Instance-level authorization...

Hi, I'm working on an application using TopLink. We connect to the database using an internal connection pool with a common user/password. We need to filter any results returned to the client based on the requesting user's authorizations, probably using an ACL with privileges, principals, etc. So, for instance, a query might return a list of Report objects but the user can only see a subset of the list. This application is not using EJB. Has anyone implemented something like this? I was thinking of either a custom-built solution within this application or extending JAAS.
Any suggestions would be greatly appreciated.
-Tim Watson

Yes, without VPD you will need to engineer some way to filter the data at the database level.
Potentially other fine-grained access control is available (database dependent), or you could create TopLink queries that filter directly based on the user that is executing them. For example, you could add an extra field to the selection criteria and provide the user-specific value in the row passed to executeQuery:
import java.util.Vector;
import oracle.toplink.expressions.Expression;
import oracle.toplink.expressions.ExpressionBuilder;
import oracle.toplink.queryframework.ReadObjectQuery;

// Build the caller's own criterion and AND it with a security predicate
// whose value is bound from the current user's role at execution time.
ReadObjectQuery roQuery = new ReadObjectQuery(IsolatedClass.class);
ExpressionBuilder builder = roQuery.getExpressionBuilder();
Expression expression = builder.get("name").equal(builder.getParameter("NAME"));
expression = expression.and(builder.getField("SEC_ROLE").equal(builder.getParameter("Sec_Role")));
roQuery.setSelectionCriteria(expression); // the expression must be attached to the query, or it is ignored
roQuery.addArgument("NAME");
roQuery.addArgument("Sec_Role");
// Argument values are positional and must follow the order of the addArgument calls
Vector arguments = new Vector(2);
arguments.add("Bob");
arguments.add(currentUser.getSecurityRole()); // currentUser: the authenticated principal held by the application
clientSession.executeQuery(roQuery, arguments);
--Gordon

Similar Messages

  • Row-/instance-based authorization

    Hi,
    I'm looking for ways to implement row-/instance-based authorization using TopLink 9.0.4+ and Oracle DB 9.2.0.4. The domain objects are represented by standard Java objects (POJOs), not entity beans.
    My question: what are well-known working approaches to implement this? How did you do that in a project using TopLink and POJOs?
    I guess Label Security/Virtual Private Databases would be interesting to consider. But I wonder if it's possible to use that with TopLink. Issues that I see right now:
    - how to propagate the credentials of the user to the database and still use connection pooling?
    - can TopLink generally make use of Label Security?
    Another approach would be to implement a JAAS extension following the lines of the article "Extending JAAS for class-instance authorization" http://www-106.ibm.com/developerworks/java/library/j-jaas/
    I expect this can easily result in a separate query per object, which probably results in atrocious performance.
    Or this could be implemented by an aspect. But still this would probably necessitate n+1 queries for n objects. In other words: this would still let the appserver do the constraining of results, while that is the right task for the database, of course.
    Your comments and advice are highly appreciated,
    Joost de Vries
    the Netherlands

    The main decision to make is whether to handle the instance-level security in the application or in the database.
    As you mentioned, there are many ways to handle security in the application.
    Oracle Database supports VPD and OLS for row-level security. The TopLink 10g 10.0.3 preview has added support for this; refer to:
    http://otn.oracle.com/products/ias/toplink/preview/index.html
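    Both threads above converge on the same design choice: put the per-user predicate into the query itself, so the shared pool connection only ever returns rows the principal may see, instead of fetching everything and checking each object in the application. The following added example (not code from either thread or from TopLink) shows that choice in Python with an in-memory SQLite table standing in for Oracle/TopLink: the `report` table, its `sec_role` column, the role names and the session dictionary are all constructed for the demonstration. It binds the role as a query parameter, keeps the role out of request input, and puts the query-level filter beside the post-filter and per-object (n+1) alternatives with a statement counter so the cost difference Joost raises is visible.

```python
"""Instance-level filtering in the query, not after it.

Added example (not from the thread). SQLite in memory stands in for
Oracle/TopLink; table, columns, roles and the session shape are constructed.
"""
import sqlite3
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Report:
    id: int
    name: str
    sec_role: str


def open_shared_connection() -> sqlite3.Connection:
    """Stand-in for the pooled connection shared by every application user."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE report (id INTEGER PRIMARY KEY, name TEXT, sec_role TEXT)")
    conn.executemany("INSERT INTO report VALUES (?, ?, ?)", [  # constructed sample rows
        (1, "Q1 sales", "sales"),
        (2, "Q2 sales", "sales"),
        (3, "Payroll", "hr"),
        (4, "Board pack", "exec"),
    ])
    conn.commit()
    return conn


def reports_for_role(conn: sqlite3.Connection, role: str,
                     name_pattern: Optional[str] = None) -> List[Report]:
    """Gordon's pattern: the caller's own criteria are ANDed with a security
    predicate, and the role is bound as a parameter, never concatenated into
    the SQL, so the shared DB user can only return rows for that role."""
    sql = "SELECT id, name, sec_role FROM report WHERE sec_role = ?"
    args: List[str] = [role]
    if name_pattern is not None:
        sql += " AND name LIKE ?"
        args.append(name_pattern)
    return [Report(*row) for row in conn.execute(sql, args)]


def reports_for_user(conn: sqlite3.Connection, session: Dict[str, str],
                     name_pattern: Optional[str] = None) -> List[Report]:
    """The role comes from the server-side session created at login
    (constructed shape: {"user": ..., "sec_role": ...}), not from request input."""
    return reports_for_role(conn, session["sec_role"], name_pattern)


def post_filtered(conn: sqlite3.Connection, role: str) -> List[Report]:
    """Application-side alternative: fetch every row under the shared DB user
    and drop the ones the principal may not see. Same result, but every row
    crosses the wire and any code path that skips the check leaks data."""
    rows = [Report(*r) for r in conn.execute("SELECT id, name, sec_role FROM report")]
    return [r for r in rows if r.sec_role == role]


def per_object_check(conn: sqlite3.Connection, role: str) -> List[Report]:
    """Joost's concern: one authorization query per object, n+1 statements in total."""
    ids = [row[0] for row in conn.execute("SELECT id FROM report")]
    allowed: List[Report] = []
    for rid in ids:
        row = conn.execute(
            "SELECT id, name, sec_role FROM report WHERE id = ? AND sec_role = ?",
            (rid, role)).fetchone()
        if row is not None:
            allowed.append(Report(*row))
    return allowed


def count_statements(conn: sqlite3.Connection, action: Callable[[], object]) -> int:
    """Count the SQL statements the connection runs while action() executes."""
    n = 0

    def trace(_statement: str) -> None:
        nonlocal n
        n += 1

    conn.set_trace_callback(trace)
    try:
        action()
    finally:
        conn.set_trace_callback(None)
    return n


if __name__ == "__main__":
    db = open_shared_connection()
    bob = {"user": "Bob", "sec_role": "sales"}  # constructed session
    print([r.name for r in reports_for_user(db, bob, "Q1%")])
    print("query-level statements:", count_statements(db, lambda: reports_for_role(db, "sales")))
    print("per-object statements:", count_statements(db, lambda: per_object_check(db, "sales")))
```

    The three functions return the same rows for a given role; what differs is where the decision is made and how many statements it costs. A role string that tries to smuggle SQL (`"sales' OR '1'='1"`) simply matches no row because it is bound, not spliced, which is the property Gordon's parameterised `Sec_Role` argument relies on.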

  • Field Level Authorization

    Hi Gurus,
    Can you explain to me how to proceed in relation to Field Level Authorizations in SAP HR? For instance, I want to restrict roles of individuals based on a field, for example restrict users based on the field Workschedule in IT 0007 (Planned Working Time).
    Regards,
    Happy

        " v_text carries the area name shown in the error message; declared here because the post left it undeclared
        DATA v_text TYPE string.
        " Row-level check on MOLGA (country grouping) with activity '03' (display)
        AUTHORITY-CHECK OBJECT 'S_TABU_LIN'
          ID 'ORG_CRIT' FIELD 'MOLGA'
          ID 'ACTVT' FIELD '03'
          ID 'ORG_FIELD1' FIELD '10'
          ID 'ORG_FIELD2' FIELD '*'
          ID 'ORG_FIELD3' FIELD '*'
          ID 'ORG_FIELD4' FIELD '*'
          ID 'ORG_FIELD5' FIELD '*'
          ID 'ORG_FIELD6' FIELD '*'
          ID 'ORG_FIELD7' FIELD '*'
          ID 'ORG_FIELD8' FIELD '*'.
        IF sy-subrc NE 0.
          MESSAGE e000 WITH 'No Authorization for area' v_text.
        ENDIF.
    Use the S_TABU_LIN authorization object for field-level authorizations.

  • Direct database data access without data level authorization check

    Hello,
    My customer raised an issue about direct database data access. Due to the customer's strong security policy, it shouldn't be allowed.
    To prevent this kind of illegal data access, the customer asked me to list all the possibilities to display data without a data-level authorization check.
    The things in my mind are
    SQL Command Editor (for Oracle based system) : ORASPACE, DB02, ST04
    Query Based : SQVI (Quick Viewer), SQ01/SQ02/SQ03 (SAP Query)
    Data Browser : SE11, SE12, SE16, SE16N, SE17
    Table Maintenance : SM30
    Function Module : RFC_READ_TABLE
    Function Module : DB_EXECUTE_SQL (DML)
    Does anyone know of anything which is not listed above?
    Thanks

    Hi,
        Generally in production users should not be given all these authorizations.
    Ram.

  • Organization level authorization restrictions

    Hello All,
    Please can you let me know
    1) if it is possible to have org-level authorization restrictions for CLM documents and master data without any development?
    - E.g. while creating suppliers, the user should only be able to create them for the Company assigned to the user id?
    2) What is the significance of the company and organization unit fields in the user account information page?
    Regards,
    Subramaniam Iyer

    Hi ,
    Could you share about your solution ? I think I have face the same problem as yours.

  • Tab Level Authorization

    In one of my applications I plan to give tab-level authorization. I used two-level tabs.
    For example, the sub tabs are like aa, bb, cc. I need to write the authorization schemes and I need to get the tab name dynamically here to show this tab for only a few users. This scheme will be selected for all the tabs.
    When I try with the :app_tab_id, :parent_tab_cells bind variables, it's not working properly. Can anyone suggest how I can refer to the tab name or tab label (like for a page we are using app_page_id)?
    Advance thanks for your help
    Balaji

    Balaji:
    I don't understand why you need to know the current-tab etc.
    Authorizations can be applied at the tab level declaratively (in the tab's definition).
    So, your authorization should simply be something like 'return true for user1, user2, user3...' and this authorization should be specified as the 'Authorization' in the tab's definition.
    Varad

  • Object level authorization for SLT Configuration schema in HANA DB

    Hi All,
    We have connected SLT with HANA DB (& ECC as source system).
    Now for certain users we wanted to restrict access to certain tables (tables owned by the SLT schema, i.e. the schema created in HANA DB with the configuration name provided in the SLT configuration).
    With the SYSTEM user, object-level authorizations on another schema are not possible, hence an error is thrown when we try to provide/control access to a single table for a user.
    Is it OK that we generate a password for the SLT schema and try to log in as the schema owner? Is that the best practice, or is there any other way around it?
    Regards,
    Kumar

    Hi Santosh,
    You can find more info about SLT Roles and Authorization from below security guide.
    http://help.sap.com/hana/SAP_HANA_Security_Guide_Trigger_Based_Replication_SLT_en.pdf
    Regards,
    V Srinivasan

  • "Low-level" authorizations for accessing BW reports - add users to role

    Using the advice in Topic "Low-level" authorizations for accessing BW reports, I have been able to publish a query to a role that has 3 test users and each user gets the same query but with different data, as determined in the tables.
    Is there a way to look up the users and e-mail addresses from a table and associate them to the role? We have several hundred e-mail recipients that will not need BW access, but only need an e-mail with a static report that contains data on their own territories.

    Hi!
    I think programmatically it might be complex. You have to maintain a separate variant of the report per user and use this variant to send mail. That means you need to maintain a variant and a Broadcast setting per user. Once maintained you can use it any number of times; the values will be recalculated every time.
    with regards
    ashwin

  • Is it possible to set character set at instance level?

    hi all,
    I have some confusion.
    Say my database character set is AL32UTF8,
    and I want to set the character set of the instance to WE8MSWIN1252.
    Is it possible to set the character set at instance level?
    Please reply with yes or no, and why?
    Thanks & Regards,

    Hi,
    It's database level. One good example would be when you try to change the character set or do a character set conversion by using "Csscan": you can check the log or report, which can guide you on what is happening. Instance - I think you might be referring to "Session".
    - Pavan Kumar N
    - ORACLE OCP - 9i/10g
    https://www.oracleinternals.blogspot.com

  • SM30 Field level authorization check

    Hi,
    I have a requirement to add the authorization check in SM30 for the company field in the custom table. Please suggest.
    Thanks,
    Gagan Chodhry

    Hi,
    I have this requirement for both types of tables, i.e. custom as well as standard. The tables have got the field profit center. I need to show the table based on the logged-in user's authorization to the profit center.
    If it is a custom table then, as mentioned by Siva, I heard there is a way to check the authorization in the PAI event, but when I tried to do a small test, I could get the field symbol with the values, but I was not able to skip that record for display.
    If anyone can send a sample or the way to skip the record based on the check.
    Also, is there any other way to add field-level authorization to custom and standard tables...
    Thanks,
    Gagan Chodhry

  • Need Instance level failover in Windows Azure

    Hi,
    I have Windows Azure and SQL Server 2008 R2. I need to incorporate instance-level failover (like Windows failover clustering). How do I configure a failover cluster in Windows Azure?
    Please don't recommend AlwaysOn, since it has only DB-level failover, but I need instance-level failover. Please recommend if there are any other alternatives other than Windows cluster failover.
    Thanks,
    Saravanan
    Please vote if you find this posting was helpful or Mark it as answered.

    Hi Durai,
    According to your description, the issue regards Windows Azure SQL Database. I will help you post the question in the Windows Azure SQL Database forums at
    http://social.msdn.microsoft.com/Forums/en-US/home?forum=ssdsgetstarted. It is appropriate and more experts will assist you.
    We need to verify whether you installed SQL Server in Windows Azure Virtual Machines; the High Availability and Disaster Recovery (HADR) solutions for SQL Server in Windows Azure Virtual Machines include AlwaysOn availability groups, database mirroring, log shipping, and backup and restore with the Windows Azure Blob Storage Service.
    Most SQL Server features are supported on Windows Azure Virtual Machines with some exceptions.
    However, SQL Server Failover Clustering is not supported.
    For more information, see:
    http://support.microsoft.com/kb/2721672/en-us
    Regards,
    Sofiya Li
    TechNet Community Support

  • Instance Based Authorization

    I am trying to find a way to access the instance of a Resource in an AuthorizationProvider
    in order to be able to determine if a specific user can access one instance of
    that resource.
    Example: my Resource is an EntityBean named TestEntityBean; the code is as follows:
    import javax.ejb.CreateException;
    import javax.ejb.EntityBean;

    public abstract class TestEntityBean implements EntityBean {
        // some default methods
        public java.lang.Long ejbCreate(Long key, String name) throws CreateException {
            System.out.println("TestEntityBean.ejbCreate");
            setSecurityid(key);
            setSecurityname(name);
            return getSecurityid();
        }
        // CMP field accessors; the container generates their implementation
        public abstract Long getSecurityid();
        public abstract void setSecurityid(Long securityid);
        public abstract String getSecurityname();
        public abstract void setSecurityname(String securityname);
        public void ejbPostCreate(Long key, String name) throws CreateException {
            System.out.println("TestEntityBean.ejbPostCreate");
        }
    }
    I am using CMP, and my DB is Oracle. When my authorization provider intercepts the request to getSecurityName() I can see:
    This defines my resource being used (aka my TestEntityBean and the method), but how can I find out what the EntityBean content is? i.e., for example, how can I define what the primary key of this object is?
    If I am offline, would you have recommendations on how to implement an instance-based authorization model? (ref to articles...?)
    Thank you

    This is what the AuthorizationProvider named MmlFileAuthorizationProviderImpl gives me:
    MmlFileAuthorizationProviderImpl.isAccessAllowed
    subject = Subject:
    Principal: user1
    Principal: myGroup
    Principal: developers
    Principal: mySecondGroup
    Private Credential: principals=[user1, myGroup, developers, mySecondGroup]
    roles = Anonymous,writer_user,reader_user,creator_user
    resource = type=<ejb>, application=_appsdir_mml_ear, module=testsecurity.jar, ejb=TestEntityEJB, method=getSecurityname, methodInterface=Local, signature={}
    direction = ONCE
    handler = weblogic.ejb20.internal.DummyContextHandler@1c32369
    MmlFileAuthorizationProviderImpl.isAccessAllowed
    subject = Subject:
    Principal: user1
    Principal: myGroup
    Principal: developers
    Principal: mySecondGroup
    Private Credential: principals=[user1, myGroup, developers, mySecondGroup]
    roles = Anonymous,writer_user,reader_user,creator_user
    resource = type=<ejb>, application=_appsdir_mml_ear, module=testsecurity.jar, ejb=TestEntityEJB, method=getSecurityname, methodInterface=Local, signature={}
    direction = ONCE
    handler = weblogic.ejb20.internal.EJBContextHandler@1372a7a
    Resource hashcode: -1318771256
    ID: 2145579658558124
    Type: <ejb>
    Keys[0]: application
    Keys[1]: module
    Keys[2]: ejb
    Keys[3]: method
    Keys[4]: methodInterface
    Keys[5]: signature
    Values[0]: appsdirmml_ear
    Values[1]: testsecurity.jar
    Values[2]: TestEntityEJB
    Values[3]: getSecurityname
    Values[4]: Local
    Values[5]: {}
    Looking for policy for resource(type=<ejb>, application=_appsdir_mml_ear, module=testsecurity.jar, ejb=TestEntityEJB, method=getSecurityname, methodInterface=Local, signature={})
    I get all the information about the resource, i.e. which entity bean object is being used, but I cannot get access to any of the bean information, and this is what I need to enable instance-based authorization for this bean.
    Basically, how else can I say:
    User Paul can do anything with this TestEntityBean being object "123"?
    User John can only read the TestEntityBean "123" but can access and write in all other TestEntityBean beans?
    Am I making sense? Can anyone help?

  • Database Level Tracing or Instance Level Tracing

    Hello,
    How do I know whether database-level tracing or instance-level tracing is enabled? This is on 10g R2.
    Thanks,
    R

    I am not sure that I have heard about instance-level tracing, but normally tracing is enabled either through the sql_trace parameter set in the parameter file or through some trace event. So you need to check your parameter file for any such setting.
    HTH
    Aman....

  • Multiple Level authorization

    Hi I am using OBIEE 11.1.1.5.
    I want to set row-level security, and also with multiple levels. For example, I have one sales dashboard: if I have entered using a sales person id then the dashboard shows the sales details for that particular salesman; if I have entered as a zonal sales manager then the dashboard shows the details of the salesmen under my zone; and if I have entered the dashboard using the regional sales id I am able to view all the regional information. How can I achieve this?
    For single-level authorization I can use row-level security, but for multiple levels how is it possible?
    Regards
    Gauthaman

    You can set up an initialization block to set up values for three variables.
    1) GROUP
    2) LEVEL or COLUMN_NAME
    3) COLUMN_VALUE
    In your single-level authorization you initialize only variables 1 and 3; here initialize the second one also and use it in the filter clause,
    like COLUMN_NAME = COLUMN_VALUE

  • 0PLANT Level Authorizations

    Hi Gurus,
           I have a query regarding object-level authorizations, i.e. I have created one query with the variable Plant; now I need to roll out the single query to all plants and the respective person should only be able to view their plant values. So I need to make 0PLANT authorization relevant; for that I use the RSSM t-code, but there I am not able to see the 0PLANT object. Please, for object-level authorizations, how can I proceed...
    Regards
    Jagadeesh.M

    Hi Anil,
        I did the following steps; please go through them once and suggest me.
    1. Change 0PLANT to Auth Relevant in the object.
    2. In the RSSM t-code create a Z_plant, select 0PLANT and the infocube and query objects, and save it.
    3. Then go back to RSSM and check the infoprovider.
    4. Create an Auth variable in BEx.
    5. Assign that query to the user role, and in that role select the Auth object and mention the plant and cube and query name.
    6. Generate the roles.
    Then execute using that user, but it is executing for all plants and I need to restrict it to a single one.
    Please treat it as urgent and give me any missing steps...
    Thank you Anil...
    Regards
    Jagadeesh.m
