7:23 a.m.
Looking at vdb-deployer.xsd and the "data-policy" element....
I'm not sure how we inject table/column-specific permissions from Designer?
The "permission" complex type contains CRUD values for a
"resource-name" element. Is this element supposed to be used for a named object
within a model like the table: PartsOracle.PARTS.SUPPLIER?
I created a sample xml fragment below. Can you comment?
<data-policy name="HR Model Data Policy">
<description>Access to HR department to create, read, update and delete personnel
records.</description>
<permission>
<resource-name> HROracleAllView </resource-name>
<allow-create>TRUE</allow-create>
<allow-read>TRUE</allow-read>
<allow-update>TRUE</allow-update>
<allow-delete>TRUE</allow-delete>
</permission>
<permission>
<resource-name> HROracleAllView.Management.Payrol l </resource-name>
<allow-create>FALSE</allow-create>
<allow-read>TRUE</allow-read>
<allow-update>FALSE</allow-update>
<allow-delete>FALSE</allow-delete>
</permission>
<permission>
<resource-name> HROracleAllView.Salary.Payroll </resource-name>
<allow-create>TRUE</allow-create>
<allow-read>TRUE</allow-read>
<allow-update>TRUE</allow-update>
<allow-delete>TRUE</allow-delete>
</permission>
<mapped-role-name>Full Personnel Records</mapped-role-name>
</data-policy>
<xs:element name="data-policy" minOccurs="0"
maxOccurs="unbounded">
<xs:complexType>
<xs:sequence>
<xs:element name="description" type="xs:string"
minOccurs="0"/>
<xs:element name="permission" minOccurs="1"
maxOccurs="unbounded">
<xs:complexType>
<xs:sequence>
<xs:element name="resource-name" type="xs:string"/>
<xs:element name="allow-create" type="xs:boolean"
minOccurs="0"/>
<xs:element name="allow-read" type="xs:boolean"
minOccurs="0"/>
<xs:element name="allow-update" type="xs:boolean"
minOccurs="0"/>
<xs:element name="allow-delete" type="xs:boolean"
minOccurs="0"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="mapped-role-name" type="xs:string"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="name" type="xs:string"
use="required"/>
</xs:complexType>
</xs:element>
Barry
8:39 a.m.
Yes. "resource-name" should contain the full name of the table.
Ramesh..
On Mon, 2010-07-19 at 08:23 -0400, Barry Lafond wrote:
Looking at vdb-deployer.xsd and the "data-policy"
element....
I'm not sure how we inject table/column-specific permissions from
Designer?
The "permission" complex type contains CRUD values for a
"resource-name" element. Is this element supposed to be used for a
named object within a model like the table:
PartsOracle.PARTS.SUPPLIER?
I created a sample xml fragment below. Can you comment?
<data-policy name="HR Model Data Policy">
<description>Access to HR department to create, read, update and
delete personnel records.</description>
<permission>
<resource-name>HROracleAllView</resource-name>
<allow-create>TRUE</allow-create>
<allow-read>TRUE</allow-read>
<allow-update>TRUE</allow-update>
<allow-delete>TRUE</allow-delete>
</permission>
<permission>
<resource-name>HROracleAllView.Management.Payroll</resource-name>
<allow-create>FALSE</allow-create>
<allow-read>TRUE</allow-read>
<allow-update>FALSE</allow-update>
<allow-delete>FALSE</allow-delete>
</permission>
<permission>
<resource-name>HROracleAllView.Salary.Payroll</resource-name>
<allow-create>TRUE</allow-create>
<allow-read>TRUE</allow-read>
<allow-update>TRUE</allow-update>
<allow-delete>TRUE</allow-delete>
</permission>
<mapped-role-name>Full Personnel Records</mapped-role-name>
</data-policy>
<xs:element name="data-policy" minOccurs="0"
maxOccurs="unbounded">
<xs:complexType>
<xs:sequence>
<xs:element name="description" type="xs:string"
minOccurs="0"/>
<xs:element name="permission" minOccurs="1"
maxOccurs="unbounded">
<xs:complexType>
<xs:sequence>
<xs:element name="resource-name"
type="xs:string"/>
<xs:element name="allow-create"
type="xs:boolean" minOccurs="0"/>
<xs:element name="allow-read"
type="xs:boolean" minOccurs="0"/>
<xs:element name="allow-update"
type="xs:boolean" minOccurs="0"/>
<xs:element name="allow-delete"
type="xs:boolean" minOccurs="0"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="mapped-role-name" type="xs:string"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="name" type="xs:string"
use="required"/>
</xs:complexType>
</xs:element>
Barry
_______________________________________________
teiid-dev mailing list
teiid-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/teiid-dev
9:14 a.m.
On Jul 19, 2010, at 7:23 AM, Barry Lafond wrote:
<permission>
<resource-name>HROracleAllView.Management.Payroll</resource-name>
<allow-create>FALSE</allow-create>
<allow-read>TRUE</allow-read>
<allow-update>FALSE</allow-update>
<allow-delete>FALSE</allow-delete>
</permission>
<xs:element name="permission" minOccurs="1"
maxOccurs="unbounded">
<xs:complexType>
<xs:sequence>
<xs:element name="resource-name"
type="xs:string"/>
<xs:element name="allow-create"
type="xs:boolean" minOccurs="0"/>
<xs:element name="allow-read"
type="xs:boolean" minOccurs="0"/>
<xs:element name="allow-update"
type="xs:boolean" minOccurs="0"/>
<xs:element name="allow-delete"
type="xs:boolean" minOccurs="0"/>
</xs:sequence>
</xs:complexType>
</xs:element>
One minor thing I'd point out: Since these are Boolean values (and the schema has
already defined them as optional), the schema should also provide a default value for each
of the "allow" elements, and the vdb.xml should therefore not include entries
that match the default.
JPAV
8:52 a.m.
On Mon, 2010-07-19 at 09:14 -0500, John Verhaeg wrote:
One minor thing I'd point out: Since these are Boolean values
(and the
schema has already defined them as optional), the schema should also
provide a default value for each of the "allow" elements, and the
vdb.xml should therefore not include entries that match the default.
Agree.
All the "allow" elements have default value of "false". The security
model is to deny everything, if you need access you need to explicitly
turn it ON. Per JPAV comments providing a element like
<allow-delete>false</allow-delete>
is useless, and makes the "vdb.xml" file larger. If possible we should
avoid writing those types of elements. However it is necessary to write
these sometimes. For example, if user gave all access at table level and
want to turn off one explicit column, then you need to specify the
element with "false" to turn it off.
Ramesh..
10 a.m.
On Jul 19, 2010, at 8:52 AM, Ramesh Reddy wrote:
On Mon, 2010-07-19 at 09:14 -0500, John Verhaeg wrote:
However it is necessary to write
these sometimes. For example, if user gave all access at table level and
want to turn off one explicit column, then you need to specify the
element with "false" to turn it off.
Ah, that changes things a bit. Since the default value is context sensitive, that means
the schema should not be changed.
JPAV
5269
days inactive
5269
days old
4 comments
3 participants
participants (3)
-
Barry Lafond -
John Verhaeg -
Ramesh Reddy