Creating Column Filter Policies

The Column Filter Policy is a SQL Select Clause written against the SQL View of an EmpowerID component or object type, such as an account or Person, that specifies what attributes of the component can be viewed by someone with the policy. For example, one of the Column Filter Policies included with EmpowerID is the "Sample AccountView removing visibility on email" policy. This policy hides the true value of each user account's Email attribute, replacing it with "N/A" so that assignees of the policy will see "N/A" as the Email for any user accounts they view. You can create Column Filters like this to hide or substitute any attribute on an object.

This topic demonstrates how to create a Column Filter policy and is divided into the following activities:

To create the Column Filter Policy

  1. From the Navigation Sidebar, navigate to the Column Filter creation page by expanding Other and clicking Things to Do > Create > EmpowerID System Configuration > Create Column Visibility Filter.
  2. This opens the Filter Details form for the Column Visibility Filter.

  3. From the Assign Policy To drop-down, select the Actor type to whom you want to apply the policy. Actor types include the following:
    • Person - If you select this Actor type, the policy will be applied to a specific person.
    • Group - If you select this Actor type, the policy will be applied to a specific group. Each person who is a member of the group will receive the policy.
    • Business Role and Location - If you select this Actor type, the policy will be applied to a specific Business Role and Location. Each person who belongs to the Business Role and Location will receive the policy.
    • Management Role - If you select this Actor type, the policy will be applied to a specific Management Role. Each person who is a member of the role will receive the policy.
    • Management Role Definition - If you select this Actor type, the policy will be applied to a specific Management Role Definition. Each Management Role that is a child of the definition will receive the policy.
    • Query-Based Collection (SetGroup) - If you select this Actor type, the policy will be applied to a specific Query-Based Collection. Each person who is a member of the collection will receive the policy.
  4. In the Assignee field that appears, do one of the following depending on the Actor type you selected.
    1. Type the name of the specific actor to whom you are assigning the policy and then click the tile for that actor to select it. For example, if you are assigning the policy to a group, you type the name of the group in the field and then click that tile.
    2. If you selected Business Role and Location as the Actor type, click the Select a Role and Location link and in the Role and Location Selector that appears, search for and select a Business Role and Location and then click Select to close the selector.
  5. In the Object Type (Component) field, type the name of the EmpowerID Component appended with "View" that has the column you want to restrict and then click the tile for that View to select it. For example, if you want to hide an attribute of a person, you type PersonView in this field.
  6. Type a name, display name and description for the policy in the Name, Display Name and Description fields, respectively.
  7. Leave the value of the Mode field as Default.
  8. In the Allowed Columns field, type a SQL statement for the filter that substitutes the attribute(s) you want to hide with another value, returning all the rest. For example, if you want to substitute the Title attribute with Private, the statement would look as follows:

        'Private' AS Title, [TABLEALIAS].*

    This statement tells EmpowerID to create a new View of the Person table that replaces the Title attribute with Private. Then when a person with the policy logs in to EmpowerID and searches for another person, the value of the Title attribute will be Private.

    At this point, the Filter Details form should look similar to the following image (with variations for the selected options). In the image, we are creating a Column Filter policy that replaces the Title attribute on a Person with Private and assigning that policy to the Contractors group. In this case, when a person who is a member of the Contractors group logs in and searches for another person, the value of the Title attribute will be set to Private. The policy will not apply to anyone who is not a member of the group.

  9. Click Save.
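
When reviewing policies before or after saving them, it helps to list exactly which attributes an Allowed Columns statement substitutes. The following Python checker is an added example, not EmpowerID code: it assumes statements follow the form shown above (a quoted literal, AS, a column name, plus [TABLEALIAS].*), reports anything else for manual review, and its function names and sample statements are hypothetical.

```python
import re

# One substitution in the form shown on the page: 'literal' AS Column.
# A doubled quote ('') inside the literal is an escaped quote, as in SQL.
SUBSTITUTION = re.compile(r"^'((?:[^']|'')*)'\s+AS\s+\[?([A-Za-z_]\w*)\]?$", re.IGNORECASE)
PASSTHROUGH = "[TABLEALIAS].*"


def split_items(clause):
    """Split a select list on commas that sit outside single-quoted literals."""
    items, current, in_quote = [], [], False
    for ch in clause:
        if ch == "'":
            in_quote = not in_quote
        if ch == "," and not in_quote:
            items.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    items.append("".join(current).strip())
    return items


def review_clause(clause):
    """Report substituted columns, the pass-through item, and anything unrecognized."""
    report = {"masked": {}, "passthrough": False, "unrecognized": []}
    for item in split_items(clause):
        match = SUBSTITUTION.match(item)
        if match:
            report["masked"][match.group(2)] = match.group(1).replace("''", "'")
        elif item.upper() == PASSTHROUGH:
            report["passthrough"] = True
        else:
            # Expressions, bare column names, typos: a person should read these.
            report["unrecognized"].append(item)
    return report


if __name__ == "__main__":
    # Constructed sample statements; only the first appears on the page.
    for clause in (
        "'Private' AS Title, [TABLEALIAS].*",
        "'N/A' AS Email, 'Private, by policy' AS Title, [TABLEALIAS].*",
        "Title, [TABLEALIAS].*",
    ):
        print(clause, "->", review_clause(clause))
```

A statement with an empty `masked` result hides nothing, and a non-empty `unrecognized` list marks a statement that needs to be read by hand before it is trusted.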

To test the Column Filter Policy

  1. Log out of the EmpowerID Web application and log back in as a user with the Column Filter policy.
  2. From the Home page of the Web application, search for any resource object restricted by the policy. For example, if you created a Column Filter policy that replaces the value of an attribute on a person with another value, search for people.
  3. You should see that the attribute(s) specified by the policy have been replaced with the value(s) specified by the policy. In our example, we logged in as a user who has been assigned a Column Filter policy that replaces the value of the Title attribute with Private.