How to use sysFilters in data schemas
When you run multiple business units on a single Adobe Campaign Classic application, it is beneficial to restrict operators from accessing other business units’ data.
We all know that restricting data on form views and with folder access restrictions may not always be successful. The only bulletproof method of managing write or read access rights for operators is also additionally employing the feature called sysFilter.
If any condition in your sysfilter is evaluated as true, the corresponding expressions will be applied to every query you make to the data schema where the sysfilter is applied.
We have two levels at which we can control access to schemas:
readAccess– grants read-only access to schema data.writeAccess– grants write access to schema data.
NOTE: Data schemas in Adobe Campaign Classic are universal database definitions written in XML. They describe the SQL structure and relations to other tables.
You can define sysFilters, in every data schema, for read and write access separatelly:
<!- read access -->
<sysFilter name="readAccess">
<condition enabledIf="hasNamedRight('admin')=false">
<condition enabledIf="hasNamedRight('GermanyRecipientAccess')=true" expr="(Lower([country/@isoA2])='de'"/>
</condition>
</sysFilter>
<!- write access -->
<sysFilter name="writeAccess">
<condition enabledIf="hasNamedRight('admin')=false">
<condition enabledIf="hasNamedRight('GermanyRecipientAccess')=true" expr="(Lower([country/@isoA2])='de'"/>
</condition>
</sysFilter>When you will use sysFilter without above mentioned name attributes, it will restrict both read and write data access to applied data schema.
It is good practice to use sysfilter to every linked table in which you have applied sysfilters to.
We can use only three types of dynamic parameters in our conditions that will enable/disable filtering rules defined in expression
$(loginId)– gives you the current operator id accessing the schema. Internal user’s operator id is 0hasNamedRight()– checks whether current operator has named right assigned to them.- $(/schema/@fieldName) – checks condition within schema fields.
The last one I’ve recently discovered while browsing server files, completely unrelated to my initial search. It miraculously popped up, catching me by surprise
Last thing that need anwering is that I am not able to find any other dynamic conditions that can be used to check an operator’s attributes, such as group, country, or business unit they belong to. While these conditions may exist, I have not come across them. If you have more information, please share it in the comments.
In the expression – expr attribute – that filters the data shown to the operator, you can use any of the actual schema-defined attributes
You can also nest conditions similarly to queries, but there is no booleanExpression, and all conditions will be evaluated together with AND. So when multiple conditions are evaluated as true, your filter will have more conditions added to the WHERE clause, and it might happen that the filter will show less or no data.
<condition enabledIf="hasNamedRight('admin')=false AND hasNamedRight('GlobalDataAccess')=false">
<condition enabledIf="hasNamedRight('GermanyRecipientAccess')=true" expr="(Lower([country/@isoA2])='de'"/>
<condition enabledIf="hasNamedRight('SwitzerlandRecipientAccess')=true" expr="(Lower([country/@isoA2]) ='ch'"/>
<condition />
<condition />
<condition />
</condition>
