I have a table in my snowflake account with row access policy enabled to restrict access based on let's say 'region'.
Now , if i want to share this table to a reader account , how can I achieve that ?
I tried creating a secure view following the doc - https://docs.snowflake.com/en/user-guide/data-sharing-secure-views.html#sample-setup-and-tasks
However, when I select rows on the secure view via reader account, I do not see any rows though I added an entry for sharing_access.
When I tried the same with a table without row access policy , it works fine.
So was wondering if there is any limitation/restriction of using row access policy with secure shares ?
If you are asking whether you can share a secure view that references a table that has row access policies, the answer is yes. However, the row access policy must include an INVOKER_SHARE type of reference in order for the consumer to see any data. If your current row access policy only includes provider roles, then the consumer will not see any data.
Here is a brief reference in the documentation:
https://docs.snowflake.com/en/user-guide/security-row-intro.html#data-sharing
Data sharing consumers cannot apply a row access policy to a shared table or view. As a workaround, import the shared table or view and then apply the row access policy to a local view that queries the shared table or view.
Related
i'm new in oracle apex. I want to make a custom authorization based on the user role (manager or employee). I have make an UI for the manager to custom the access role based on the user role when the user click on the checkbox and when click save button (not working for now), the user must be able to access the form based on their access. Anyone know how to do that? Please help. Thank you
The custom access form
This is a very broad question, hard to answer in a single answer. I can give you some form of direction but not a detailed answer:
This is a form of a roles/responsibilities implementation. A user gets a role (employee) but in the application every functionality is tied to a responsibility (eg time sheet, user profile). This is one way to implement this:
create a user/role mapping table. A user has a row for every role he has, eg User "John" has role "Employee"
create a role/responsibility mapping table. One row for every responsibility that is granted to a role. This table will be populated from the screen that you posted the screenshot for
create one authorization scheme in the application for every responsibility you create (one for time sheet, one for user profile, etc). In this authorization scheme you check if there is a row for the current user joined to the user/role mapping table and to the role/responsibility mapping table
I'm developing a microservice (restful) project that uses kaycloak as IAM. I could create realm, client, users,... for authenticating but my concern is should I manage users only on keycloak or creating my own user table in my microservice?
is should I manage users only on keycloak or creating my own user
table in my micro-service?
First you need to check what can one do (or not) with Keycloak regarding user management and compared with your current (and possible future) requirements. If it does not completely fulfill your requirements then you can either extend Keycloak, adapt your requirements, or (probably the most straightforward solution) have your own user table in your micro-service.
You might want also to create your own user table for performance reasons. Depending on how slow it is to access Keycloak in your setup you might consider using that user table as caching mechanism for quick access of user-related information.
The problem of having that user table is that depending on the user information stored on Keycloak and on the user table you might have to keep them in sync. Moreover, if that information exists on the user table and not on Keycloak, and you need that information on the tokens, you will have to think about how will you handle such situations.
Personally, I would try to avoid creating the user table unless it is really necessary. So a complete answer to your question will most-like be highly dependent of your own needs.
We need to implement row-level security policy for a PostgreSQL View. Is there any option to do this?
Thank You
CREATE VIEW
view_own_log
AS SELECT
these,
fields,
only
FROM
restricted_log_table
WHERE
username=user;
user is the logged on user.
You can create more sophisticated WHERE clauses if needed. Have the table access limited to minimum and use GRANT to give access to the view.
I'm working with Shopware.
I've added a new attribute "proxy" to the s_core_auth table for each user in order to show the ability to get access to the Customer Module in the backend, so that if a user is not selected as "proxy" he/she won't be able to make changes in that module.
I need help to understand what I need to write in my plugin's code (maybe having only a Subscriber file.)
I'll be very grateful!
Adding a custom column to the s_core_auth table is not a good idea. What you're trying to achieve can be done with user groups and group rights. From the Shopware Documentation:
With User administration you are able to create new users in the backend and control access rights to areas, modules and plugins in accordance with certain group policies that you define per ACL (Access Control List). Within the ACL you have the possibility to control precisely which user is able to perform which activity. Thus, it is possible to assign certain reader rights to an administration group without granting them authorization to edit or delete.
You can find instructions for User administration inside the Documentation.
I am storing images of one user(owner) in google cloud storage bucket. I wanted to grant read permission for this image to a group of users(contacts of owner).I am planning to use Access Control List for this purpose; e.g., Owner will have full permission to his bucket and the contacts will have read permission on the images. There are chances that owner will have a very huge number of contacts, say 1 million.
So,
will there be any performance issue, if ACL contains a huge number of users?
Will this be the right approach for access control? Or should I consider signed URL?
Regards,Remya
This approach is not going to work for you. There are some significant limitations and downsides to trying to serve content like this. First and foremost, there is a limit of 100 ACL entries on a given object. You could get around this by granting permission to a group for which every user was a member, but even so, it still means that viewing the images will require that every user be logged in to their Google account in addition to however they authenticate for your site.
The canonical way to accomplish this would be to keep all images private and owned by your site's own account. When a user loads a page, verify however you like that they have appropriate authorization to view the images, and if so, generate signed URLs for the images. This allows you to use any authorization scheme without limitation while serving images directly from GCS.