Row filters
In Data Access, a row filter is a type of access control that hides all rows in a specific table or view from everyone except those who are explicitly authorized (called beneficiaries). The beneficiaries see only the rows that meet the filter criteria defined in the row filter.
You can use row filters to restrict data visibility within a table or view. Instead of blocking access to an entire table or view, you can segment its data so that different beneficiaries see different subsets of the same table or view.
The default filter criterion in a row filter is All Rows, which means that all the rows of the selected table are hidden from everyone.
Components of a row filter
A row filter is defined by the following components:
- What: Specifies the table or view whose rows you need to hide from everyone.
- Who: Specifies the filter rules, which include the filter criteria applied to the table or view, and the beneficiaries who are authorized to see the rows that match the criteria. Data Access maps beneficiaries to specific filter criteria, for example, assigning the Region = US criterion to the US Team group. The beneficiaries see the rows that match their assigned criteria, provided that they have access on the table or view. Everyone else sees zero rows in that table, even if they have Read access on the table through a role.
How a row filter works
Suppose that you have a row filter for the Employee table. The following scenarios explain how its filter criteria affect data visibility for a user named Rafi, who has Read access on the same table through a role.
| Scenario | Result |
|---|---|
| No one is assigned the All Rows filter criterion. | Rafi can see the table, but with zero rows. |
| Rafi is assigned the All Rows filter criterion. | Rafi can see all the rows in the table. |
| Rafi is assigned the Region = USfilter criterion. | Rafi can see those rows in the table where the value in the Region column is US. |
|
Rafi is assigned the Region = US or Region = UK filter criterion. |
Rafi can see those rows in the table where the value in the Region column is either US or UK. |
| Rafi is assigned the All Rows filter criterion, but his Read access on the table is revoked. | Rafi cannot see the table itself. |
| Two row filters exist for the same Employee table, and Rafi is assigned the Region = US filter criterion in the first row filter, but he is not assigned any filter criteria in the second row filter. |
Rafi can still see those rows in the table where the value in the Region column is US. |