My idea is to create the possibility to authorize a role colum based from the Software Factory and I'll explain why.
For example there is al role to add and manage the employee data including sensitive data such as citizen service number (BSN). We also cretaed a role EMPLOYEE_read assigned to all employees as face book function in the system. In the GUI columns like BSN and partner data is hidden but a role will always have "No rights" or "Full read rights" on a table. The disadvantage is that users could read the table in its entirety from the SSMS.
The SF knows the column rights of a role (same as the GUI) so when the GRANT select on table will be expanded with the columns the database rights are always the same as the GUI rights.
Hi Dennis,
When using the Thinkwise Windows GUI in a two-tier architecture, the user interface requires access to all columns in the database in order to, for example, execute the business logic.
In a three-tier architecture however, where the Windows or Universal GUI accesses the database through the Indicium service tier, only the Indicium service account needs database access, so there is no need to set column permissions on the database anymore. In addition, Indicium will not only enforce column authorization (starting with version 2021.1, coming next month) but will provides row-level access control using authorization prefilters.
(Column authorization requires the Indicium Universal variant, we are working on making the Windows GUI compatible with it.)