<html>
<head>
<base href="https://docs.jboss.org/author">
<link rel="stylesheet" href="/author/s/en/2172/19/5/_/styles/combined.css?spaceKey=TEIID&forWysiwyg=true" type="text/css">
</head>
<body style="background: white;" bgcolor="white" class="email-body">
<div id="pageContent">
<div id="notificationFormat">
<div class="wiki-content">
<div class="email">
<h2><a href="https://docs.jboss.org/author/display/TEIID/Permissions">Permissions</a></h2>
<h4>Page <b>edited</b> by <a href="https://docs.jboss.org/author/display/~shawkins">Steven Hawkins</a>
</h4>
<div id="versionComment">
<b>Comment:</b>
updating limitations<br />
</div>
<br/>
<h4>Changes (1)</h4>
<div id="page-diffs">
<table class="diff" cellpadding="0" cellspacing="0">
<tr><td class="diff-snipped" >...<br></td></tr>
<tr><td class="diff-unchanged" > <br>A typical approach to adding condition permissions would be in an any authenticated role such that the conditions are generalized for all users/roles using the hasRole, user, and other such functions. <br></td></tr>
<tr><td class="diff-added-lines" style="background-color: #dfd;"> <br>Conditions are enforced even for materialized view loads. You should ensure that tables consumed to produce materialized views do not have conditions on them that could affect the materialized view results. <br> <br>Conditions on source tables that act as check constraints must currently not contain subqueries. <br></td></tr>
</table>
</div> <h4>Full Content</h4>
<div class="notificationGreySide">
<h1><a name="Permissions-UserQueryPermissions"></a>User Query Permissions</h1>
<p>CREATE, READ, UPDATE, DELETE (CRUD) permissions can be set for any resource path in a VDB. A resource path can be as specific as the fully qualified name of a column or as general a top level model (schema) name. Permissions granted to a particular path apply to it and any resource paths that share the same partial name. For example, granting read to "model" will also grant read to "model.table", "model.table.column", etc. Allowing or denying a particular action is determined by searching for permissions from the most to least specific resource paths. The first permission found with a specific allow or deny will be used. Thus it is possible to set very general permissions at high-level resource path names and to override only as necessary at more specific resource paths.</p>
<p>Permission grants are only needed for resources that a role needs access to. Permissions are also only applied to the columns/tables/procedures in the user query - not to every resource accessed transitively through view and procedure definitions. It is important therefore to ensure that permission grants are applied consistently across models that access the same resources.</p>
<div class='panelMacro'><table class='warningMacro'><colgroup><col width='24'><col></colgroup><tr><td valign='top'><img src="/author/images/icons/emoticons/forbidden.gif" width="16" height="16" align="absmiddle" alt="" border="0"></td><td>Unlike previous versions of Teiid, non-visible models are accessible by user queries. To restrict user access at a model level, at least one data role should be created to enable data role checking. In turn that role can be mapped to any authenticated user and should not grant permissions to models that should be inaccessable.</td></tr></table></div>
<p>Permissions are not applicable to the SYS and pg_catalog schemas. These metadata reporting schemas are always accessible regardless of the user. The SYSADMIN schema however may need permissions as applicable.</p>
<p>To process a <em>SELECT</em> statement or a stored procedure execution, the user account requires the following access rights:</p>
<ul>
<li><em>READ</em>- on the Table(s) being accessed or the procedure being called.</li>
<li><em>READ</em>- on every column referenced.</li>
</ul>
<p>To process an <em>INSERT</em> statement, the user account requires the following access rights:</p>
<ul>
<li><em>CREATE</em>- on the Table being inserted into.</li>
<li><em>CREATE</em>- on every column being inserted on that Table.</li>
</ul>
<p>To process an <em>UPDATE</em> statement, the user account requires the following access rights:</p>
<ul>
<li><em>UPDATE</em>- on the Table being updated.</li>
<li><em>UPDATE</em>- on every column being updated on that Table.</li>
<li><em>READ</em>- on every column referenced in the criteria.</li>
</ul>
<p>To process a <em>DELETE</em> statement, the user account requires the following access rights:</p>
<ul>
<li><em>DELETE</em>- on the Table being deleted.</li>
<li><em>READ</em>- on every column referenced in the criteria.</li>
</ul>
<p>To process a <em>EXEC/CALL</em> statement, the user account requires the following access rights:</p>
<ul>
<li><em>EXECUTE (or READ)</em>- on the Procedure being executed.</li>
</ul>
<p>To process any function, the user account requires the following access rights:</p>
<ul>
<li><em>EXECUTE (or READ)</em>- on the Function being called.</li>
</ul>
<p>To process any ALTER or CREATE TRIGGER statement, the user account requires the following access rights:</p>
<ul>
<li><em>ALTER</em>- on the view or procedure that is effected. INSTEAD OF Triggers (update procedures) are not yet treated as full schema objects and are instead treated as attributes of the view.</li>
</ul>
<p>To process any OBJECTTABLE function, the user account requires the following access rights:</p>
<ul>
<li><em>LANGUAGE</em> - specifying the language name that is allowed.</li>
</ul>
<p>To process any statement against a Teiid temporary table requires the following access rights:</p>
<ul>
<li>allow-create-temporary-tables attribute on any applicable role</li>
<li><em>CREATE</em>- against the target source/schema if defining a FOREIGN temporary table.</li>
</ul>
<h1><a name="Permissions-RowbasedSecurityConditions"></a>Row-based Security Conditions</h1>
<p>A permission against a fully qualified table/view/procedure may also specify a condition. Unlike the allow actions defined above, a condition is always applied - not just at the user query level. The condition can be any valid SQL referencing the columns of the table/view/procedure. The condition will act as a row-based filter and as a checked constraint for insert/update operations.</p>
<h3><a name="Permissions-HowConditionsAreApplied"></a>How Conditions Are Applied</h3>
<p>A condition is applied conjunctively to update/delete/select where clauses against the affected resource. Those queries will therefore only ever be effective against the subset of rows that pass the condition, i.e. "SELECT * FROM TBL WHERE blah <b>AND condition</b>". The condition will be present regardless of how the table/view is used in the query, whether via a union, join, etc.</p>
<p>Inserts and updates against physical tables affected by a condition are further validated so that the insert/change values must pass the condition (evaluate to true) for the insert/update to succeed - this is effectively the same a SQL constraint. This will happen for all styles of insert/update - insert with query expression, bulk insert/update, etc. Inserts/updates against views are not checked with regards to the constraint.</p>
<p>Within the same role or across multiple applicable roles if more than one condition applies to the same resource, the conditions will be accumulated disjunctively via OR, i.e. "(condition1) <b>OR</b> (condition2) ..."</p>
<h3><a name="Permissions-ConsiderationsWhenUsingConditions"></a>Considerations When Using Conditions</h3>
<p>Non-pushdown conditions may adversely impact performance, since their evaluation may inhibit pushdown of query constructs on top of the affected resource. Multiple conditions against the same resource should generally be avoided as any non-pushdown condition will cause the entire OR of conditions to not be pushed down.</p>
<p>Pushdown of multi-row insert/update operations will be inhibited since the condition must be checked for each row.</p>
<p>A typical approach to adding condition permissions would be in an any authenticated role such that the conditions are generalized for all users/roles using the hasRole, user, and other such functions.</p>
<p>Conditions are enforced even for materialized view loads. You should ensure that tables consumed to produce materialized views do not have conditions on them that could affect the materialized view results.</p>
<p>Conditions on source tables that act as check constraints must currently not contain subqueries.</p>
</div>
<div id="commentsSection" class="wiki-content pageSection">
<div style="float: right;" class="grey">
<a href="https://docs.jboss.org/author/users/removespacenotification.action?spaceKey=TEIID">Stop watching space</a>
<span style="padding: 0px 5px;">|</span>
<a href="https://docs.jboss.org/author/users/editmyemailsettings.action">Change email notification preferences</a>
</div>
<a href="https://docs.jboss.org/author/display/TEIID/Permissions">View Online</a>
|
<a href="https://docs.jboss.org/author/pages/diffpagesbyversion.action?pageId=18646276&revisedVersion=9&originalVersion=8">View Changes</a>
|
<a href="https://docs.jboss.org/author/display/TEIID/Permissions?showComments=true&showCommentArea=true#addcomment">Add Comment</a>
</div>
</div>
</div>
</div>
</div>
</body>
</html>