[teiid-issues] [JBoss JIRA] (TEIID-2311) Add simple row based security to data roles

Ramesh Reddy (JIRA) jira-events at lists.jboss.org
Fri Jul 26 07:49:26 EDT 2013


    [ https://issues.jboss.org/browse/TEIID-2311?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12793165#comment-12793165 ] 

Ramesh Reddy commented on TEIID-2311:
-------------------------------------

See https://docs.jboss.org/author/display/TEIID/XML+Definition if you are working with Dynamic VDBs.

Also, tooling support for this feature is available from version 8.2 Alpha2 or greater. Just go to the VDB explorer window, where you define the data roles, and you will be able to define the conditions there too.

> Add simple row based security to data roles
> -------------------------------------------
>
>                 Key: TEIID-2311
>                 URL: https://issues.jboss.org/browse/TEIID-2311
>             Project: Teiid
>          Issue Type: Feature Request
>          Components: Query Engine
>    Affects Versions: 8.2
>            Reporter: Steven Hawkins
>            Assignee: Steven Hawkins
>             Fix For: 8.3
>
>
> A common request is to implement row based security.  The common workaround of modifying transformations is generally not a good solution.
> We should look at adding support for simple table filters and column masks.
> To be effective, filtering permissions however would have to act differently than normal data roles.  They would need to be applied all the time - and not just against the end user queries.
> For example, for tables:
>  <permission>
>    <resource-name>SCHEMA.TABLE</resource-name>
>    <filter>COLUMNA=2</filter>
>  </permission> 
> Meaning allow the CRUD of the given row only if COLUMNA has the value of 2.  Any valid predicate against just the referenced table would be allowed as a filter.  Each such permission would be applied as an additional predicate any time the table is referenced (in views, inserts, updates, deletes, etc.).  
> Allows would not be specified here as we want the filter to always specify inclusion.  Any applicable permissions in additional roles would be applied disjunctively - filter OR filter.  
> We could possibly support column masks via case expressions, such as:
>  <permission>
>    <resource-name>SCHEMA.TABLE.COLUMN</resource-name>
>    <mask>CASE WHEN ...</mask>
>  </permission> 
> However this is slightly more complicated.  Presumably the mask would only apply to projection and makes more sense to be applied at the final output/user query (more like a data role).  
> If we work the issue to specify the object type of a permission, then the name could alternatively refer to datatype or even an extension property to make the masking a little easier.

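An added example, not part of the JIRA message or Teiid's own code: a small sqlite3 model of the filter semantics the issue describes, where each filter is applied as an extra predicate on every reference to the table and filters from several roles are combined with OR. The role names, sample rows, the `SCHEMA_TABLE` spelling and the behaviour when no role defines a filter are assumptions.

```python
import sqlite3

# Constructed roles: table -> filter, standing in for <resource-name>/<filter>
# pairs. Filters are administrator-defined text, never end-user input.
ROLE_FILTERS = {
    "region_two": {"SCHEMA_TABLE": "COLUMNA = 2"},
    "owners": {"SCHEMA_TABLE": "OWNER = 'alice'"},
    "reporting": {},  # role with no filter on the table
}

def effective_filter(table, roles):
    """OR together every filter the caller's roles define for `table`."""
    preds = [ROLE_FILTERS[r][table] for r in sorted(roles)
             if table in ROLE_FILTERS.get(r, {})]
    # Assumption: with no applicable filter the table is referenced unchanged.
    return " OR ".join(f"({p})" for p in preds) if preds else None

def guarded(table, roles):
    """FROM-clause fragment substituted for every reference to `table`."""
    pred = effective_filter(table, roles)
    return table if pred is None else f"(SELECT * FROM {table} WHERE {pred}) AS {table}"

def make_db():
    """In-memory table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE SCHEMA_TABLE (ID INTEGER, COLUMNA INTEGER, OWNER TEXT)")
    conn.executemany("INSERT INTO SCHEMA_TABLE VALUES (?, ?, ?)",
                     [(1, 2, "bob"), (2, 3, "alice"), (3, 3, "bob"), (4, 2, "alice")])
    return conn

def select_ids(conn, roles, min_id=0):
    """User query; the filter is wrapped around the table, not left to the caller."""
    sql = f"SELECT ID FROM {guarded('SCHEMA_TABLE', roles)} WHERE ID >= ? ORDER BY ID"
    return [row[0] for row in conn.execute(sql, (min_id,))]

def delete_row(conn, roles, row_id):
    """Deletes get the same predicate ANDed in, so filtered-out rows are untouchable."""
    pred = effective_filter("SCHEMA_TABLE", roles) or "1=1"
    return conn.execute(f"DELETE FROM SCHEMA_TABLE WHERE ID = ? AND ({pred})",
                        (row_id,)).rowcount

if __name__ == "__main__":
    db = make_db()
    print(select_ids(db, {"region_two"}))
    print(select_ids(db, {"region_two", "owners"}))
    print(delete_row(db, {"region_two"}, 3))
```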