[teiid-issues] [JBoss JIRA] (TEIID-2311) Add simple row based security to data roles

Steven Hawkins (JIRA) jira-events at lists.jboss.org
Mon Dec 3 14:36:21 EST 2012


     [ https://issues.jboss.org/browse/TEIID-2311?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Steven Hawkins updated TEIID-2311:
----------------------------------

    Fix Version/s: 8.3

    
> Add simple row based security to data roles
> -------------------------------------------
>
>                 Key: TEIID-2311
>                 URL: https://issues.jboss.org/browse/TEIID-2311
>             Project: Teiid
>          Issue Type: Feature Request
>          Components: Query Engine
>    Affects Versions: 8.2
>            Reporter: Steven Hawkins
>            Assignee: Steven Hawkins
>             Fix For: 8.3
>
>
> A common request is to implement row based security.  The common workaround of modifying transformations is generally not a good solution.
> We should look at adding support for simple table filters and column masks.
> To be effective, filtering permissions however would have to act differently than normal data roles.  They would need to be applied all the time - and not just against the end user queries.
> For example, for tables:
>  <permission>
>    <resource-name>SCHEMA.TABLE</resource-name>
>    <filter>COLUMNA=2</filter>
>  </permission> 
> Meaning allow the CRUD of the given row only if COLUMNA has the value of 2.  Any valid predicate against just the referenced table would be allowed as a filter.  Each such permission would be applied as an additional predicate any time the table is referenced (in views, inserts, updates, deletes, etc.).  
> Allows would not be specified here as we want the filter to always specify inclusion.  Any applicable permissions in additional roles would be applied disjunctively - filter OR filter.  
> We could possibly support column masks via case expressions, such as:
>  <permission>
>    <resource-name>SCHEMA.TABLE.COLUMN</resource-name>
>    <mask>CASE WHEN ...</mask>
>  </permission> 
> However this is slightly more complicated.  Presumably the mask would only apply to projection and makes more sense to be applied at the final output/user query (more like a data role).  
> If we work the issue to specify the object type of a permission, then the name could alternatively refer to datatype or even an extension property to make the masking a little easier.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
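
The filter semantics proposed in the issue above (filters from all of a user's roles combined with OR, then applied as an additional predicate on every reference to the table, including deletes), as an added example that is not part of the original message and is not Teiid code. Assumptions: the `<roles>` wrapper, the role names `team2`/`team3`, and the helpers `row_filter`, `guarded` and `demo` are hypothetical; SQLite stands in for the query engine; a user with no filter on the table gets no extra predicate, a case the issue does not specify.

```python
import sqlite3
import xml.etree.ElementTree as ET

# Constructed sample: the <roles> wrapper and role names are hypothetical;
# the <permission> bodies follow the shape proposed in the issue.
ROLES_XML = """<roles>
 <data-role name="team2"><permission>
   <resource-name>SCHEMA.TABLE</resource-name><filter>COLUMNA=2</filter>
 </permission></data-role>
 <data-role name="team3"><permission>
   <resource-name>SCHEMA.TABLE</resource-name><filter>COLUMNA=3</filter>
 </permission></data-role>
</roles>"""

def row_filter(user_roles, resource):
    """OR together every <filter> on `resource` from the roles the user holds."""
    filters = []
    for role in ET.fromstring(ROLES_XML).iter("data-role"):
        if role.get("name") in user_roles:
            for perm in role.iter("permission"):
                if perm.findtext("resource-name") == resource:
                    text = (perm.findtext("filter") or "").strip()
                    if text:
                        filters.append(f"({text})")
    return " OR ".join(filters) or None

def guarded(head, where, predicate):
    """Add the row filter as an extra predicate. Each side is parenthesized so
    an OR in the caller's WHERE cannot bypass the filter via AND precedence."""
    clauses = [f"({c})" for c in (where, predicate) if c]
    return head + (" WHERE " + " AND ".join(clauses) if clauses else "")

def demo(user_roles):
    """Return (rows visible to SELECT, rows removed by DELETE, rows left)."""
    db = sqlite3.connect(":memory:")
    db.execute('CREATE TABLE "SCHEMA.TABLE" (COLUMNA INTEGER)')
    db.executemany('INSERT INTO "SCHEMA.TABLE" VALUES (?)', [(1,), (2,), (3,), (4,)])
    # Filter text is administrator-defined role configuration, not user input.
    pred = row_filter(user_roles, "SCHEMA.TABLE")
    select = guarded('SELECT COLUMNA FROM "SCHEMA.TABLE"', "COLUMNA=1 OR COLUMNA>=2", pred)
    seen = sorted(r[0] for r in db.execute(select))
    deleted = db.execute(guarded('DELETE FROM "SCHEMA.TABLE"', None, pred)).rowcount
    left = sorted(r[0] for r in db.execute('SELECT COLUMNA FROM "SCHEMA.TABLE"'))
    return seen, deleted, left

if __name__ == "__main__":
    print(demo({"team2"}))
    print(demo({"team2", "team3"}))
```

Appending the filter without the parentheses would yield `COLUMNA=1 OR COLUMNA>=2 AND COLUMNA=2`, which also returns the row with COLUMNA=1 that the filter is meant to exclude.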

