Data security for reports

AD
DM
DS
ST

Data visibility profiles and inbox task groups play a significant role in controlling the data that can be viewed and downloaded in report results.

Key points for report permissions:

  • Data visibility profiles restrict the ability to view and download results.
  • Inbox groups restrict access to change requests and suspect match reporting tables.
  • Dynamic access control rules can restrict results for custom object data.
  • By default, the SQL Query Editor can only be used by Data Managers, Administrators, and System and Data Admins. Administrators and System and Data Admins can add permission for individual users of other types.
  • Saved report results depend on whether the report is scheduled or is manually run.
    • Scheduled - Uses the report permissions of the user that last edited the report. All report viewers see the same information if the report is scheduled.
    • Manually run - The report results are based on the report permissions of the user that ran the report.

Basic reporting is available for all users; data visibility profiles control who can download the results.

Note: Data visibility profiles and inbox groups do not impact opted-out records; opted-out records will always be masked in report results.

Data type restrictions

Report results are limited by data type restrictions.

Data Type Tables

Restrictions

 lAvailability

HCPs and HCOs

(Customer Master)

 Data visibility profiles – Restricted by country and HCP/HCO filters. Fields not restricted in SQL queries.

Sub-objects are restricted based on the related main entity.

 Basic Reports
Aggregate Reports
SQL Query Editor
Saved Reports
Custom objects Data visibility profiles – Restricted by country and HCP/HCO filters. Fields not restricted in SQL queries.

Sub-objects are restricted based on the related main entity.

Dynamic access control - Reports can be run but the results are restricted if users do not have access to the custom object.

SQL Query Editor
Saved Reports
Change requests/
Suspect matches

(Data Stewardship tables)

Inbox task groups – Restricted by country and HCP/HCO filters. If a user is assigned to multiple inbox task groups and a DCR can be routed to at least one of them, it will return in report results. However, if an inbox task group is set as the default routing group, its HCP/HCO filters override any filters set for other inbox task groups for that country.
Not available to standard users. 		Basic Reports
Aggregate Reports
SQL Query Editor
Saved Reports

Reference Data

 Data visibility profiles – Restricted by country. Basic Reports
Aggregate Reports
SQL Query Editor
Saved Reports

Job Summary

(Data Loading & Matching)

User type - Job reporting tables are available for Data Managers, System Admins, and System and Data Admin user types only.

Match tables are available in the SQL Query Editor only.

Basic Reports
Aggregate Reports
SQL Query Editor
Saved Reports
Revision History Data visibility profiles – Restricted by country and HCP/HCO filters. Fields not restricted in SQL queries.
User permissions - Users must have the SQL Query Editor permission enabled for their user profile to report on revision history tables. Available by default for Administrators and Data Managers.		 SQL Query Editor
Saved Reports
Lookup Tables User permissions - Users must have the SQL Query Editor permission enabled for their user profile to report on lookup tables. Available by default for Administrators and Data Managers. SQL Query Editor
Saved Reports
Network Widgets Data User permissions - Users must have the SQL Query Editor permission enabled for their user profile to report on Affiliation widget data. Available by default for Administrators and Data Managers. SQL Query Editor
Saved Reports
My Custom Tables

These tables are created by users. They are can be viewed and used by the user that created them.

User permissions - Users must have the SQL Query Editor permission enabled for their user profile.

 SQL Query Editor
Shared Custom Tables

These tables are created by users. They are can be viewed and used by any user that has access to the SQL Query Editor. A table can be deleted by the user that created the table. System Administrators and System and Data Admin users can delete any custom table.

User permissions - Users must have the SQL Query Editor permission enabled for their user profile.

 SQL Query Editor

Saved reports

Saved reports are run with the role and permissions of the report creator; the creator controls who can view or edit the report. If another user edits the report definition, the scheduled report will run with the editor’s permissions from that time onward.

By default, reports are only visible to the creator and to Administrators and System and Data Admin users. Regardless of permissions, all editors and viewers see the same report results if the report ran on a schedule. If the report is manually run, the results will be based on the permissions of the user that ran the report.

By default, users have the following access:

  • Administrators and System and Data Admins - View and edit all saved reports, including system reports, their own reports, and those of all other users.
  • Data Managers - No access to Saved reports until reports are shared with them as a viewer or editor. With view access, they can edit or delete reports.
  • Data Stewards and Standard Users - View or copy reports that are shared with them as a viewer. Edit reports shared with them as an editor.

Report results permission

Administrators can assign a user permission called Report Results so users can run reports without any data restrictions applied.

By default, when you run a report, the results are based on the data that you have permission to access. This means that each report query is rewritten to calculate your data visibility profiles, inbox task groups, and any dynamic access control restrictions for custom objects. This can cause the query to be slow or to timeout. When your data permissions are ignored, the queries and reports will complete faster and fewer timeout errors will occur.

Supported users

Administrators can assign this permission to the following user types:

  • System Administrators

  • System and Data Admins

  • Data Managers

Change the permission to Unrestricted for users that already have access to all data. Report queries are always rewritten to calculate a user's data permissions, so if a user has access to all the data in the Network instance, assigning the Unrestricted permission means that the report runs without being rewritten and will complete much faster.

Data permissions

When you run a report, Network checks the following permission features to know which data you have access to:

  • Data visibility profiles

    • Primary country

    • Object filters (object type, specialty, record owner type, and so on)

  • Dynamic access control

  • Inbox task group filters

Note: Field restrictions will still be applied.

Based on the data that you have access to, Network rewrites the report query to apply these filters. These data permissions can be ignored to avoid query timeouts. The only filter that is applied is the Include only Valid and Under_Review records in results option if you select that before you run the report.

Supported report features

The Report Results permission applies to anywhere in Network that you run a query or report:

  • SQL Query Editor

  • Basic Report Builder

  • Aggregate Report Builder

  • Saved Reports (manually run)

    Note: Scheduled saved reports are run using the data visibility profile of the user who last edited the report. These reports now include the Last Modified by information. Administrators can update the permissions for that user to ignore data restrictions.

  • Data Quality Reports

  • Data Maintenance Subscriptions

Apply the permission

By default, all users are restricted based on their data permissions.

  1. In the Admin console, click Users & Permissions > Users.

  2. Select a user.

  3. In the Additional Permissions, expand the Report Results list and choose Unrestricted - Full access to data.

Logs

Changes to the Report Results permission are tracked in the System Audit Log.

Auditing

All queries and reports are included in Network auditing. Administrators can access the audit logs from the admin console in Logs > Reporting Audit History.