View the original community article here
Last tested: March 2021
Background: Groups are given user attribute values. For example, group_USA might be given the value for the “country” user attribute as “USA”. With an access filter, users in that group will get WHERE country = “USA” for their queries.
The issue: If a user belongs to two groups, like group_USA and group_UK, each with different “country” user attribute values, this user will not inherit both user attribute values. Other types of permissions are additive with groups, but user attributes are not: one will “win out”.
To solve the scenario where someone would need access to both countries, you might think you need to create a user attribute for each combination of user attribute values. While that would work, managing all the combinations might get unwieldy. The following pattern is an alternative.
1. Create a user attribute for each possible individual value. Ex: a user attribute for every count
2. Create a group for each user attribute.
3. Assign groups to user attributes with a value to match. (User Attributes > Edit user attribute > Group values). Ex: country_uk (user attribute) gets country_uk (group) default value = “UK”
4. Add a sql_always_where that checks the database value against a list of each of the user attributes.
sql_always_where: ${users.country} IN ('{{ _user_attributes['country_usa'] }}', '{{ _user_attributes['country_uk'] }}') ;;
5. TEST STEP 1 - Edit a user and put them in multiple groups.
RESULT:
6. TEST STEP 2 - Put that user only in one group.
RESULT
:
This content is subject to limited support.