4.6.5 VPM Example

Walkthrough

In the following example, you will create a VPM that implements the following restrictions:

The 'customer_id' column in the 'customers' table will be hidden from all users except those with the 'Administrator' role.

Information about California customers will be hidden from all users except those with the 'CASalesDept' role.

A security provider is required in order to use VPM security. See Specifying a Security Provider in Administration Reference for more information.

To begin, create a new user and role in your security model. (If you are using the default security provider, do this from within Enterprise Manager. See Creating and Editing Roles in Administration Reference for instructions.)

1. Create a new role called “CASalesDept”. Users who are assigned this role will have access to information about all of the customers in the state of California.

2. Create a new user “Eric,” and assign him the role of “CASalesDept”.

You will now define a VPM that operates on the 'customers' table. It will hide the 'customer_id' field from users who do not have the 'Administrator' role, and hide California customer information from users who do not have the 'CASalesDept' role.

3. Open the Asset panel, and expand the 'Data Source' node.

4. Right-click the 'Orders' node, and select 'Add Virtual Private Model' from the context menu. This opens the 'Virtual Private Model Wizard'.

5. Name the new VPM “Customers”. Notice that a short description for the VPM can also be added in this wizard.

 

6. Click on the 'Finish' button. This opens the new VPM for editing.

7. Click the Conditions tab at the bottom of the VPM editing panel.

8. Click on the 'New' button. This opens the 'New Condition' dialog.

9. Name the new condition “NotCA” and click on the 'OK' button.

 

10. Click the 'Choose Table' button. This opens the 'Select Table' dialog box.

 

11. Select the 'SA.customers' table and click on the 'Finish' button.

12. Specify the following condition and click the 'Append' button:

[sa.customers.state] [is not] [equal to] ['CA']

 

13. Click the Trigger tab and add the following script:

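// Start from the condition defined on the Conditions tab.
var newcond = condition;
// Check every role assigned to the current user.
for(var i = 0; i < roles.length; i++) {
  if(roles[i] == 'CASalesDept') {
    // CASalesDept users get no state filter.
    newcond = "";
    break;
  }
}
// newcond is the condition that results from the script.
newcond;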

 

This script tests all of the roles assigned to the current user. If one of these roles is 'CASalesDept', then the condition specified earlier (and provided to the script as the variable 'condition') is replaced with an empty string, indicating a null condition. The effect is that no state filtering occurs for a user with the role 'CASalesDept'.

To achieve the same result without using a trigger script, join (“and”) the following clause to the original condition: [Roles] [is not] [equal to] ['CASalesDept']. (To select the 'Roles' option in the left-menu, first choose the 'Session Data' option from the adjacent pop-up menu.)

 

14. Select the Hidden Columns tab.

15. Select the 'sa.customers.customer_id' field from the list of 'Available Columns' and click on the right-arrow button to add the field to the list of 'Hidden Columns'.

16. Select 'Administrator' from the list of 'Available Roles' under 'Grant access to'. Click the right-arrow button to grant permission to the 'sa.customers.customer_id' field to all users having role 'Administrator'.

 

17. Click the Lookup tab (at bottom) and notice that the 'SA.customers' table is included in the list of lookup tables. All tables having conditions or hidden columns will appear in this list.

18. Click the Test tab (at bottom), and select 'Role'.

19. Select 'Administrator' from the list of roles and click on the 'Test' button. Users with the 'Administrator' role do not see California data because of the 'customers.state' condition. However, because no hidden columns are listed here, they are able to see the 'customers.customer_id' field.

 

20. Now select 'CASalesDept' from the list of roles and click on the 'Test' button. Users belonging to this role do not have the 'customers.state' condition applied to their query. This is because of the condition trigger script. However, the 'customers.customer_id' column is hidden from all of these users.

 

21. Select the 'User' button, and choose 'Eric' from the user list. Click 'Test' and confirm that Eric's permissions are the same as those for the role of 'CASalesDept' because Eric has been assigned this role.

22. Select the 'Role' button again. Choose 'Everyone' from the role list and click on the 'Test' button. Notice that the 'customers.state' condition as well as the 'customers.customer_id' hidden column are applied to queries from users having this role.

 

23. Click on the 'Save' button on the Style Studio toolbar to save the changes made to this VPM.
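
The results expected in steps 19 to 22 can be written down as a small offline model, which is useful as a checklist when re-testing the VPM after role assignments change. This is an added example, not InetSoft code: 'effectivePolicy', 'applyVpm', the 'vpm' object and the sample rows are constructed for illustration, and only 'conditionTrigger' reproduces the step 13 script.

```javascript
// Added example: standalone model of the "Customers" VPM built in this walkthrough.
// effectivePolicy, applyVpm, vpm and sampleRows are hypothetical names, not product APIs.

// The trigger script from step 13, wrapped in a function so it can run offline.
function conditionTrigger(condition, roles) {
  var newcond = condition;
  for (var i = 0; i < roles.length; i++) {
    if (roles[i] == 'CASalesDept') { newcond = ""; break; }
  }
  return newcond;
}

const vpm = {
  condition: "sa.customers.state <> 'CA'",      // step 12, rendered as text
  hidden: { customer_id: ['Administrator'] },   // steps 15-16: column -> roles granted access
};

// Resolve the row condition and hidden columns that apply to a set of roles.
function effectivePolicy(roles) {
  const hiddenColumns = Object.keys(vpm.hidden)
    .filter(col => !vpm.hidden[col].some(r => roles.includes(r)));
  return { condition: conditionTrigger(vpm.condition, roles), hiddenColumns };
}

// Apply the policy to rows. The only condition modelled is the state filter:
// an empty condition means no filtering, anything else drops 'CA' rows.
function applyVpm(rows, roles) {
  const policy = effectivePolicy(roles);
  return rows
    .filter(row => policy.condition === "" || row.state !== 'CA')
    .map(row => Object.fromEntries(
      Object.entries(row).filter(([col]) => !policy.hiddenColumns.includes(col))));
}

// Constructed sample data.
const sampleRows = [
  { customer_id: 1, company: 'Acme', state: 'CA' },
  { customer_id: 2, company: 'Globex', state: 'NJ' },
];

// Roles tested in steps 19-22, plus a user who holds both privileged roles.
for (const roles of [['Administrator'], ['CASalesDept'], ['Everyone'],
                     ['Administrator', 'CASalesDept']]) {
  console.log(roles.join('+'), JSON.stringify(applyVpm(sampleRows, roles)));
}
```

In this model a user holding both 'Administrator' and 'CASalesDept' sees every row and every column, so role assignments should be reviewed together with the VPM.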

© 1996-2013 InetSoft Technology Corporation (v11.5)