Overview
Secured Variables resolve to values based on the User that is logged into the system. They are derived from an individual User or a User’s Domain. They are applied to queries in the pipeline like Node Variables, but their values are based on a User’s identity rather than a record in the underlying dataset.
Note: Secured variables are limited to 4000 characters.
Default Secured Variables
Default Secured Variables can be treated two different ways within the system:
- They can be used to simply validate sources, which requires an admin to set up different Secured Variables for Domains or Users.
- They can be applied as defaults for all Users, which makes setting Secured Variables for Domains and Users optional.
Creating a Default Secured Variable
A default Secured Variable has to be created before the Secured Variable options show up for Domains and Users.
To create a default Secured Variable, select “Manage By: Defaults”, and then click on the “Secured Variables” tab.
The following actions are available via footer controls:
Action | Description |
---|---|
Add a new Secured Variable. Adding a new default secured variable will cause it to show up as an option for all Domains and Users. | |
Edit an existing Secured Variable. This action requires first selecting a Secured Variable. | |
Delete a Secured Variable from the system. Deleting a default secured variable is a global action that affects Domains and Users. This action required first selecting a Secured Variable. Note: Deleting a default Secured Variable will also remove that Variable from the system. Attempting to delete a Secured Variable which is still referenced will be blocked, and any remaining references will be listed. |
Adding a “Default” Secured Variable
Adding a global Secured Variable will cause new Secured Variables to show up on the User and Domain Provisioning views.
Property | Description |
---|---|
Name | Symbolic name to use for this Variable. This label will be displayed on the User and Domain Provisioning views. |
Validation Value | Static: This option takes a STRING value. STRING values will always be used as the default value, regardless of who is logged in. Expression: This option binds the default value to session information. The resulting value will vary based on who is logged in. |
Value Usage | This setting determines how the Secured Variable will be used. Use for validation only: This value will only be used to validate endpoints. It will not be inherited as a default for Domains or Users. With this option selected, a separate value must be set for a User, or a User’s Domain. Use as a default value: This value will be used to validate endpoints, as well as a default value for all Users. This “default” value can be overwritten at the User or Domain level. |
Adding Secured Variables for Users and Domains
Once a default Secured Variable has been created, an administrator can set up different values to use for individual Users, or for groups of users (Domains).
- Select “Manage By: Domains”
- Click a Domain Name (left panel)
- Select the “Secured Variables” tab (right panel)
- Click on the Secured Variable to add (right panel)
- To set a different value, click the “Edit” icon (right panel)
Properties
Properties | Description |
---|---|
Inherited | This option determines whether to inherit a global default for the selected Domain. Yes – the default value for this Security Variable will be inherited from the globally defined default value. No – This new property will be used to override the global Default Value with a unique value for this Domain. This enables Value property. |
Default Value | Shows the globally defined “Default” value for this Secured Variable. This value is in effect when “Inherited” is set to “Yes”. |
Value | This Property will appear when “Inherited” is set to “No”. The value entered for this property will override the globally defined Default Value. It can be set two different ways: Static – Manually enter a STRING value. Expression: Derive the value from a common object in the system, such as the login name for a user. |
Inheriting Default Values
When inheriting values for Secured Variables, the “Default Value” will be displayed as a reference.
When trying to inherit a Secured Variable that has no default value set, a warning message will appear in place of the “Default Value”.
Overriding Secured Variables
Overriding Secured Variables can be done statically, with a STRING value.
A more advanced “Expression” option is also available to dynamically create values based on common objects, such as the login name for a User.
Applying Secured Variables in Queries and Sprints
To take advantage of the Secured Variables that have been configured, they have to be introduced into queries using the Insert → Secured Variable button. This is done in the pipeline.
The example below assumes we have information from multiple companies, and that the administrator wants to limit those records based on the company a specific user works for. The resulting query would look something like this:
select * from {src.AllEvents} where CompanyID = {secVar.CompanyName}
The green block used in the where clause shows a Secured Variable. The CompanyName Secured Variable will resolve to the value set up in the provisioning interface. For example:
- If “User1@CompanyA” logs in, they will see only events for Company A.
- If “User1@CompanyB” logs in, they will see only events for Company B.
Because the Secured Variable is used inside of a WHERE clause, it will act as a filter. The CompanyName Secured Variable will evaluate based on the user that is logged into the system. Depending on how the provisioning has been set up, CompanyName will resolve to one of the following:
- Default value
- Domain value
- User value
The order is important here. A value set at the user level with override the Domain value, and a value set at the Domain level will override the default value.