Save Data Security Rules
Resources
Below is an example of JSON structure which can be used as a reference for the rulesJson parameter in the request body.
{
"rules":[
{
"name":"Allow All Columns",
"repositDate":0,
"id":"RULE_ALLOW_ALL_COLUMNS",
"globalType":2,
"desc":"This rule specifies that no column level security is applied. The user will be allowed all columns ignoring any other column level security for this user."
},
{
"name":"Allow All Rows",
"repositDate":0,
"id":"RULE_ALLOW_ALL_ROWS",
"globalType":1,
"desc":"This rule specifies that no row level security is applied. The user will be allowed all rows ignoring any other row level security for this user."
},
{
"rowLevel":{
"filters":[
{
"filter":[
{
"isMemberValue":true,
"fieldName":"MEASURE_371053",
"firstValue":{
"content":"5"
},
"searchContext":"ALL",
"includeCurrent":false,
"useField":false,
"fieldDisplayName":"weight",
"relation":"AND",
"useFieldType":"VALUE",
"isAppliedOnDisplayField":true,
"delimiter":"^`~",
"secondValue":{
"content":""
},
"valueType":"predefined",
"id":"f1",
"nonVisual":false,
"firstDisplayValue":"5",
"suspend":false,
"isParameter":false,
"valueBy":"VALUE",
"dataType":"NUMBER",
"topNDisplayValue":"",
"endEnclosure":"",
"isSearchFilter":false,
"field":"",
"sortOrder":"ASC",
"startEnclosure":"",
"filterType":"ADVANCE",
"showInDataCard":false,
"secondDisplayValue":"",
"operation":"GREATER_THAN",
"fieldType":"MEASURE",
"isIncludedForContextSearch":true
}
]
}
]
},
"name":"New-rule",
"repositDate":0,
"id":"RULE_17754804815658127093067137855675",
"globalType":0,
"desc":""
},
{
"columnLevel":{
"fields":{
"field":[
{
"name":"accountid",
"id":"DIM_514101!!!DIMENSION_ATTRIBUTE_882036",
"type":"ATTRIBUTE"
},
{
"name":"account",
"id":"DIM_514101",
"type":"DIMENSION",
"restrict":"DATA_AND_METADATA"
},
{
"maskingInfo":{
"maskValue":{
"type":"FIX",
"value":"-1"
}
},
"name":"weight",
"id":"MEASURE_907901",
"type":"MEASURE",
"restrict":"MASK_DATA"
}
]
}
},
"rowLevel":{
"filters":[
{
"filter":[
{
"isMemberValue":true,
"fieldName":"DIM_514101!!!DIMENSION_ATTRIBUTE_882036",
"firstValue":{
"content":"'A41'"
},
"searchContext":"ALL",
"includeCurrent":false,
"useField":false,
"fieldDisplayName":"accountid",
"relation":"AND",
"useFieldType":"VALUE",
"isAppliedOnDisplayField":true,
"delimiter":"^`~",
"secondValue":{
"content":""
},
"valueType":"predefined",
"id":"f1",
"nonVisual":false,
"firstDisplayValue":"A41",
"suspend":false,
"isParameter":false,
"valueBy":"VALUE",
"dataType":"CHAR",
"topNDisplayValue":"",
"endEnclosure":"",
"isSearchFilter":false,
"field":"",
"sortOrder":"ASC",
"startEnclosure":"",
"filterType":"ADVANCE",
"showInDataCard":false,
"secondDisplayValue":"",
"operation":"INLIST",
"fieldType":"DIMENSION",
"isIncludedForContextSearch":true
}
]
}
]
},
"name":"second-new-rule",
"repositDate":0,
"id":"RULE_17778799388428127041054164258650",
"globalType":0,
"desc":"this is the second new rule"
}
]
}JSON Fields Description
Field | Type | Description | Possible Values | Example |
rules | Array | Root array containing data security rule definitions for the semantic model | Array of Rule objects | [{...}] |
rules[].id | String | Unique identifier for this data security rule. Auto-generated if not provided for new rules | GUID or empty for new rules | "rule_17764122062715" |
rules[].name | String | Human-readable name for the data security rule. Used for identification and management in UI | Any descriptive name | "Sales Region Access Rule" |
rules[].desc | String | Detailed description explaining the purpose and scope of this security rule | Free-form text | "Restricts sales data access by region" |
rules[].globalType | Integer | Indicates whether rule was created from engine (system-generated) or manually. 0=NONE (user-created) | 0 (NONE), other integers | 0 |
rules[].repositDate | Long | Unix epoch timestamp (milliseconds) of last modification | Numeric value | 0 |
rules[].rowLevel | JSON Object | Container for row-level security configuration. Defines filters that restrict which rows of data users can access | - | {...} |
rules[].rowLevel.filters | Array | Array containing filter group objects for row-level security | Array of Filters objects | [{...}] |
rules[].rowLevel.filters[].filter | Array | Array of individual filter definitions within this filter group | Array of Filter objects | [{...}] |
rules[].rowLevel.filters[].filter[].id | String | Unique identifier for this filter | Filter ID string | "f1" |
rules[].rowLevel.filters[].filter[].fieldName | String | Fully qualified name of the field to filter on. For dimensions, use MDX format like [Dimension].[Hierarchy].[Level] | MDX field name | "[Geography].[Region].[Region]" |
rules[].rowLevel.filters[].filter[].fieldDisplayName | String | Human-readable display name of the field for UI purposes | Any descriptive name | "Region" |
rules[].rowLevel.filters[].filter[].fieldType | String | Type of field being filtered | "DIMENSION", "MEASURE" | "DIMENSION" |
rules[].rowLevel.filters[].filter[].dataType | String | Data type of the field values | "CHAR", "NUMBER", "DATE" | "CHAR" |
rules[].rowLevel.filters[].filter[].operation | String | Filter operation to apply | "INLIST", "NOTINLIST", "EQUAL_TO", "NOT_EQUAL_TO", "GREATER_THAN", "LESS_THAN", "GREATER_THAN_EQUAL_TO", "LESS_THAN_EQUAL_TO", "BETWEEN", "CONTAINS", "STARTSWITH", "ENDSWITH", "ISNULL", "ISNOTNULL" | "INLIST" |
rules[].rowLevel.filters[].filter[].firstValue | String | Primary filter value. For INLIST/NOTINLIST, use delimiter-separated values. For BETWEEN, this is the lower bound | Filter value(s) | "North!!!South" |
rules[].rowLevel.filters[].filter[].firstDisplayValue | String | Display value corresponding to firstValue for UI purposes | Display value(s) | "North!!!South" |
rules[].rowLevel.filters[].filter[].secondValue | String | Secondary filter value. Used for BETWEEN operation as upper bound | Filter value | "" |
rules[].rowLevel.filters[].filter[].secondDisplayValue | String | Display value corresponding to secondValue | Display value | "" |
rules[].rowLevel.filters[].filter[].valueDelimiter | String | Delimiter used to separate multiple values in firstValue for INLIST/NOTINLIST operations | Delimiter string | "!!!" |
rules[].rowLevel.filters[].filter[].relation | String | Logical relation with the next filter in the array | "AND", "OR", "NONE" | "AND" |
rules[].rowLevel.filters[].filter[].startEnclosure | String | Opening parenthesis for grouping filters in complex expressions | "(", "" | "" |
rules[].rowLevel.filters[].filter[].endEnclosure | String | Closing parenthesis for grouping filters | ")", "" | "" |
rules[].rowLevel.filters[].filter[].isMemberValue | Boolean | Whether the filter value represents a dimension member (true) or a raw value (false) | TRUE, FALSE | TRUE |
rules[].rowLevel.filters[].filter[].isAppliedOnDisplayField | Boolean | Whether the filter is applied on the display field (true) or the key field (false) | TRUE, FALSE | TRUE |
rules[].rowLevel.filters[].filter[].isActive | Boolean | Whether this filter is currently active and should be applied | TRUE, FALSE | TRUE |
rules[].rowLevel.filters[].filter[].filterType | String | Classification of filter type | "QUICK", "ADHOC" | "QUICK" |
rules[].rowLevel.filters[].filter[].valueType | String | Type of value being used in the filter | "predefined", "custom", "dynamic", "parameter" | "custom" |
rules[].rowLevel.filters[].filter[].valueBy | String | How the filter value is determined | "VALUE", "FIELD", "PARAMETER" | "VALUE" |
rules[].rowLevel.filters[].filter[].isParameter | Boolean | Whether this filter accepts dynamic parameter values at runtime | TRUE, FALSE | FALSE |
rules[].rowLevel.filters[].filter[].firstParameterValue | String | Parameter reference for dynamic first value | Parameter reference | "" |
rules[].rowLevel.filters[].filter[].secondParameterValue | String | Parameter reference for dynamic second value | Parameter reference | "" |
rules[].columnLevel | JSON Object | Container for column-level security configuration. Defines which columns/fields are restricted or masked for users | - | {...} |
rules[].columnLevel.fields | JSON Object | Container for field definitions in column-level security | - | {...} |
rules[].columnLevel.fields.field | Array | Array of field definitions specifying which columns are restricted | Array of Field objects | [{...}] |
rules[].columnLevel.fields.field[].id | String | Unique identifier of the field being restricted. This is the field's unique name from the semantic model | Field unique name | "[Measures].[Salary]" |
rules[].columnLevel.fields.field[].name | String | Display name of the field being restricted | Field display name | "Salary" |
rules[].columnLevel.fields.field[].type | String | Type of field being restricted | "MEASURE", "DIMENSION", "LEVEL", "ATTRIBUTE" | "MEASURE" |
rules[].columnLevel.fields.field[].restrict | String | Type of restriction to apply. DATA=hide data only, DATA_AND_METADATA=hide field completely, MASK_DATA=show masked values, CONDITIONAL_MASK_DATA=mask based on conditions | "DATA", "DATA_AND_METADATA", "MASK_DATA", "CONDITIONAL_MASK_DATA" | "DATA" |
rules[].columnLevel.fields.field[].maskingInfo | JSON Object | Configuration for data masking when restrict is MASK_DATA or CONDITIONAL_MASK_DATA | - | {...} |
rules[].columnLevel.fields.field[].maskingInfo.maskValue | JSON Object | Masking value configuration | - | {...} |
rules[].columnLevel.fields.field[].maskingInfo.maskValue.type | String | Type of masking to apply. FIXED=replace with fixed value, REGEX=apply regex pattern | "FIXED", "REGEX", "PARTIAL" | "FIXED" |
rules[].columnLevel.fields.field[].maskingInfo.maskValue.value | String | The mask value to display instead of actual data | Mask value string | "****", "HIDDEN" |
rules[].columnLevel.fields.field[].maskingInfo.maskValue.regex | String | Regular expression pattern for REGEX masking type | Regex pattern | "^(.{2}).*(.{2})$" |
rules[].columnLevel.fields.field[].maskingInfo.filters | JSON Object | Container for conditional masking filters. Only used when restrict is CONDITIONAL_MASK_DATA | - | {...} |
rules[].columnLevel.fields.field[].maskingInfo.filters.filter | Array | Array of filter definitions that determine when masking is applied | Array of Filter objects | [{...}] |
rules[].columnLevel.fields.field[].maskingInfo.filters.filter[].id | String | Unique identifier for this masking condition filter | Filter ID | "f1" |
rules[].columnLevel.fields.field[].maskingInfo.filters.filter[].fieldName | String | Field name for the masking condition | MDX field name | "[Employee].[Department].[Department]" |
rules[].columnLevel.fields.field[].maskingInfo.filters.filter[].fieldDisplayName | String | Display name of the condition field | Display name | "Department" |
rules[].columnLevel.fields.field[].maskingInfo.filters.filter[].fieldType | String | Type of condition field | "DIMENSION", "MEASURE" | "DIMENSION" |
rules[].columnLevel.fields.field[].maskingInfo.filters.filter[].dataType | String | Data type of condition field | "CHAR", "NUMBER", "DATE" | "CHAR" |
rules[].columnLevel.fields.field[].maskingInfo.filters.filter[].operation | String | Filter operation for the condition | "INLIST", "NOTINLIST", "EQUAL_TO", etc. | "INLIST" |
rules[].columnLevel.fields.field[].maskingInfo.filters.filter[].firstValue | String | Value(s) for the masking condition | Filter value(s) | "HR!!!Finance" |
rules[].columnLevel.fields.field[].maskingInfo.filters.filter[].firstDisplayValue | String | Display value for the condition | Display value | "HR!!!Finance" |
rules[].columnLevel.fields.field[].maskingInfo.filters.filter[].valueDelimiter | String | Delimiter for multiple values | Delimiter string | "!!!" |
rules[].columnLevel.fields.field[].maskingInfo.filters.filter[].relation | String | Logical relation with next filter | "AND", "OR", "NONE" | "AND" |