From the 2020.2 version of the Thinkwise suite, the way effective role rights are determined has changed. This may have consequences when you use the IAM feature to apply user rights to the database. This text focuses on what may have changed for you, and how to deal with these changes.
Calculating the effective role rights
To determine what actions a user is allowed to perform, we use effective role rights. Effective role rights are a combination of:
- Meta model settings
- Role rights
Previously, the effective role rights were calculated in IAM. However, the meta model settings and role rights are both stored in the Software Factory (SF). It therefore makes more sense that the effective role rights are already determined in the SF and passed on to IAM during synchronization. This is how it is done from version 2020.2 onwards.
This also offers major advantages for the auditing module that now exists in IAM. After all, it is no longer necessary to calculate in IAM which maximum rights a user had during a certain period. For more information about this topic, see this blog.
Rights on the database
As mentioned, this new way of determining the effective role rights has consequences for applying user rights to the database. We will demonstrate this with the following example:
- Meta model settings: adding is disabled for a table
- Role rights: adding is enabled for your role on the same table
Before version 2020.2, this meant that you did not have the right to add a record to this table in the GUI. However, when the user rights were applied to the database, adding a record to the very same table directly on the database was allowed. We consider this inconsistent and, more importantly, a security risk.
Since version 2020.2, adding a record is prevented not only in the GUI but also on the database when you use the ‘Apply user rights to database’ task. This can lead to different (safer) results than before. In this case, we encourage you to re-evaluate your meta model settings and role rights for the table. To help you do this, validations that detect these situations have been added through a hotfix. You have to generate your project first to get the validations.
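The example below is an added illustration, not Thinkwise code: it models the rule that an effective right exists only when both the meta model and the role allow the action, shows which GRANT/REVOKE statements a task like ‘Apply user rights to database’ would produce before and after 2020.2, and lists the inconsistent combinations the validations are meant to flag. The table names, role name and sample settings are constructed for the example.

```python
# Effective role rights = meta model settings AND role rights.
# Hypothetical data layout and names; not the Thinkwise SF/IAM implementation.
ACTIONS = ("add", "update", "delete")
SQL_PRIVILEGE = {"add": "INSERT", "update": "UPDATE", "delete": "DELETE"}

# Constructed sample meta model settings: per table, which actions the model allows.
META_MODEL = {
    "order":      {"add": False, "update": True,  "delete": False},
    "order_line": {"add": True,  "update": True,  "delete": True},
}

# Constructed sample role rights: per role, per table, which actions the role grants.
ROLE_RIGHTS = {
    "sales": {
        "order":      {"add": True, "update": True,  "delete": True},
        "order_line": {"add": True, "update": False, "delete": False},
    },
}


def effective_rights(meta_model, role_rights):
    """An action is effective only if the meta model AND the role allow it."""
    return {
        role: {table: {a: meta_model[table][a] and rights[a] for a in ACTIONS}
               for table, rights in tables.items()}
        for role, tables in role_rights.items()
    }


def database_grants(meta_model, role_rights, legacy=False):
    """Statements an apply-rights task would emit per role and table.
    legacy=True mimics the pre-2020.2 behaviour (role rights only);
    the default follows the effective rights, as from 2020.2."""
    source = role_rights if legacy else effective_rights(meta_model, role_rights)
    stmts = []
    for role, tables in sorted(source.items()):
        for table, rights in sorted(tables.items()):
            for action in ACTIONS:
                if rights[action]:
                    stmts.append(f"GRANT {SQL_PRIVILEGE[action]} ON {table} TO {role};")
                else:
                    stmts.append(f"REVOKE {SQL_PRIVILEGE[action]} ON {table} FROM {role};")
    return stmts


def inconsistent_rights(meta_model, role_rights):
    """Validation: a role grants an action that the meta model disables for the table."""
    return sorted((role, table, a)
                  for role, tables in role_rights.items()
                  for table, rights in tables.items()
                  for a in ACTIONS if rights[a] and not meta_model[table][a])
```

Running `inconsistent_rights(META_MODEL, ROLE_RIGHTS)` on the sample data reports the ‘order’ table for both add and delete, which is exactly the combination the text describes: disabled in the meta model, enabled for the role.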
If data manipulation is allowed on the database, this will usually also be the case in the GUI. When it is not, you can create a read-only variant of the table.