Filtering a group

Similar Messages

• Filtering of Grouped data in Advanced DataGrid

  I want to display the Hierarchical Data (groped data) in
  Advance DataGrid and at the same time I want the filtering
  functionality as well. The problem is if I want grouped view then I
  have to provide GroupingCollection to the dataprovider ( that has
  no filterFunction type functionality ).
  Is there any way to solve this issue?

  You have to call adg.validateNow() after assigning the
  GroupingCollection as dataProvider to the AdvancedDataGrid and
  before applying the filterFunction.
  It should be like -
  adg.dataProvider = gc;
  adg.validateNow();
  IHierarchicalCollectionView(adg.dataProvider).filterFunction
  = filterFunc;
  IHierarchicalCollectionView(adg.dataProvider).refresh();
  Note: The filter function will be applied to group rows
  also.

• Need help with data filtering on groups/application roles

  Hello,
  I have a situation where I have to apply security on objects (reports, prompts etc) and dimension members (Essbase cube). So the idea is like this:
  Report 1: access to three users (U1, U2, U3), but for dimension Company they have separate rights:
  U1: Company A, Companies A.1-A.7 (children of A) and Companies A.1.1-A.1.9 (children of A.1);
  U2: Company A.1 and Companies A.1.1-A.1.9;
       U3: Company A.1.1
  same for Report 2, but users must have access to different companyes, like Company B, B1...
  In WebLogic Console I created three groups (G1-G3) and placed each user to a group (U1-> G1, U2 ->G2, U3->G3). Then in WebLogic EM I created three application roles (R1-R3) and added for each, corresponding user (R1-> U1, R2->U2, R3-> U3).
  My approach was to use application roles like this:
  R1: include User1 and filter data on repository by application role to each generation of the cube ("Data_Source_Name"."Dimension_Name"."Generation2,Dimension"='Company A',"Data_Source_Name"."Dimension_Name"."Generation3,Dimension"='Company A.1', "Data_Source_Name"."Dimension_Name"."Generation4,Dimension"='Company A.1.1')
  R2: include User2 and filter data on repository by application role to each generation of the cube ("Data_Source_Name"."Dimension_Name"."Generation3,Dimension"='Company A.1', "Data_Source_Name"."Dimension_Name"."Generation4,Dimension"='Company A.1.1')
  R3: include User3 and filter data on repository by application role to each generation of the cube ("Data_Source_Name"."Dimension_Name"."Generation4,Dimension"='Company A.1.1').
  I've noticed that, by default, each role inherites BIConsumer and "localmachineusers" application roles, so I set in repository these both roles to filter data as the role 3 (the lowest level of acces), in order for my roles (Roles 1 to 3) to have the highest privileges.
  In repository I cannot see any of my users (U1-U3), but just the application roles they are in.
  For Report 1 I set the access to Roles 1-3 and when I am logged on as U3 this report should display only the data for Company A.1.1, but it doesn't (displays data also for Company A, Companies A.1-A.7).
  In fact it seems, that the data isn't filtered at all, which drives me to the conclusion that my data filter is override by another role, maybe ?
  Could you please give me a clue about what I am missing here ?
  Thank you.

  Amith,
  Please bear this with me - see my comments below (search for petresion_Comments):
  So, we have three users who have access to a report called Report1. But the data that they see in the report needs to be different. The report has a dimension company, and each user needs to see different companies data. So the filtering needs to be done on company dimension.
  petresion_Comment: That's my case to solve.
  Now the groups in weblogic has no purpose in OBIEE 11g unless you are using an LDAP authenticator who has groups defined in the active directory. By this I mean the network people are maintaining the users and group relation necessary for OBIEE. So keeping the weblogic groups apart for a minute, lets deal with users and roles only.
  The three users are assigned to three different roles R1, R2 and R3. By default, all the roles inherit the BIconsumer role, and localmachineusers role you mentioned is not an OTB role. This is something that is probably causing the data filtering to fail. Do a test like create a user in weblogic, assign him only to the localmachineusers role, and go to analytics, and check your roles and groups by going under my account. Make sure this role is not inheriting any other roles like BIAdministrator, BIauthor etc. So in conclusion, when one of your users login, they should inherit only their custom Role (R1 for instance), BIConsumer, Authenticated User, and your custom role localmachineusers.
  petresion_Comment: That is what I checked on the first time (few days ago) and is exactly as you say (BIConsumer, localmachinerole and Role1).
  Do not apply any data filters on the BIConsumer role. This is not a good practice because the filters get applied to every single user that logs into the system.
  petresion_Comment: I know that, but appliyng filters on BIConsumer role I tried to make sure that its privileges doesn't overrides any of my Roles (1,2 or 3). I will remove the filter on BIConsumer.
  Now create the data filters on your custom roles (R1, R2, R3). Save the RPD. Deploy the Rpd through Enterprise Manager.
  petresion_Comment: Only difference in my case is that I stopped BI services, applied changes to rpd in Offline mode and then restarted BI services.But also tried as you mentioned (by the book in fact) and same result. The problem is the same, my roles(1,2,3) don't filter the companies at all.
  Once you are done with all the work above, you should login into analytics as user1. After logging in go to my account, roles and groups, and make sure you see the R1 in the list of groups. Now run the report, and your filters should get applied no matter what. If they are still not getting applied, grab the physical sql and see if the filters are existing in the where condition.
  petresion_Comment: Where can I capture the physical SQL (probably an MDX sent to the Essbase cube ?) ?
  One other reason could be, one of the roles that are assigned to the user1 by default, is overriding the filters. Like for example, if a user is assigned to BIAdmin role, and no matter if you assign him to a different role that has 100's of filters, he will still see all of the data.
  petresion_Comment: As I said before, each of my users are members of their roles, BIComsumer and localmachinerole, so no other privileges (no BIAdmin role).
  Thank you for the patience.
  John

• Filters without Groups / Smart Objects

  I want to add a layer of scratches and dust marks that is at the top of the composition without having to create a group or smart object.  I tried creating a black layer with the opacity to 0 then applying a scratches and dusts mark, I also tried a empty smart object with 0 opacity, that didn't work either.  I'm hoping their is a technique to this ?

  then applying a scratches and dusts mark
  Filter > Noise > Dust & Scratches is supposed to help remove such things, not add them, so I’m not sure what exactly you mean.
  A blank Layer (or a white Layer set to Blend Mode Multiply) and painted on in black with appropriate Brush tips with some randomization and Scattering might help.
  Could you post an example of what you are after?

• Filtering Groups on Windows Active Directory using LDAP Authentication

  Hi All,
  I have small module that filters the groups from the Windows AD using LDAP attributes and flushes the data into the DB[code below].
  This module was developed and tested on weblogic 8.1[on windows]and works fine.
  Now the same is moved to another environment- Websphere on Linux Suse. The code fails to retreieve any value from the Windows AD.
  Please note no exception is aslo thrown.
  env.put(Context.INITIAL_CONTEXT_FACTORY,ldapCtxFactory);
            //set security credentials, note using simple cleartext authentication
            env.put(Context.SECURITY_AUTHENTICATION,authentication);
            env.put(Context.SECURITY_PRINCIPAL,adminName);
            env.put(Context.SECURITY_CREDENTIALS,adminPassword);
            //connect to my domain controller
            env.put(Context.PROVIDER_URL, domainController);
            // Create the initial directory context
            try {
                                dirCtx = new InitialDirContext(env);
                 // Create the search controls           
                 SearchControls searchCtls = new SearchControls();
                 //Specify the attributes to return
                 String returnedAtts[]={"member"};
                 searchCtls.setReturningAttributes(returnedAtts);
                 //Specify the search scope
                 searchCtls.setSearchScope(SearchControls.SUBTREE_SCOPE);
                 int totalResults = 0;
                 int iteration=0;
                 // Search for objects using the filter
                 NamingEnumeration results = ctx.search(searchBase, searchFilter, searchCtls);
  In the above code the method exits even before the try block[i could detect this using Sysout's]
  Below is the property file from which the values are read.
  admin=username
  password=password
  #AD search attributes
  searchBase=DC=domainname,DC=domainname
  searchFilter=(&(objectClass=group) (CN=value*))
  #JNDI context attributes
  ldapCtxFactory=com.sun.jndi.ldap.LdapCtxFactory
  authentication=simple
  domainController=ldap://address
  groupPattern=pattern
  Please Assit,
  Thanks in Advance
  Message was edited by:
  radiant
  Message was edited by:
  radiant

  Assuming it is the same Active Directory environment and only your Java platform has changed, the I can only assume that if no exception is thrown, and no data is returned, then the credentials you are using on the new Java platform are being mapped to an anonymous user (perhaps a blank password ?). By default, Windows Server 2003 domains, do not return any results to anonymous users.

• Groups and ESSBASE Filters

  Can anyone tell me we can import the Data level filters for Groups from ESSBASE?
  If so, do we have any documentation on how to perform this?
  Thank you,

  You can't import them but they will be applied to all selections if you use integrated access control between OBIEE and Essbase (i.e. hand over :USER, :PASSWORD in the connection pool rather than generic conneciton credentials).
  Cheers,
  C.

• How to create secutiry filters and users, groups in system 9

  HI,
  Could you please help me how to create security filters and groups, users in system 9. I need it very ugent. i am very much thankful to you.. if you respond immediatly.
  Thanks,
  sudhakar.

  In short here's how I did it in 9.3.1 but there are multiple ways to do it.
  I'm using MSAD external authentication.
  Using EAS right click on database, Edit, Filters. Create your filters.
  Then go to Shared Services.
  Find the MSAD user/group and provision them to the Essbase database that you have your filters on. Access level is "Filter".
  Then go back to EAS and Refresh Security From Shared Services.
  Then go back to Shared Services.
  Navigate to Projects & then your Essbase server. Find your Essbase database and click on it. To the right it'll populate a list of all the users/groups you provisioned to above. Select all of them and click Next.
  Now you should see a drop down at the top showing your filter(s). Click the checkbox(s) next to the users/groups you want to apply that filter to. Click the green checkmark to apply the filter, and repeat for your various filters that you want to apply. Only 1 filter per user/group.
  Then go back to EAS and Refresh Security From Shared Services again.
  Good luck, hope this helps.

• Linking a library to a list - filtering data per selected drop down / check box item

  Good day,
  I am rather new to SharePoint and have run into a dilemma. Is it possible to link a library to a list, then create a parent-child relationship between the the department (list) to document (library)? 
  Example - I have a library that contains 100+ documents, the library is filtered using groups/subgroups. 
  IT
   -> IT TX (30 docs)
   -> IT WI (10 docs)
  Biz Ops 
   -> Biz Ops WI (8 docs)
   -> Biz Ops CA (5 docs)
  In the list I created I have departments as a required field, and a dropdown tool that shows the 5 departments that contain items that need to be grouped together. (Biz Ops, IT, HR, Sales, and Compliance)
  I have linked the library of documents to the form (list), using "Lookup (information already on this site)". All the documents in the library appear in the selection box within the list. However is it possible to first select a department which
  then filters documents only tied to said department? So at the beginning of the list you choose the department you wish to browse the documents, then it filters out all documents not related to that department? 
  My apologies if this is long winded and confusing. Your help is most appreciative. 
  Cheers. 

  Hi,
  According to your post, my understanding is that you wanted to filter the corresponding documents from a Document Library when you selected a department in a List.
  I recommend that you can follow the steps as below to implement it in your environment.
  1. Create a new Web Part Page and add the Document Library and the List web part into it.
  2. Click the List web part, click the current web part’s drop-down arrow, choose Connections, Send Row of Data To, and then choose the Document Library web part.
  3. Click the Document Library web part, choose the “All Items” view from the Selected View, click the current web part’s drop-down arrow, choose Connections, Get Filter Values From,
  and then choose the List web part.
  4. Open the Configure Connection – Webpage Dialog, choose the “Department” column from the Provider Field Name drop-down list and choose the “Group” column from the Consumer Field
  Name drop-down list.
  5. Click Apply, OK button, save the Web Part Page and test it in your environment.
  For more information, you can refer to:
  http://office.microsoft.com/en-us/sharepoint-server-help/connect-data-in-web-parts-HA101785157.aspx
  http://www.dummies.com/how-to/content/connect-web-parts-in-sharepoint-2010.html
  Best Regards,
  Linda Li
  TechNet Community Support

• New group in Shared Services does not come up in projects?

  Hi All,
  I'm working on a system that has externalized security, and we use Hyperion Shared Services to add users to groups and assign filters to groups.
  I have just added a new group in the analkytic server in shared services, I have also provisioned it to have filter access of a particular DB.
  When I go to the projects folder and check the list of groups under the application, to look for this group so I could assign the filter, I dont find the group listed.
  Does anyone know what I am missing out on.
  Thanks in advance.
  Anindyo

  Hi John,
  I tried to delete the group and create a new group again:
  searched for the group, right clicked on it and clicked on Provision.
  Then I expanded the Analytic server tree to the left, selected server Access, and moved it using the arrow button.
  Then I expanded the DB name, there were "Provisioning Manager", "Application Manager" and "My Role".
  I expanded the Tree of "My Role" and found "Calc", "Filter" and "Read".
  I expanded the tree "Filter", and found Start/Stop Application.
  I selected "Filter" (not Start/Stop Application) and moved it to the second list on the right using the Arrow button.
  Then I clicked on the save button.
  Now I expanded the Projects Folder:
  Clicked on the DB to which I provisioned this group.
  It showed the list of users and groups to the right.
  I selected groups in the drop down.
  Clicked on refresh, but the new group does not appear.
  Please let me know if I missed out on anything.
  Thanks for the response,
  Regard,
  Anindyo

• Listing all users in a group

  Hi guys,
  I need to write some code that returns a list of Users that belong to a particular group, using pt 5. This has been asked in lots of different posts but no answer has been given. There must be a way to do this somehow.
  Should I be doing an IPortalSearchRequest and then filtering by group? I can't work out how to do this, or even if it is possible. Or should I be using the IUserGroupManager interface? It does not seem to be documented anywhere.
  I do not want to resort to reading the PlumTree DB but it looks like I may have to. Obviously this defeats the whole point of the API - but considering this changed from 4.5 to 5 maybe this is not a problem!

  Also check these other two posts. If the gateway blows up the links I'm sticking in below, just use the general portal search to look for "QueryUsers"
  http://portal.plumtree.com/portal/server.pt?in_hi_req_objtype=18&in_hi_req_objtype=17&in_hi_req_objtype=1&in_hi_req_objtype=512&in_hi_req_objtype=43&in_hi_userid=281772&in_hi_req_bbs=1&in_hi_req_thesaurus=1&space=SearchResult&in_hi_req_spell=1&parentid=1&cached=false&control=searchstart&in_hi_req_gadsrchtype=bannersearch&in_hi_req_initialsearchstring=QueryUsers&in_hi_req_page=50&in_tx_query=QueryUsers&in_hi_req_lang=en&parentname=SearchResult#
  http://portal.plumtree.com/portal/server.pt?in_hi_req_objtype=18&in_hi_req_objtype=17&in_hi_req_objtype=1&in_hi_req_objtype=512&in_hi_req_objtype=43&in_hi_userid=281772&in_hi_req_bbs=1&in_hi_req_thesaurus=1&space=SearchResult&in_hi_req_spell=1&parentid=1&cached=false&control=searchstart&in_hi_req_gadsrchtype=bannersearch&in_hi_req_initialsearchstring=QueryUsers&in_hi_req_page=50&in_tx_query=QueryUsers&in_hi_req_lang=en&parentname=SearchResult#

• Change page header based on group being printed

  I have a report that is grouping by two fields, field A & B.  When the report is printing group A I would like the page header to be "Group A Header" when the report is printing the groups for field B I would like the page header to be "Group B Header".  I can't seem to find a way to change the header based on which group is being printed.  If I do "If GroupNumber = 1 Then "Group A Header"" it prints "Group A Header for the first group and the first record of the second field group.
  Basically what I am trying to do is create a report that has a chart that is un-grouped followed by charts that are grouped.  I've accomplished this by creating a formula that is always true for the un-grouped chart and adding it as a group.  below that I have a field group for the charts I want filtered by group.   When the un-grouped charts are printed I want the page header to reflect that, when the grouped charts are printed I want the page header to contain the group name.

  Not enough info. Try CR 2008 it has more control over printing.

• DIT Design -- Handling users in overlapping & changing groups/institutions

  Hi Folks-
  [My Apologies if there are duplicates, the forum doesn't show any sign of accepting this]
  I've been working on a DIT Design to solve a set of business requirements which conflicts with most traditional approaches. I've got some (overly) complicated ideas, but I'm wondering if anyone has encountered a similar situation, and if so did you find a good solution.
  Key Requirements:
  (1) We have a collection of users from various institutions and groups within them.
  (2) (THE MAIN WRINKLE) A certain amount of overlap and movement between institutions is expected (group overlap will be common). A user who is in overlapping institutions or moves between them MUST use a single, shared identity and SHOULD maintain a stable identity (i.e. no DN changes).
  (3) Much of the user administration should be decentralized and done at the group level (within each specific institution). An administor of GroupA in Foo Institution should only be able to administer the users in GroupA at Foo, but must be able to control membership within GroupA. Special precautions are permitted to keep a Group-A/Foo administrator from hijacking an arbitrary user by adding the target user to Group-A/Foo.
  (4) The number of institutions is expected to be start around 40-50, and could scale to the thousands. The number of people will probably be around 5-20 times the number of institutions. The design should accomodate that scale.
  Additional Notes:
  (A) I don't see any alternative to keeping any organizational information out of the users' DN's, essentially flattening the users out (I've currently got them all in one container).
  (B) I can obviously setup a hierarchy of roles/groups in institutional containers to handle membership and group administrator lists. All Directory Server administration will be done by a small central team and everything can be in containers under a common root suffix.
  (C) We currently have the necessary skillsets to develop scripts and programs as needed. But 2 different application families (incompatible foundations -- Java vs. Cobol+Perl) are already scheduled for deployment against this (hopefully more will follow). This means it's not very practical to use one "LDAP Superuser" id and rely on the application to enforce security policies. We really want to put as much of the security into the Directory as possible (calling for individual LDAP admins w/ the appropriate rights), but we can supplement it where we need to.
  (D) It looks like I'll have to rely heavily on filters based on the values of particular attributes of each user (whether in ACI's, Filtered Roles, or the like). Unfortunately, I don't see many ways that I can actually build those filters to be dependent on attributes/values of different entries. But I'm still working on that.
  (E) Because of the number of institutions (and probable continous growth), writing a master upper-level ACL which has each institution & group explicitly coded is probably unwise due to size and stability. If I have to I could have a helper program custom-code each user's ACL differently and change it as needed. But that doesn't seem like a good solution.
  Right now the designs I'm tossing around are calling for combinations of (all/most of) Roles (Filtered & Nested), Groups, CoS Template & Password Policies (yeah, we need those too), Macro ACI's, and a small amount of helper scripts and programs. We're running 5.2 but can probably upgrade to 6.0 if I can cite a good enough reason.
  My current design is pretty ugly and complicated but probably attainable. If people are interested enough I'll post a cleansed summary once it's working.
  Has anyone tackled anything like this before, and does anyone see any cleaner approach I've missed?
  Thanks,
  -Scott-

  Hi-
  We're basically putting all the users in one big container making a flat space.
  We then create lots of roles, each of which corresponds to a particular combination of institution, application, and access type/level (the user is implicit as it contains the nsRole). If a user has multiple types of access to an application for a given institution then they will be in multiple corresponding roles.
  We have the roles grouped together in a subtree which is divided by institution (and could be further subdivided by application within each institution or placed in the reverse order). But because of the scoping restrictions on nsRole's only a nsNestedRoleDefinition can be placed at this location (using nsRoleScopeDN), the Managed and Filter "working roles" must be in a branch of the tree above all things which will be contained within them (we put it at the top of that naming suffix).
  According to the docs, queries will ignore a ldapSubEntry (which all of the nsRoleDefinition's are) unless specifically requested, so the fact that there are hundreds or thousands of roles defined at the top shouldn't matter. However, all of the GUI's I've tried displayed all the roles.
  Currently the application code parses the DN of the role names from the user's nsRole entry, NOT the nsRoleDN entry. There end up being a lot of intermediate roles which get ignored. It uses this to determine the access type(s) to be granted. This is really convenient since one query for the user gets everything. However it builds dependencies into the DN format which arguably probably shouldn't be depended on. I've considered defining custom schema attributes which would contain the application/institution/access tuples (which could also be helpful for building nsFilteredRoleDefinition's), but that represents another round of queries and more substantial code changes for the pilot application.
  Once in place, the roles can easily be nested and combined in various ways (such as "roll-up" roles containing all users of an application). They can also be used for password policies, CoS templates, and building ACI's. The last should be very helpful in enabling decentralized administration, but that's going to be pretty dependent on your security policy.
  An issue with decentralized administration and Managed Roles is that normally anyone who can modify a user's nsRoleDN attribute can place any role in there, which isn't desirable in this environment. I haven't moved forward with the ACI work yet, but it appears that the "targattrfilters" ACI keyword may allow this problem to be solved (possibly in conjunction with Macro ACI's). Using some custom attributes with filtered roles might make this easier.
  So, we could have something like this very incomplete LDIF (not checked for errors), only the really important attributes are shown. Also similar entities with the same naming patterns have been omitted.
  dn: cn=appusers,ou=webmail,ou=inst01,ou=institutions,o=naming-suffix
  objectClass: nsNestedRoleDefinition
  nsRoleDN: cn=managed-webmail-inst01-appusers,o=naming-suffix
  nsRoleDN: cn=filtered-webmail-inst01-appusers,o=naming-suffix
  nsRoleScopeDN: o=naming-suffix
  dn: cn=managed-webmail-inst01-appusers,o=naming-suffix
  objectClass: nsManagedRoleDefinition
  dn: cn=filtered-webmail-inst01-appusers,o=naming-suffix
  objectClass: nsFilteredRoleDefinition
  nsRoleFilter: (customAppInstAccess=webmail:inst01:user)
  dn: uid=jsmith,ou=users,o=naming-suffix
  nsRoleDN: cn=managed-webmail-inst01-appusers,o=naming-suffix
  nsRoleDN: cn=managed-webmail-inst01-appadmins,o=naming-suffix
  dn: uid=jappleseed,ou=users,o=naming-suffix
  nsRoleDN: cn=managed-webmail-inst01-appusers,o=naming-suffix
  customAppInstAccess: blogger:inst03:user
  customAppInstAccess: webmail:inst03:userSo jsmith's nsRole attribute would contain the following values (the ones above the blank line are the main entries, the others are intermediate role to be ignored):
  cn=appusers,ou=webmail,ou=inst01,ou=institutions,o=naming-suffix
  cn=appadmins,ou=webmail,ou=inst01,ou=institutions,o=naming-suffix
  cn=managed-webmail-inst01-appusers,o=naming-suffix
  cn=managed-webmail-inst01-appadmins,o=naming-suffixAnd jappleseed's nsRole attribute would contain the following values (the ones above the blank line are the main entries, the others are intermediate role to be ignored):
  cn=appusers,ou=webmail,ou=inst01,ou=institutions,o=naming-suffix
  cn=appusers,ou=blogger,ou=inst03,ou=institutions,o=naming-suffix
  cn=appusers,ou=webmail,ou=inst03,ou=institutions,o=naming-suffix
  cn=managed-webmail-inst01-appusers,o=naming-suffix
  cn=filtered-blogger-inst03-appusers,o=naming-suffix
  cn=filtered-webmail-inst03-appusers,o=naming-suffixIf that doesn't make sense, then you can email me details of what you're trying to do at <[email protected]>, but it may take some time before I can respond.
  -Scott-

• Managing LDAP groups and roles through SUN IDM

  Hi Guys,
  We have a requirement to build the following functionality in our Sun IDM tool.
  1.     Ability to create/manage Static LDAP group.
  2.     Ability to create/manage filtered LDAP group.
  3.     Ability to create/manage Static LDAP roles.
  4.     Ability to create/manage filtered LDAP roles.
  Can anyone let us know any pointers as to how to accomplish this or any ideas for the path to follow for this.
  Any reply will be appreciated.

  http://myidm.blogspot.com/2009/06/how-to-create-groups-in-ldap-or-active.html

• I need to filter my report based in group totals

  Hello
  I'm creating a report for the invoices tables, I need to have the sum of all invoices of the clients by month (only the past three months based in the date of the report). The sum of the invoices is also based in the Item Code.
  I retrive the vouchers to be sumarized with thw following formula:
  IF {INV1.ItemCode} Like "???DS*" AND
  {OINV.DocDate} >= DateValue(Year ({?Fecha}),(Month ({?Fecha}))-3,1) AND
  {OINV.DocDate} < DateValue(Year ({?Fecha}),(Month ({?Fecha}))-2,1)
  Then {INV1.TotalSumSy} Else 0
  Then I group the information By CardCode and sum the vouchers by total fields in crystal.
  But (here comes the problem)
  I want only view in my report only the clients with the sum of the invoices for each month is equal to 0
  Someone could help me telling me some way to do this type of filter
  Thanks in advance for your help

  Hi,
  Do you also have a group for Month?
  Try filtering the groups with a Group Selection Formula (Report > Selection Formulas > Group). Something like this:
  Sum(, {Card Code}) = 0
  Hope this helps!
  -Abhilash

• How to make Group clip it's content ?

  Currently I've done this by using the clipAndEnableScrolling="true" property and my case scenario is simple:
  <s:Group width="100%" height="100%" clipAndEnableScrolling="true">
       <s:Group id="bgOver" width="100%" height="100%">
          <s:Group y="-4" height="{bgOver.height+4}">
            <s:Rect width="100%" height="100%">
               <s:fill>
                   <s:SolidColor color="0x000000" />
               </s:fill>
           </s:Rect>
          </s:Group>
          <s:filters>
              <s:GlowFilter blurX="4" blurY="4" color="0xbcc2ca" alpha="0.70" inner="true" knockout="true" />
          </s:filters>
      </s:Group>
  </s:Group>
  When you have an inner Glow but you want to have it on left right and bottom but not top for example case like tab bar above, what I do is increase the height of the background by the blurX/Y value and move it y = - blurX/Y value. So it gets outside of the container and gets cut off.
  It's not cut off till I set clipAndEnableScrolling="true", although I don't want to scroll anything, I just want to clip. I could also mask for example...
  That's why I am asking what's the right way to clip? Anyone?

  thanks!