Query Security
Query security is set for each query individually by the Query creator, or the Query modifier. You can see all of your security options on the Security tab of each individual query.
Note: This Security tab is available only if the QuerySecurity system option is set to true.
Query security is based on an initial choice. You must choose one of the following and then set your specifics from there:
- Allow All: all groups can view and run this Query
- Deny All: no groups can view and run this Query, except the most recent query creator or modifier, and the groups specified in the SecurityUtilsPrivilegedGroups system option.
You can then choose to deny or allow a user group, or many user groups, the ability to view and run a query from the Query Tool and Query Central.
Allowing a Few Groups
If you want to deny most users and allow just a few groups, use the following steps:
- Setup your Query. For steps, see the Query topic.
- Go to the Security tab.
- Select the Deny All radio button. In the Denied Groups box below, -All- appears. Even if you select Deny All, the following groups are still able to view and run the query:
- the most recent query creator or modifier
- the groups specified in the SecurityUtilsPrivilegedGroups system option
- Select a user group to allow from the Group List drop-down list.
- Click the Allow Selected Group button. The selected user group appears in the Allowed Groups box.
- Repeat steps 4 and 5 for all the user groups you want to allow.
- To remove a group from the Allowed Groups box, select the group in the box and click the Remove Group button below the box. The group is removed from the Allowed Groups box.
Denying a Few Groups
If you want to allow most users and deny just a few groups, use the following steps:
- Setup your Query. For steps, see the Query topic.
- Go to the Security tab.
- Select the Allow All radio button. In the Allowed Groups box below, -All- appears.
- Select a user group to deny from the Group List drop-down list.
- Click the Deny Selected Group button. The selected user group appears in the Allowed Groups box.
- Repeat steps 4 and 5 for all the user groups you want to deny.
- To remove a group from the Denied Groups box, select the group in the box and click the Remove Group button below the box. The group is removed from the Denied Groups box.
Query Security Technicalities
- What if a user belongs to multiple groups? A user can view and run a query if he or she is in at least one group that has not been denied the query.
Example: If a user is in Groups A, B, and C, and the query is denied to Groups A, B, and Z, then the user is able to run the query because he or she is in Group C. If a different user is in only Groups A and Z, then he or she is not able to run the query.
- If a user is a super user, this does not override Query Security. The super user characteristic is irrelevant to this case.
-
Queries observe Group Table Privilege and Group Column Privilege setup. Even if the user can run a query, if the user does not have select access to a Table or Columns then they won't be allowed to use them in the query.
FAQ
Q. What happens if a user loads an audience containing a denied query?
A. Audience observes query security. If a user loads an audience containing a denied query, then that query block is empty and the audience does not function as intended.
Q. Is there a way to prevent a user from modifying a saved query? They should be allowed to run the query, just not modify it.
A. The only way to do this is to put users in Groups that can access Query Central but not the actual query links to the query designer. If you do this, however, these users will not be able to develop any of their own queries.
Q. Does Query Security work through xWeb?
A. Query Security applies as well to the GetDynamicQuery web method, based on the xWeb User.