We have a rates portlet and all our super users can see all resources and portlets, so the way we got round it was by checking the logged in user's group membership: if they're not in our admin group then they get nothing back in the portlet. I've attached the whole NSQL if anybody wants it (MS-SQL) - if your matrix columns are different then obviously you will need to tweak this.
SELECT @SELECT:DIM:USER_DEF:IMPLIED:RESOURCE:X.UID:UID@,
@SELECT:DIM_PROP:USER_DEF:IMPLIED:RESOURCE:X.MATRIX:MATRIX@,
@SELECT:DIM_PROP:USER_DEF:IMPLIED:RESOURCE:X.FROMDATE:FROMDATE@,
@SELECT:DIM_PROP:USER_DEF:IMPLIED:RESOURCE:X.TODATE:TODATE@,
@SELECT:DIM_PROP:USER_DEF:IMPLIED:RESOURCE:X.RESOURCE_CODE:RESOURCE_ID@,
@SELECT:DIM_PROP:USER_DEF:IMPLIED:RESOURCE:X.RESOURCE_INT_ID:RESOURCE_INT_ID@,
@SELECT:DIM_PROP:USER_DEF:IMPLIED:RESOURCE:X.RESOURCE:RESOURCE@,
@SELECT:DIM_PROP:USER_DEF:IMPLIED:RESOURCE:X.EMPLOYMENT:EMPLOYMENT@,
@SELECT:DIM_PROP:USER_DEF:IMPLIED:RESOURCE:X.TRANSCLASS:TRANSCLASS@,
@SELECT:DIM_PROP:USER_DEF:IMPLIED:RESOURCE:X.PROJECT_CODE:PROJECT_CODE@,
@SELECT:DIM_PROP:USER_DEF:IMPLIED:RESOURCE:X.LAST_UPDATED_DATE:LUD@,
@SELECT:DIM_PROP:USER_DEF:IMPLIED:RESOURCE:X.LAST_UPDATED_BY:LUB@,
@SELECT:DIM_PROP:USER_DEF:IMPLIED:RESOURCE:X.ROW_URL:MATRIX_URL@,
@SELECT:METRIC:USER_DEF:IMPLIED:X.RATE:RATE@,
@SELECT:METRIC:USER_DEF:IMPLIED:X.STANDARD_COST:STANDARD_COST@,
@SELECT:METRIC:USER_DEF:IMPLIED:X.ACTUAL_COST:ACTUAL_COST@
FROM
(select
val.matrixrowkey as uid
,m.description as matrix
,val.fromdate
,val.todate
,isnull(r.unique_name, '*') resource_code
,r.id as resource_int_id
,isnull(r.full_name,'*') resource
,(select name from cmn_lookups_v where language_code ='en' and lookup_type = 'srm_resource_type' and id = r.person_type) as employment
,isnull(val.value4, pac.transclass) as transclass
,isnull(val.value3, '*') as project_code
,numval1 rate
,numval2 standard_cost
,numval3 actual_cost
,niku.cmn_trunc_date_fct(val.last_updated_date) as last_updated_date
,(select user_name from cmn_sec_users u where u.id = val.last_updated_by) last_updated_by
from
ppa_matrix m inner join ppa_matrixvalues val on m.matrixkey = val.matrixkey
inner join srm_resources r on r.unique_name= val.value2
inner join pac_mnt_resources pac on r.id = pac.id
inner join prj_resources pr on r.id = pr.prid
where
(r.is_active = 1 or year(date_of_termination) = year(getdate()) )
and ((pr.prisopen = @WHERE:PARAM:USER_DEF:INTEGER:OPEN_TE@) or (@WHERE:PARAM:USER_DEF:INTEGER:OPEN_TE@ is null))
and ((r.id = @WHERE:PARAM:USER_DEF:INTEGER:RESOURCE_ID@) or (@WHERE:PARAM:USER_DEF:INTEGER:RESOURCE_ID@ is null))
and ((m.matrixkey = @WHERE:PARAM:USER_DEF:INTEGER:MATRIXKEY@) or (@WHERE:PARAM:USER_DEF:INTEGER:MATRIXKEY@ is null))
and ((isnull(val.value4, pac.transclass) = @WHERE:PARAM:USER_DEF:STRING:TRANSCLASS@) or (@WHERE:PARAM:USER_DEF:STRING:TRANSCLASS@ is null))
and ((r.person_type = @WHERE:PARAM:USER_DEF:INTEGER:EMPLOYMENT@) or (@WHERE:PARAM:USER_DEF:INTEGER:EMPLOYMENT@ is null))
/* Only show most recent matrix row values */
and getdate() between fromdate and todate
/* If current user not in Admin then return nothing */
and case when exists
(select ug.user_id
from cmn_sec_user_groups ug,
cmn_sec_groups g
where g.id = ug.group_id
and g.group_code = 'admin_group'
and ug.user_id = @WHERE:PARAM:USER_ID@)
then 1 else 0 end = 1
/*OBS Filtering */
and exists (select 1 FROM
prj_obs_associations assoc
LEFT OUTER JOIN prj_obs_units_flat flat ON assoc.unit_id = flat.unit_id
AND assoc.table_name = 'SRM_RESOURCES'
WHERE ((r.id = assoc.record_id) AND flat.branch_unit_id = isnull(@where:param:user_def:integer:obs_id@, flat.branch_unit_id) ))
) as X
WHERE
@FILTER@
Owen