===== configure Row Level Security (RLS) feature =====

Row level security feature is a catalog-object level setting which is an additional row-level filter applied on the instances of the catalog object. This feature is based on tokens. Tokens are assigned with user-groups - token values are defined in this relationship. That means each user-group can have different values for the same token name. Tokens are also assigned with catalog objects - more catalog objects can share the same token. RLS token value became a part of the WHERE clause of the SELECT statement behind the grid.

If more RLS tokens are defined for the same catalog object then those are joined with **AND** keyword.

Numeric, textual type and NULL value RLS token settings are applied. If a token value assignment contains more data types then it is treated as invalid. Numeric values must be written between round brackets. E.g.: (1234). If a number is defined without round brackets then it is treated like a string. NULL value is indicated by ~ (tilde) character.

**Tokens in the meta db tables:**

//et_security_token// [tokenname, description, token_type, ind_active]

**Token assignment with user-groups**

Note: token values are defined in this table.

//et_usergroup_token// [usergroupname, tokenname, tokenvalue, description, ind_active]

**Token assignment with catalog objects**

//et_catalog_object_column_prop// [catalog_id, column_name, ..., token_name_rls, ind_active_rlstoken]


**Sample configuration:**

et_security_token
^ tokenname      ^ description     ^ token_type         ^ ind_active     ^
| COUNTRY        | country RLS   | 0                    | 1              |

Value token_type = 0 stands for RLS token type.

et_usergroup_token 
^ usergroupname   ^ tokenname         ^ tokenvalue       ^ description                        ^ ind_active     ^
| my-group       | COUNTRY            | AU                | string definition                 | 1              |
| my-group       | COUNTRY            | HU                | string definition                 | 1              |
| my-group       | ITEMID             | (1234)            | numeric definition                | 1              |
| my-group       | NUMBERASSTR        | 1234              | number will be treated as string  | 1              |
| my-group       | NULLRLS            | ~                 | null definition                   | 1              |

et_catalog_object_column_prop
^ catalog_id      ^ column_name     ^ token_name_rls         ^ ind_active_rlstoken     ^
| 1000            | country_code   | COUNTRY                 | 1              |

Configuration upwards leads to a SELECT stmt like this if the user is part of //my-group//:

SELECT country_code, ... FROM <db objet of catalog id 1000> WHERE **(country_code in ('AU', 'HU'))** ...;

Sample stmt with tokens COUNTRY and ITEMID applied:

SELECT country_code, item_id, ... FROM <db objet of catalog id 1000> WHERE **%%(%%(country_code in('AU')) AND (item_id = 1234)%%)%%** ...;