There are 2 problems with this logic:

* will only apply values that are existing in the section access table.
For the above example, if there's also a value for country like "DE" and no user is given the section access for "DE", then * will not include "DE".

A solution for this could be to load all distinct values to a dummy user, fine.

But the main problem with the following

ACCESS, USERID, REGION, COUNTRY, BRANCH, PRODUCT
ADMIN, DOMAIN\USER1, EU, *, *, IMPORT
ADMIN, DOMAIN\USER1, EU, HU, BUD, EXPORT

is that Section Access will take combine everything with an AND relation. Therefore the user will not only see "EXPORT" (product) for "BUD" (branch), but they'll see "EXPORT" for all EU countries.

@marcus_sommer 

I think the efforts to create all necessary combinations is usually overrated because often they could be rather simply created with loop- and/or join-approaches - which might be used very dedicated or maybe in a cartesian logic, like:

t: load distinct User from Users; join(t) load distinct Country from Countries;

and then mappings (might be created in similar ways) are used to apply the relevant values and afterwards may come some filter to remove the non-matching.

I'll have to give myself some time to interpret this, because currently it's not getting together in my mind.

Related to loading all distinct values to "counter" the wildcard problem, thank you, that's been my idea as well, I'm / I was just looking to see if there's something sophisticated in 2025.

I think it's a quite common behaviour of an authorization - only listed values get an access + any denying will overwrite all permissions + all conditions are always associated per AND (never enabling any kind of OR logic).

In my earlier days I regarded it as a weakness but nowadays I like this simplified approach because it avoids mistakes within more complex logic - already during the development and later by maintaining it and/or by changes within the data-set.

This doesn't mean that no OR logic could be used to define the wanted accesses else that they then need to be resolved to an appropriate AND records. Like above hinted this mustn't be done manually else could be created within the script with native transformation-processes.

Beside this you are intending to use multiple fields for the authorization which will probably reside in different tables. AFAIK it's possible to build such logic. But it will have it's costs - with a higher complexity and/or the lost of using the wildcard-feature. Personally I would try to reduce it by concatenating the fields, maybe like:

F1 & '|' & F2 as AccessKey

and also reducing the number of the associated tables or implementing it against the fact-table.

Meant was that all existing field-values are already known before a section access implementation should happens because everything were already loaded within previous layers and could be there quite easily extracted and stored.

Thinking it further it may also be useful to add an own authorization layer between the generator- and data-model layers which which creates n versions of authorizations which are later just picked.