We are looking to enforce row-level security in our model.
Just to give more details:
We have users that belong to a certain ERP. We want to give permissions to users so that they can edit only rows/records that belong to their ERP System Code.
As you can see, the parent entity, Entity A, which is at product-ERP System Code level, has an ERP System Code. We intend to leverage that to ensure that a user is able to edit only records for the ERP System Code to which the user is assigned.
We intend to create a role for each ERP System and assign users to these roles. Our plan is to use the 'Model Variables' to get the role assigned to a user and use that to know the ERP System Code that a user is allowed to edit (a table in the schema maps a role to an ERP System Code).
Our question:
a) Can we use the relationship between parent and child to enforce similar row-level security, so that even in Child Entity B and in Entity C the user is restricted to modifying only the child records of rows which belong to the ERP System Code he is entitled to modify?
Or do we need to add a field 'ERP System Code' in each of the child entities too if we are looking to leverage the ERP System Code value to enforce row-level security?
b) Will this approach (of model variables) work even if a user is potentially assigned to multiple roles and hence has multiple ERP codes whose rows he can modify?
To rephrase, can the model variable store more than one value and, behind the scenes, apply the conditions in the SQL as an IN statement instead?
Thanks for the help.
Best Answer
Bharat Joshi said 9 months ago
Hello Sumit
Instead of using a model variable, you can achieve this directly by just adding the below SemQL condition in the filter of your entity privileges.
And to answer your first question: yes, you need to add the filter in the child entity as well to enable the accessibility.
2 people like this
Sumit Chandra said 9 months ago
Hi Bharat -
Thanks for the response. Very helpful indeed, and we will look into it.
I have another question.
While defining a SemQL condition in the filter of entity privileges, is it possible to refer to a field of another entity?
For example:
Can I write something along the lines below, where I am restricting fields of a child based on IDs of the parent? The IDs of the parent are restricted based on a condition.
Thanks for your time again.
Sumit Chandra said 9 months ago
Hi Bharat
I think the answer is Yes.
I see that parent fields are available to expand and use.
Bharat Joshi said 9 months ago
Hi Sumit
Yes, that is very much possible. In my first reply I have shown the screenshot where the parent attribute is used in the child entity for restriction.
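The rule discussed in this thread, modelled in plain SQL through Python's sqlite3 as an added example; it is not from the posts and is not SemQL or Semarchy xDM configuration. All table, column and role names are constructed. It shows rows of Entity B and Entity C being filtered through the parent's ERP System Code, and a user holding several roles handled with an IN subquery over the role-to-ERP mapping table.

```python
import sqlite3

# Constructed schema modelling the thread: Entity A carries the ERP System Code,
# Entity B is a child of A, Entity C is a child of B (hypothetical names and data).
SCHEMA = """
CREATE TABLE role_erp (role TEXT, erp_code TEXT);
CREATE TABLE entity_a (id INTEGER PRIMARY KEY, erp_code TEXT);
CREATE TABLE entity_b (id INTEGER PRIMARY KEY, a_id INTEGER REFERENCES entity_a(id));
CREATE TABLE entity_c (id INTEGER PRIMARY KEY, b_id INTEGER REFERENCES entity_b(id));
INSERT INTO role_erp VALUES ('ROLE_SAP','SAP'),('ROLE_JDE','JDE'),('ROLE_ORA','ORA');
INSERT INTO entity_a VALUES (1,'SAP'),(2,'JDE'),(3,'ORA');
INSERT INTO entity_b VALUES (10,1),(20,2),(30,3);
INSERT INTO entity_c VALUES (100,10),(200,20),(300,30);
"""

# Join path from each entity (alias t) to the Entity A row (alias a) holding erp_code.
JOINS = {
    "entity_a": "entity_a t JOIN entity_a a ON a.id = t.id",
    "entity_b": "entity_b t JOIN entity_a a ON a.id = t.a_id",
    "entity_c": "entity_c t JOIN entity_b b ON b.id = t.b_id JOIN entity_a a ON a.id = b.a_id",
}

def demo_db():
    """In-memory database loaded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def editable_ids(conn, entity, roles):
    """Ids of `entity` rows the caller may edit, given every role it holds."""
    if entity not in JOINS:      # entity name comes from an allow-list, not from user input
        raise ValueError(f"unknown entity: {entity}")
    if not roles:
        return []                # no role means no rows: fail closed
    marks = ",".join("?" * len(roles))   # one bound parameter per role
    sql = (
        f"SELECT t.id FROM {JOINS[entity]} "
        "WHERE a.erp_code IN "
        f"(SELECT erp_code FROM role_erp WHERE role IN ({marks})) "
        "ORDER BY t.id"
    )
    return [row[0] for row in conn.execute(sql, list(roles))]

def can_edit(conn, entity, row_id, roles):
    """True only if the row's parent ERP System Code is covered by one of the roles."""
    return row_id in editable_ids(conn, entity, roles)
```

The child tables carry no ERP code column of their own; the filter is still declared once per entity, each with its own path to the parent.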