Closed

Column based authorization

Related products: Software Factory

Dennis van Leeuwen
Hero

My idea is to create the possibility to authorize a role column-based from the Software Factory, and I'll explain why.

 

For example, there is a role to add and manage the employee data, including sensitive data such as the citizen service number (BSN). We also created a role EMPLOYEE_read, assigned to all employees, as a face book function in the system. In the GUI, columns like BSN and partner data are hidden, but a role will always have "No rights" or "Full read rights" on a table. The disadvantage is that users could read the table in its entirety from SSMS.

 

Role "EMPLOYEE_read" shouldn't reach sensitive data from the SSMS

 

Database role is created with select permissions

 

The SF knows the column rights of a role (same as the GUI), so when the GRANT SELECT on the table is expanded with the columns, the database rights are always the same as the GUI rights.
 

Desired situation where a user with the role "EMPLOYEE_read" can't read the columns BSN and Salary.
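The difference between the table-level grant and the requested column-level grant, as an added T-SQL example; it is not part of the original post and is not code generated by the Software Factory. The table `dbo.employee`, its non-sensitive columns and the user `demo_reader` are assumptions made for illustration; only the role name and the BSN and Salary columns come from the post.

```sql
-- Constructed demo table; every name except the role, bsn and salary is an assumption.
CREATE TABLE dbo.employee (
    employee_id int           NOT NULL PRIMARY KEY,
    name        nvarchar(100) NOT NULL,
    department  nvarchar(50)  NULL,
    bsn         char(9)       NULL,   -- sensitive
    salary      decimal(10,2) NULL    -- sensitive
);
INSERT INTO dbo.employee
VALUES (1, N'Test Person', N'Sales', '000000000', 1234.00);  -- constructed row

CREATE ROLE EMPLOYEE_read;
CREATE USER demo_reader WITHOUT LOGIN;            -- hypothetical test user
ALTER ROLE EMPLOYEE_read ADD MEMBER demo_reader;

-- Current situation: a table-level grant. Hiding columns in the GUI does not
-- limit a direct query from SSMS, which can select every column.
GRANT SELECT ON dbo.employee TO EMPLOYEE_read;

-- Desired situation: drop the table-level grant and grant only the columns
-- the role is allowed to see.
REVOKE SELECT ON dbo.employee FROM EMPLOYEE_read;
GRANT SELECT ON dbo.employee (employee_id, name, department) TO EMPLOYEE_read;

-- Check the effective rights of a role member, column by column.
EXECUTE AS USER = 'demo_reader';
SELECT c.name AS column_name,
       HAS_PERMS_BY_NAME('dbo.employee', 'OBJECT', 'SELECT',
                         c.name, 'COLUMN') AS can_select
FROM sys.columns AS c
WHERE c.object_id = OBJECT_ID('dbo.employee')
ORDER BY c.column_id;
REVERT;

-- Audit query: column-level permissions recorded for the role.
-- minor_id > 0 identifies a permission on a single column.
SELECT pr.name                  AS principal_name,
       OBJECT_NAME(p.major_id)  AS table_name,
       c.name                   AS column_name,
       p.permission_name,
       p.state_desc
FROM sys.database_permissions AS p
JOIN sys.database_principals  AS pr ON pr.principal_id = p.grantee_principal_id
JOIN sys.columns              AS c  ON c.object_id = p.major_id
                                   AND c.column_id = p.minor_id
WHERE p.class = 1 AND p.minor_id > 0 AND pr.name = N'EMPLOYEE_read';
```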

 


2 replies

Jasper
Superhero
  • 678 replies
  • October 28, 2020

Hi Dennis,

When using the Thinkwise Windows GUI in a two-tier architecture, the user interface requires access to all columns in the database in order to, for example, execute the business logic.

In a three-tier architecture, however, where the Windows or Universal GUI accesses the database through the Indicium service tier, only the Indicium service account needs database access, so there is no need to set column permissions on the database anymore. In addition, Indicium will not only enforce column authorization (starting with version 2021.1, coming next month) but will also provide row-level access control using authorization prefilters.

(Column authorization requires the Indicium Universal variant; we are working on making the Windows GUI compatible with it.)

 


Jasper
Superhero
  • 678 replies
  • October 28, 2020
Updated idea status: New → Closed
