a5Helper_SQL_ApplySecurity Function


c SQLStatement = a5Helper_SQL_ApplySecurity(sql as c , securityDef as c , loggedInGroups as c)



The SQL Statement to which security will be applied.


A JSON object that defines the security settings and show/hide expression for selected columns in the SQL statement. Has the following properties:


The column in the SQL statement. This must match the parsed SQL representation for the column. See example below.


A comma delimited list of the security groups authorized to see this column.


A logical expression that evaluates to true or false. Typically the expression will reference session variables.


The security groups for the current user.


Applies security to a SQL SELECT statement. Only applies if the SQL statement can be parsed.


Applies security and server-side show/hide expressions to a SQL SELECT statement. Columns that the current user is not authorized to access will be removed from the SQL SELECT statement.

The SQL statement passed to this function must be parsable. If Alpha Anywhere cannot parse the statement (e.g. the SQL is a call to a stored procedure), the function returns the original SQL statement.

If a column does not have a security setting or server-side show/hide expression, it will be included in the SQL statement.

If a column has a defined security setting, the column will only be included in the SQL statement if the logged in user is a member of one of the security groups specified by the column's security settings.

If a column as a show/hide expression, the column will only be included in the SQL statement if the expression evaluates to a true result.

The column specify in the securityDef must match exactly how the SQL parser represents the column. For example, consider the following column expression

concatenate(customers.name , ', ', customers.contacttitle)

The meaning of this expression is unchanged if the expression is written as:

concatenate(     customers.name     , ', ',     customers.contacttitle   )

However, this is not how the expression is represented in the SQL parser. To get the correct representation of the expression, you can use the code below:

dim si as sql::Query::SelectItem
sql2 = "concatenate(   customers.name   , ', ',   customers.contacttitle)"
= .T.

= "concatenate(customers.name, ', ', customers.contacttitle)"


sql = <<%str%
SELECT customers.CustomerID as cid, customers.CompanyName as compName, customers.ContactName, customers.ContactTitle, concatenate(customers.name,', ',customers.contacttitle) as exp1, orders.OrderID, orders.CustomerID AS CustomerID1, orders.EmployeeID, orders.OrderDate, orders.RequiredDate 
FROM customers customers
 INNER JOIN orders orders
 ON customers.CustomerID = orders.CustomerID
'define the
dim ss[0] as p
i = ss.append()
ss[i].column = "customers.ContactTitle"
ss[i].security = ""
ss[i].showHide = "session.var1 = \"alpha\""
i = ss.append()
ss[i].column = "concatenate(customers.name, ', ', customers.contacttitle)"
ss[i].security = "Sales,Marketing"
ss[i].showhide = ""
i = ss.append()
ss[i].column = "customers.CompanyName"
ss[i].security = "Administrator"
ss[i].showhide = ""
dim security as c
'Generate a JSON string
security = json_generate(ss)
dim loggedInGroups as c
loggedInGroups = Context.Security.GetUserRoles()

sql2 = a5Helper_SQL_ApplySecurity(sql,security,loggedInGroups)

See Also