<html>
<head>
<base href="https://docs.jboss.org/author">
<link rel="stylesheet" href="/author/s/en/2172/19/5/_/styles/combined.css?spaceKey=TEIID&forWysiwyg=true" type="text/css">
</head>
<body style="background: white;" bgcolor="white" class="email-body">
<div id="pageContent">
<div id="notificationFormat">
<div class="wiki-content">
<div class="email">
<h2><a href="https://docs.jboss.org/author/display/TEIID/XML+Definition">XML Definition</a></h2>
<h4>Page <b>edited</b> by <a href="https://docs.jboss.org/author/display/~shawkins">Steven Hawkins</a>
</h4>
<br/>
<h4>Changes (2)</h4>
<div id="page-diffs">
<table class="diff" cellpadding="0" cellspacing="0">
<tr><td class="diff-snipped" >...<br></td></tr>
<tr><td class="diff-unchanged" >*Language Access* <br> <br></td></tr>
<tr><td class="diff-changed-lines" >The following shows <span class="diff-deleted-words"style="color:#999;background-color:#fdd;text-decoration:line-through;">the</span> <span class="diff-added-words"style="background-color: #dfd;">a</span> vdb xml that allows the use of the javascript language. The allowed-languages property enables the languages use for any purpose in the vdb, while the allow-language permission allows the language to be used by users with RoleA. <br></td></tr>
<tr><td class="diff-unchanged" > <br>{code:XML|title=vdb.xml allowing JavaScript access}<?xml version="1.0" encoding="UTF-8"?> <br></td></tr>
<tr><td class="diff-snipped" >...<br></td></tr>
<tr><td class="diff-unchanged" ></vdb> <br>{code} <br></td></tr>
<tr><td class="diff-added-lines" style="background-color: #dfd;"> <br>*Conditional Access* <br> <br>The following shows a vdb xml utilizing a condition to restrict access. The condition acts as both a filter and constraint. Even though RoleA opens up read/insert access to modelName.tblName, the base-role condition will ensure that only values of column1 matching the current user can be read or inserted. <br> <br>{code:XML|title=vdb.xml allowing JavaScript access}<?xml version="1.0" encoding="UTF-8"?> <br><vdb name="sample" version="1"> <br> <br> <property name="allowed-languages" value="javascript"/> <br> <br> <model name="modelName"> <br> <source name="source-name" translator-name="oracle" connection-jndi-name="java:myDS" /> <br> </model> <br> <br> <data-role name="base-role" any-authenticated="true"> <br> <description>Conditional access</description> <br> <br> <permission> <br> <resource-name>modelName.tblName</resource-name> <br> <condition>column1=user()</condition> <br> </permission> <br> <br> </data-role> <br> <br> <data-role name="RoleA"> <br> <description>Read/Insert access.</description> <br> <br> <permission> <br> <resource-name>modelName.tblName</resource-name> <br> <allow-read>true</allow-read> <br> <allow-create>true</allow-create> <br> </permission> <br> <br> <mapped-role-name>role1</mapped-role-name> <br> <br> </data-role> <br> <br></vdb> <br>{code} <br></td></tr>
</table>
</div> <h4>Full Content</h4>
<div class="notificationGreySide">
<p>Data roles are defined inside the <tt>vdb.xml</tt> file (inside the .vdb Zip archive under META-INF/vdb.xml) if you used Designer. The "vdb.xml" file is checked against the schema file <tt>vdb-deployer.xsd</tt>, which can be found in the kit under docs/teiid/schema. This example will show a sample "vdb.xml" file with few simple data roles.</p>
<p>For example, if a VDB defines a table "TableA" in schema "modelName" with columns (column1, column2) - note that the column types do not matter. And we wish to define three roles "RoleA", "RoleB", "RoleC" with following permissions:</p>
<ol>
<li>RoleA has permissions to read, write access to TableA, but can not delete.</li>
<li>RoleB has no permissions that allow access to TableA</li>
<li>RoleC has permissions that only allow read access to TableA.column1</li>
</ol>
<div class="code panel" style="border-width: 1px;"><div class="codeHeader panelHeader" style="border-bottom-width: 1px;"><b>vdb.xml defining RoleA, RoleB, and RoleC</b></div><div class="codeContent panelContent">
<pre class="theme: Confluence; brush: xml; gutter: false" style="font-size:12px; font-family: ConfluenceInstalledFont,monospace;"><?xml version="1.0" encoding="UTF-8"?>
<vdb name="sample" version="1">
<model name="modelName">
<source name="source-name" translator-name="oracle" connection-jndi-name="java:myDS" />
</model>
<data-role name="RoleA">
<description>Allow all, except Delete</description>
<permission>
<resource-name>modelName.TableA</resource-name>
<allow-create>true</allow-create>
<allow-read>true</allow-read>
<allow-update>true</allow-update>
</permission>
<mapped-role-name>role1</mapped-role-name>
</data-role>
<data-role name="RoleC">
<description>Allow read only</description>
<permission>
<resource-name>modelName.TableA</resource-name>
<allow-read>true</allow-read>
</permission>
<permission>
<resource-name>modelName.TableA.colum2</resource-name>
<allow-read>false</allow-read>
</permission>
<mapped-role-name>role2</mapped-role-name>
</data-role>
</vdb>
</pre>
</div></div>
<p>The above XML defined two data roles, "RoleA" which allows everything except delete on the table, "RoleC" that allows only read operation on the table. Since Teiid uses deny by default, there is no explicit data-role entry needed for "RoleB". Note that explicit column permissions are not needed for RoleA, since the parent resource path, modelName.TableA, permissions still apply. RoleC however must explicitly disallow read to column2.</p>
<p>The "mapped-role-name" defines the container JAAS roles that are assigned the data role. For assigning roles to your users in the JBoss AS, check out the instructions for the selected Login Module. Check the "Admin Guide" for configuring Login Modules.</p>
<p><b>Additional Role Attributes</b></p>
<p>You may also choose to allow any authenticated user to have a data role by setting the any-authenticated attribute value to true on data-role element.</p>
<p>The "allow-create-temporary-tables" data-role boolean attribute is used to explicitly enable or disable temporary table usage for the role. If it is left unspecified, then the value will be defaulted to false.</p>
<div class="code panel" style="border-width: 1px;"><div class="codeHeader panelHeader" style="border-bottom-width: 1px;"><b>Temp Table Role for Any Authenticated</b></div><div class="codeContent panelContent">
<pre class="theme: Confluence; brush: xml; gutter: false" style="font-size:12px; font-family: ConfluenceInstalledFont,monospace;">
<data-role name="role" any-authenticated="true" allow-create-temporary-tables="true">
<description>Temp Table Role for Any Authenticated</description>
<permission>
...
</permission>
</data-role>
</pre>
</div></div>
<p><b>Language Access</b></p>
<p>The following shows a vdb xml that allows the use of the javascript language. The allowed-languages property enables the languages use for any purpose in the vdb, while the allow-language permission allows the language to be used by users with RoleA.</p>
<div class="code panel" style="border-width: 1px;"><div class="codeHeader panelHeader" style="border-bottom-width: 1px;"><b>vdb.xml allowing JavaScript access</b></div><div class="codeContent panelContent">
<pre class="theme: Confluence; brush: xml; gutter: false" style="font-size:12px; font-family: ConfluenceInstalledFont,monospace;"><?xml version="1.0" encoding="UTF-8"?>
<vdb name="sample" version="1">
<property name="allowed-languages" value="javascript"/>
<model name="modelName">
<source name="source-name" translator-name="oracle" connection-jndi-name="java:myDS" />
</model>
<data-role name="RoleA">
<description>Read and javascript access.</description>
<permission>
<resource-name>modelName</resource-name>
<allow-read>true</allow-read>
</permission>
<permission>
<resource-name>javascript</resource-name>
<allow-language>true</allow-language>
</permission>
<mapped-role-name>role1</mapped-role-name>
</data-role>
</vdb>
</pre>
</div></div>
<p><b>Conditional Access</b></p>
<p>The following shows a vdb xml utilizing a condition to restrict access. The condition acts as both a filter and constraint. Even though RoleA opens up read/insert access to modelName.tblName, the base-role condition will ensure that only values of column1 matching the current user can be read or inserted.</p>
<div class="code panel" style="border-width: 1px;"><div class="codeHeader panelHeader" style="border-bottom-width: 1px;"><b>vdb.xml allowing JavaScript access</b></div><div class="codeContent panelContent">
<pre class="theme: Confluence; brush: xml; gutter: false" style="font-size:12px; font-family: ConfluenceInstalledFont,monospace;"><?xml version="1.0" encoding="UTF-8"?>
<vdb name="sample" version="1">
<property name="allowed-languages" value="javascript"/>
<model name="modelName">
<source name="source-name" translator-name="oracle" connection-jndi-name="java:myDS" />
</model>
<data-role name="base-role" any-authenticated="true">
<description>Conditional access</description>
<permission>
<resource-name>modelName.tblName</resource-name>
<condition>column1=user()</condition>
</permission>
</data-role>
<data-role name="RoleA">
<description>Read/Insert access.</description>
<permission>
<resource-name>modelName.tblName</resource-name>
<allow-read>true</allow-read>
<allow-create>true</allow-create>
</permission>
<mapped-role-name>role1</mapped-role-name>
</data-role>
</vdb>
</pre>
</div></div>
</div>
<div id="commentsSection" class="wiki-content pageSection">
<div style="float: right;" class="grey">
<a href="https://docs.jboss.org/author/users/removespacenotification.action?spaceKey=TEIID">Stop watching space</a>
<span style="padding: 0px 5px;">|</span>
<a href="https://docs.jboss.org/author/users/editmyemailsettings.action">Change email notification preferences</a>
</div>
<a href="https://docs.jboss.org/author/display/TEIID/XML+Definition">View Online</a>
|
<a href="https://docs.jboss.org/author/pages/diffpagesbyversion.action?pageId=18646278&revisedVersion=6&originalVersion=5">View Changes</a>
|
<a href="https://docs.jboss.org/author/display/TEIID/XML+Definition?showComments=true&showCommentArea=true#addcomment">Add Comment</a>
</div>
</div>
</div>
</div>
</div>
</body>
</html>