inheritance, or when you have users who are members of many groups that each have filters, the filter clauses can accumulate to the point where performance might suffer.
  • Look at the pseudo-SQL query that is produced. If any of the columns in the query are not indexed, it can affect processing time. Compare the pseudo-SQL query to the original query that existed before you set up Row Authorizations, to determine the outcome of the additional filtering. You can view the pseudo-SQL query using the Log Monitor utility or the IDO Runtime Development Server.
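
The following is an added example, not Mongoose code: a small Python model of how the complete filter specification described in the notes above is assembled (general AND user AND an OR of the group filters), including the Active check box and the Super User bypass. The RowAuth record layout, the group names, and the column names in the clauses are assumptions made for illustration.

```python
from dataclasses import dataclass, replace
from typing import Iterable, Optional, Set


@dataclass(frozen=True)
class RowAuth:
    """One Row Authorizations record; field names are assumed for this model."""
    ido: str
    clause: str          # pseudo-SQL predicate (constructed sample text)
    user: str = ""       # user and group both blank = general filter
    group: str = ""
    active: bool = True  # the Active check box


def effective_filter(rows: Iterable[RowAuth], ido: str, login: str,
                     groups: Set[str], super_user: bool = False) -> Optional[str]:
    """Return the clause ANDed onto the WHERE clause, or None if unfiltered."""
    if super_user:                      # Super User loads bypass the filters
        return None
    general, personal, by_group = [], [], []
    for r in rows:
        if r.ido != ido or not r.active:
            continue                    # inactive filters restrict nobody
        if r.user:
            if r.user == login:
                personal.append(r.clause)
        elif r.group:
            if r.group in groups:
                by_group.append(r.clause)
        else:
            general.append(r.clause)
    parts = [f"({c})" for c in general + personal]
    if by_group:                        # any one group's rows are visible
        parts.append("(" + " OR ".join(f"({c})" for c in by_group) + ")")
    return " AND ".join(parts) if parts else None


# Constructed sample records; column names and values are hypothetical.
SAMPLE = [
    RowAuth("Interactions", "Archived = 0"),
    RowAuth("Interactions", "Owner = 'jdoe'", user="jdoe"),
    RowAuth("Interactions", "Region = 'East'", group="SalesEast"),
    RowAuth("Interactions", "Region = 'West'", group="SalesWest"),
    RowAuth("Interactions", "CustNum = 'C001'", user="portal1"),
]

if __name__ == "__main__":
    print(effective_filter(SAMPLE, "Interactions", "jdoe", {"SalesEast", "SalesWest"}))
    print(effective_filter(SAMPLE, "Interactions", "portal1", set()))
    off = [replace(r, active=False) if r.user == "portal1" else r for r in SAMPLE]
    print(effective_filter(off, "Interactions", "portal1", set()))
```

The last call shows the effect the Caution describes: with the portal user's filter made inactive, only the general clause remains and the customer restriction is gone.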