Security model filter is not being honoured for DMR models against dynamic query mode
An issue has been identified within Cognos BI 10.2.1 Dynamic Query Mode (DQM) where a Dimensionally Modeled Relational (DMR) model, which utilizes session parameters via macro expressions, to restrict the data may display data for another session parameter value. This may result in a user being presented with data from another user that they should not have access to. APAR PM91904 has been logged for this issue.
Within IBM Cognos Framework Manager, a modeler can restrict the data represented by query subjects in a project by creating security filters. These security filters can be embedded within the SQL of a Data Source Query Subject or defined as filter object on a Model or Data Source Query Subject. These security filters are usually created using the Session Parameters via macro expressions in order to restrict the data based on the user who is running the report.
This issue only occurs if:
- Security Filters have been created as filter objects or embedded in the SQL within the model and utilize the session parameters via a macro expression. Some of these session paramters include but are not limited to: $account.defaultName,$account.personalInfo.userName.
- The model is Dimensionally Modeled Relational and has been published out using the Dynamic Query Mode.
- On each of the dispatchers in the environment, locate and backup the configuration/xqe/dmr.properties file.
- Open the dmr.properties file using a text editor.
- Locate the entry which reads: blockingPrePlanSameMetaDataObjects=true
- Change the true value to false. When completed, the changed entry should read: blockingPrePlanSameMetaDataObjects=false
- Save the changes and close the file.
- Stop and Restart the IBM Cognos BI Service.