How can I authorize a role column based? In the Software Factory you assign rights on a table.
In the column rights you can set or the fields are visible in the GUI. This doesn't change the user right to consult the data from the column directly on the database.
The user still can run the query in the SQL database and select for example the colum employee_status. The permission shouldbe denied for executing this action.
Page 1 / 1
Hey Dennis,
In IAM there's a task to Execute user rights on the database. In the screen User groups (Gebruikersgroepen) you can select the task and export the SQL to run on the Database or just run it directly on it. You can select to export or execute everything or only a single user group or single user rights. This way the authorization can be placed on the database too. If you want to export the roles and such, be sure to name a location and give it a name.sql (unlike in my picture)
The script will create the users if they don’t exists including the roles and user groups and places the users in the correct user groups with the correct roles assigned. Now the users can only access what is stated in IAM.
Give it a go
If you were to use Indicium and don’t allow user access or connect to the database server this would have already been taking care off since Indicium will do all the data access for the user.
Hope this helps you further!
Kind regards, Mark Jongeling
Hi Dennis,
The only part I was missing in my previous reply is the part where you can create the role rights onto the database. This can be done by going into IAM and navigating to Project → Project versions → Roles and clicking this task:
You can make a (sub-)selection of roles to roll out to your database. Then with the information from my previous reply, you can create users and user groups and bound the roles to the user groups.
Kind regards, Mark Jongeling
Dennis,
As far as I am aware of assigning rights on a specific column is not a standard SQL server feature. Therefor the role scripts, produced by IAM, does not contain column rights, only table rights. This is one the reasons TW decided to set up Indicium.
On the internet I did find some workarounds for setting the rights for a specific column. I do not know if these are recommended, therefor I will not redirect you towards this.
After some research I can confirm what Arjan said. From the available task in IAM, columns rights will not be granted or revoked. Access is currently given on table level meaning, if an user only may see 1 columns, the whole table will be available for the user through SQL server querying. Of course, in the application the given rights in IAM apply.
Feel free to create a topic in the Ideation section.