I have question related to business rules. Let's have a entity Account with some properties (amount, name, type etc.) on which we define business rules.
I store my rules in database table as follows
Rule_id | Field | Operator | value .
Rule can be like , amount > 1000, name ="abc", type="x" etc.
Rules are grouped and mapped to a user.
Account are created in system, and admin has to approve them. When admin login based on his rule set, admin should see relevant accounts.
Like if admin rule set is amount>500, then any account less 500 is not shown to him.
My question is best way to implement it in database, how to query so that relevant accounts can be fetched depending on underlying rule set.
create a user table something like this
users
userId | Username | UserType | Rule_id
when a user log-in, join the user table with rule table on Rule_id
and generate the condition using a query like this
select 'Select * from Account where '+Field+Operator+value from rules
where Rule_id=1
The result of this query will give another sql query on executing the same will fetch the accounts that are accessible for that user
result of the above query
Select * from Account where amount>1000
What you describe is quite similar to Oracle's Fine-Grained Access Control (AKA Virtual Private Database). This is primarily a security tool, but it could be used to enforce generic business rules. Find out more.
Even if you choose not to use FGAC (or can't because you don't have Enterprise Edition) it will give you some hints about how to implement a solution: use sys_context and namespaces to hold the rules, and views referencing sys_context functions to enforce them.
Related
Given my tabular model, I'm attempting to write a measure that changes behavior, depending upon which role the effective user belongs to. This isn't traditional row-level security (RLS) since I'm not trying to filter by role; just do an if-else, instead.
I've come across the following solution at https://community.powerbi.com/t5/Desktop/DAX-Expression-For-Role-Level-Security-Using-DirectQuery/td-p/489699, which I believe will work, but I'd prefer querying active directory to see if the user belongs to said role, rather than another table on the model.
I've also seen some articles (i.e. https://community.powerbi.com/t5/Desktop/How-to-leverage-Active-Directory-to-filter-the-data-in-Power-BI/td-p/140479) about getting attributes from active directory for Power BI, but nothing that exposes the DAX being used.
Bottom line, if I could get a role name in DAX or call a function to check if the user is in a role, I'd be golden (assuming performance isn't compromised).
Edit: I should add that I'm currently leveraging one of three functions to get the user. USERNAME(), USEROBJECTID(), and USERPRINCIPALNAME().
I ended up giving up on leveraging active directory and did what it appears everyone else is doing (as seen in one of the links posted in my question).
For reference, here's a snippet that illustrates the solution:
EVALUATE
SUMMARIZECOLUMNS (
"Some Measure",
IF (
LOOKUPVALUE('My User'[UsePrivilegedValue], [Name], USERNAME()),
SUM('Some Fact'[PrivilegedValue]),
SUM('Some Fact'[OtherValue])
)
)
I have a BSO cube and it's Org hierarchy is set like below:
Org:
totalUS
US
US retail
Us non retail
A1
B1
C1
D1
D_001
the user group should only see data for #IDescendants(US non retail) and Idescendants(D1).The user wants totalus hidden too.
My Maxl script is:
grant read on database 'Test'.'Test' to group 'Test';
create or replace filter 'Test'.'Test'.'MetaTest'
meta_read on '#IDESCENDANTS ("US non retail"),#IDESCENDANTS("D1")' ;
grant filter 'Test'.'Test'.'MetaTest' to group 'Test';
Still my Smart view pull shows data and member name for totalus,totalus is sibling of A1,B1,C1,D1.
Please help me!
You need to change your filter to disallow access to the #IDESCENDANTS("TotalUS") and then have the metaread. Just because the metaread focuses on a different hierarchy doesn't mean that you've addressed the other elements in the hierarchy, which is what you need to do. The Essbase admin guide talks about some of the fundamentals of filters, including this.
In a multiple decision profile scenario I want to create a policy for a particular Tenant and for the root resources like Customer. Here my scenario is like I have a Tenant T1 and Tenant T1 is allowed to access Root resource Customer. Customer is the Top level resource and it will contain sub child resources like: Sub-Resources: name, email. In my scenario how can i create a policy so that i can enforce multiple rules for each sub resources like:
Rule-1:
Admin Permit access to resource-
{name: create,read,update,delete},
{email: create,read,update,delete}
Rule-2:
Employee Permit access to resource-
{name: read,update},
{email: read}
Please share the policy structure and the Request format for the same.
In the request format i want to pass only the Tenant Id and the Root level resource Customer .
In this scenario, what you would want to do is pass in the field id you are interested in.
The request would be: "Can Alice view the name field of customer record #123"?
You could express this as a multiple decision request e.g.:
"Can Alice view the name, email, and job title fields of customer record #123"?
Either way your policy would be field-centric. It would protect a given field or set of fields. You could actually define a set of non-sensitive fields and a set of sensitive fields. You could also even write the policy in terms of field metadata. Instead of saying "a user can view field 'email'", you could write "a user can view a field if the user's clearance > field's sensitivity".
Alternatively, you could also use Reverse Query - that's specific to Axiomatics' APIs though. Reverse Query lets you do the following type of requests / responses:
Q: list the fields Alice can view
A: name, email
I can succesfully authenticate my application with ApacheDS
But now i use only one domain.
I want to add subdomains or sub organizations under root domain.
For example a root organization as
dc=example,dc=com
and sub organizations dc=x
another sub organization dc=y
Now i can authenticate users using uid attribute
like:
user-search-filter="(uid={0})"
i use login name like user1, without an # extension
But i want to have suborganizations and i want to use user1#x.example.com
Is it possible and how?
My application is a spring application but i think subject is independent from my application side.
The attribute defined in the LDAP standards track for email addresses is mail, rfc822mailbox, or 0.9.2342.19200300.100.1.3 as defined in RFC4524. Perhaps your filter should be an attribute assertion using one of those types, for example, user-search-filter="mail={0}".
I am not sure what is meant by "manually". LDAP does not have a concept of organizations, only entries that might belong to an organization. These entries might have a mail attribute if the entry belongs to an objectClass that allows or requires the mail attribute. In other words, if your filter is mail={0} (which might become mail=user1#x.example.com), then a search using that filter (given the appropriate base object and scope) will return all entries that have a mail attribute with the value user1#x.example.com irrespective of where that user is located and irrespective of the value of the uid attribute.
If the users in an organization can identified some other way, perhaps by organization or other attribute, then the filter could be:
(&(uid={0})(o=x))
or
(&(uid={0})(o=y))
One way or another, the users' entry must be identifiable by the contents of the entry. The primary key in an LDAP database is the distinguished name (uid=abc,dc=x,dc=example,dc=com) but attributes in the entry can be used to tighten the filter. Some alternatives are:
use unique identifiers (all uid or mail values are unique in the database, therefore, only one is ever returned to a search request)
use an attribute to identify users in an organization (like o in the example filters above)
use a dynamic group to generate a list of users in an organization.
consider using an extensible match filter to make values in the distinguished names be part of the filtering process
see also
using ldapsearch - the article is about the ldapsearch command line tool, but the concepts are useful when constructing search requests
mastering search filters
It's fairly obvious how to model a database table that would act as an access control list (ACL) when you're just dealing with discrete users who have some level of access to a discrete resource. Something like this:
TABLE acl (
user_id INT,
resource_id INT,
access_type INT
)
... where access_type is a number representing something like:
0 (or lack of record for user_id and resource_id) means no access
1 means read-only
2 means full control
However it starts getting trickier when you've got scenarios like users can be a member of one or more groups and groups can contain other groups. Then a resource could be a folder that contains other resources.
Other than the obviously poor approach of doing a whole bunch of recursive queries at runtime to determine the level of access a user should have to a resource, how do these scenarios tend to get handled? Are there commonly-accepted designs for modelling an ACL like this?
Are you using a DB with support for connect by, or something similar?
In oracle, I've implemented the following.
Table Group //Just the parent groups
{
groupCode varchar
groupDesc
}
Table groupMap //associates groups with other groups
{
parentGroup
childGroup
}
table userGroup //can assign user to more than one group
{
userId
groupCode
}
then use connect by to get all child groups for user
SELECT rm.CHILDGroup as roleCode
FROM groupMap rm
CONNECT BY PRIOR rm.CHILDGroup = rm.PARENTGroup
START WITH rm.CHILDGroup in
(SELECT ur.groupCode
FROM userGroup ur
WHERE ur.userId = &userId);
This query will get all the groups that were assigned to the user in userGroup and all the child groups assigned to the groups that the user belongs to.
Spring ACL is a solid implementation of ACL with inheritance for java. It is open source so I would check it out if it is what you are looking for.