This document goes step by step through implementing security rules at the app object level:
I know that sheets and charts are "app objects". I don't know if master measures will be considered app objects or not. Even if the master measure is considered an app object and you can use this method for restricting access, the field would still be in the data model and the user could hypothetically write a measure on that field themselves. I'm not sure how to restrict access to entire fields (column level security) or if security rules can accomplish this.
I have got some sensitive data, like Margins, Consolidated currency and etc. I am using them in KPI's only, and not in real charts, I am currently reading all the docs based on security rules and trying to get to know the logic behind them better .
And Yes, I have saved those measures as Master Items(Measures)
Hello guys, this post is for future people who come here !
IF you are reading this, You must have a basic knowledge on Custom Properties, and how to apply them to map users with apps and streams.
After I made Custom properties for my groups of users, and then I applied this properties to the corresponding Streams and Apps, I had to write security rules .
1. Disable default stream rule
2. Write rule that specifies Streams with the custom property of the groups
3. Write rule for App Access with the corresponding groups ( ex. Group1 can see Group1, Group2 can see Group2 etc.)
4. AND last, but not least you must specify rule for App object .
this is my rule
((user.@AppLevelManagement="Sales") and (resource.objectType!="measure" or resource.name="SalesSum" or resource.name="RegionsCount"))
BASICALLY this rule says, that IF a user is part of the AppLevelManagement - Sales, he CAN'T see resource.objectType!="measures", and after that we specify which measures, this users can see, in our example the users which are part of the Sales group, can see the measures - "SalesSum" and "RegionsCount".
PS: The measures have to be saved like Master Measures.
PS2: I am using this rule as part of my section access to restrict which users can see which measures.
PS3: If you have questions comment here and I will try to help you
Thanks to S Khan
why are you saying that you cannot restrict it via section access? Do all users need access to all fields that are used in calculating your measure? If not, just restrict access to at least one underlying field, and the measure will be calculated as <null> for unauthorized users.