niota

Row level security feature is a catalog-object level setting which is an additional row-level filter applied on the instances of the catalog object. This feature is based on tokens. Tokens are assigned with user-groups - token values are defined in this relationship. That means each user-group can have different values for the same token name. Tokens are also assigned with catalog objects - more catalog objects can share the same token. RLS token value became a part of the WHERE clause of the SELECT statement behind the grid.

If more RLS tokens are defined for the same catalog object then those are joined with AND keyword.

Numeric, textual type and NULL value RLS token settings are applied. If a token value assignment contains more data types then it is treated as invalid. Numeric values must be written between round brackets. E.g.: (1234). If a number is defined without round brackets then it is treated like a string. NULL value is indicated by ~ (tilde) character.

Tokens in the meta db tables:

et_security_token [tokenname, description, token_type, ind_active]

Token assignment with user-groups

Note: token values are defined in this table.

et_usergroup_token [usergroupname, tokenname, tokenvalue, description, ind_active]

Token assignment with catalog objects

et_catalog_object_column_prop [catalog_id, column_name, …, token_name_rls, ind_active_rlstoken]

Sample configuration:

et_security_token

Value token_type = 0 stands for RLS token type.

et_usergroup_token

et_catalog_object_column_prop

Configuration upwards leads to a SELECT stmt like this if the user is part of my-group:

SELECT country_code, … FROM <db objet of catalog id 1000> WHERE (country_code in ('AU', 'HU')) …;

Sample stmt with tokens COUNTRY and ITEMID applied:

SELECT country_code, item_id, … FROM <db objet of catalog id 1000> WHERE ((country_code in('AU')) AND (item_id = 1234)) …;