We have an XML Publisher template that uses a query (built in query manager) as a data source. The query uses a custom view containing confidential data. The report is to be used by managers to view information on their direct reports – this is accomplished by setting parameters on the page. Since we have to make the record available to Query, any manager that also has permission to write queries can also see the record, and thus data on employees other than the ones that report to them. The Query also has to be public, so it too will be available to anyone that has access to run queries. We’d like to be able to:
- Make the query available only via the page (I think I’ve got this one – the page will pass an additional parameter which will be compared to in the WHERE clause of the query)
- Hide the custom record from anyone but the query/report
We cannot use typical row-level security as a general manager should only be able to see the people that report up to them.
Thanks
To enable security over the data that is being shown when a user tries to query a particular record (using Query Manager), you can use a query security record in which you could verify the user that is trying to access the data. Generally, a dynamic view is used here wherein you could check the OPRID trying to access the data, and accordingly serve the data. Query Manager picks up the query security record automatically in the SQL.
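A model of the approach in the reply above, added here as an example and not code from either poster or from PeopleSoft: a security view keyed by OPRID is joined to the confidential data so each operator gets back only the employees who report up to them. It runs on SQLite from Python; every table, view and column name except OPRID is hypothetical, and the data is constructed.

```python
import sqlite3

# Constructed sample data. All object names except OPRID are hypothetical
# stand-ins, not delivered PeopleSoft records.
SCHEMA = """
CREATE TABLE emp (emplid TEXT PRIMARY KEY, supervisor_id TEXT, salary INTEGER);
CREATE TABLE opr (oprid TEXT PRIMARY KEY, emplid TEXT);
INSERT INTO emp VALUES ('E1', NULL, 300), ('E2', 'E1', 200), ('E3', 'E2', 100),
                       ('E4', 'E1', 150), ('E5', 'E4', 90);
INSERT INTO opr VALUES ('GM', 'E1'), ('MGR_A', 'E2'), ('MGR_B', 'E4'),
                       ('STAFF', 'E3');

-- Security view: one row per (operator, employee reporting up to that operator).
CREATE VIEW emp_sec_vw AS
WITH RECURSIVE chain(oprid, emplid) AS (
    SELECT o.oprid, e.emplid FROM opr o JOIN emp e ON e.supervisor_id = o.emplid
    UNION
    SELECT c.oprid, e.emplid FROM chain c JOIN emp e ON e.supervisor_id = c.emplid
)
SELECT oprid, emplid FROM chain;
"""


def build():
    """Create the in-memory database with the sample hierarchy."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def run_as(conn, oprid):
    """Model of the security join for the signed-on operator: a row is returned
    only if the security view pairs this OPRID with that employee."""
    cur = conn.execute(
        "SELECT d.emplid, d.salary FROM emp d "
        "JOIN emp_sec_vw s ON s.emplid = d.emplid "
        "WHERE s.oprid = ? ORDER BY d.emplid",
        (oprid,),  # bound parameter, never concatenated into the SQL
    )
    return cur.fetchall()


if __name__ == "__main__":
    conn = build()
    for user in ("GM", "MGR_A", "MGR_B", "STAFF"):
        print(user, run_as(conn, user))
```

An operator with no rows in the security view gets an empty result, so a user who can write queries but manages nobody sees nothing from the confidential table.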