IBM DB2 has nice LBAC (label based access control) policy. I am not facing problem when creating or using these policies from within the query browser. However, my requirement is a bit different. Using LBAC, let us say that I have created the required security labels and assigned them to the columns and rows in the database tables. Now, Given the access control for the user, I want to find out if a particular label is accessible to that user.
DB2 will internally figure it out and produce the desired results, however I need some solution which would tell me if a particular column/row is accessible to the user, if I am given the user's access level along with the security labels for each column/row. I need some method which does the following:
Find out the security labels for a column [I can do this]
Find out the access controls allowed to the user [I can do this]
Tell if these security labels are accessible for the user [I do not know how to achieve this]
Consider this example:
My sample component:
/*Create the component*/
CREATE SECURITY LABEL COMPONENT ORG_DIVISIONS
TREE ('ORGANIZATION_ADMIN' ROOT, --The admin will have the complete access
'SALES' UNDER 'ORGANIZATION_ADMIN', --The sales department will have acess to the financial information for each unit
'RESEARCH' UNDER 'ORGANIZATION_ADMIN', --The research division will have access to technical specs and design along with certain financial information
'RSM1' UNDER 'RESEARCH', --The research manager 1 will have access to certain design and technical specs and certain financial information (depending on the project he is undertaking)
'RS_ENGG1' UNDER 'RSM1', --The research engineer 1 will have access to certain technical specs (depending on the project he is undertaking)
'MANUFACTURING' UNDER 'ORGANIZATION_ADMIN', --The manufacturing unit will have access to design along with certain financial information
'MFM1' UNDER 'MANUFACTURING', --The manufacturing division manager 1 will have access to certain designs along with certain financial information (depending on the project he is undertaking)
'MF_ENGG1' UNDER 'MFM1' --The manufacturing division engineer 1 will have access to certain designs (depending on the project he is undertaking)
)
My sample policy for the component:
/*Create the policy*/
CREATE SECURITY POLICY ORGANIZATION_POLICY
COMPONENTS ORG_DIVISIONS
WITH DB2LBACRULES
RESTRICT NOT AUTHORIZED WRITE SECURITY LABEL
My sample set of labels:
/*Create the labels from the policy components*/
CREATE SECURITY LABEL ORGANIZATION_POLICY.ORGANIZATION_ADMIN
COMPONENT ORG_DIVISIONS 'ORGANIZATION_ADMIN'
CREATE SECURITY LABEL ORGANIZATION_POLICY.SALES
COMPONENT ORG_DIVISIONS 'SALES';
CREATE SECURITY LABEL ORGANIZATION_POLICY.RESEARCH
COMPONENT ORG_DIVISIONS 'RESEARCH';
CREATE SECURITY LABEL ORGANIZATION_POLICY.RSM1
COMPONENT ORG_DIVISIONS 'RSM1';
CREATE SECURITY LABEL ORGANIZATION_POLICY.RS_ENGG1
COMPONENT ORG_DIVISIONS 'RS_ENGG1';
CREATE SECURITY LABEL ORGANIZATION_POLICY.MFM1
COMPONENT ORG_DIVISIONS 'MFM1';
CREATE SECURITY LABEL ORGANIZATION_POLICY.MF_ENGG1
COMPONENT ORG_DIVISIONS 'MF_ENGG1';
My sample user:
/*Use the defined policies and grant accesses to the users*/
GRANT SECURITY LABEL ORGANIZATION_POLICY.RSM1
TO USER someone FOR ALL ACCESS;
Now, since I defined a tree component, the user someone will have access to entities which are labeled RSM1 or with its children labels (RS_ENGG1 in this case). DB2 knows this and will present me the relevant results if login as user someone and fire queries. But the question is, how can I (as an admin) know which columns/rows would be accessible to user someone? Can this information be retrieved from some security table or figured out somehow?
Regards,
Salil Joshi
I could not find any solution to this problem. What I ultimately did was to find out the security components of the type 'Tree' and 'Array', list their components, and re-constructing the equivalent tree in Java.
1) Find out the labels granted to the user
SELECT
A.grantee
,B.secpolicyname
,c.seclabelname
FROM
syscat.securitylabelaccess A
,syscat.securitypolicies B
,syscat.securitylabels C
WHERE
A.seclabelid = C.seclabelid
AND A.secpolicyid = B.secpolicyid
AND B.secpolicyid = C.secpolicyid
2) Find out the array and tree component elements:
For trees:
SELECT
D.secpolicyname
,B.elementvalue
,B.parentelementvalue
FROM
syscat.securitylabelcomponents A
,syscat.securitylabelcomponentelements B
,syscat.securitypolicycomponentrules C
,syscat.securitypolicies D
WHERE
A.compid = B.compid
AND A.comptype = 'T'
AND A.compid = C.secpolicyid
AND C.secpolicyid = D.secpolicyid
For arrays (note: I could not find the order in which the elements were inserted in the array, but found that doing a selection (select *) rather than projection (select A.a, B.b, ...) helps here. Any better solutions are welcome):
SELECT *
FROM
syscat.securitylabelcomponents A
,syscat.securitylabelcomponentelements B
,syscat.securitypolicycomponentrules C
,syscat.securitypolicies D
WHERE
A.compid = B.compid
AND A.comptype = 'A'
AND A.compid = C.compid
AND C.secpolicyid = D.secpolicyid
3) Generate the list of labels allowed for the user using the above constructs.
One small problem here is that the component elements and the labels created from them might not have same name, and I could not find any mapping for them. I have posted this problem here for the same.
Related
I need help with querying my business rules in SQL!
I have created couple of business rules in MDS web service to validate my master data and found out that 2 % of my data is not complying with the rules. Now I have created a SQL subscription view to report on the invalid data in PowerBI. In my PowerBI report I need to tell the business user why the data is invalid but I cannot since the subscription view only tells where the data is invalid but not why the data is invalid. So I need to know how I might query my business rules from MDS database in SQL and map it with my PowerBI data model. Is there a way to query the list of business rules from MDS database?
OK, so there are multiple ways to go about this. Here are some solutions, pls choose one that suits your scenario.
1. SQL - List of all Business Rules
The following query will retrieve the list of all Active Business Rules created in MDS.
SELECT *
FROM [MDM].[mdm].[viw_SYSTEM_SCHEMA_BUSINESSRULES]
WHERE Model_Name = 'YourModelName'
AND BusinessRule_StatusName = 'Active'
You can, of course, further filter by Entity_Name, etc.
The important columns in your case are going to be:
[BusinessRule_Name]
[BusinessRule_Description]
[BusinessRule_RuleConditionText]
[BusinessRule_RuleActionText]
Note: The challenge in your scenario, I think, is going to be that the Subscription View of the entity does not have IDs of the exact Business Rules that failed. So I'm not sure how you'll tie these 2 together (failing Rows -> List of Business Rules). Also remember that each row may have more than 1 business rule that failed.
2. using View viw_SYSTEM_USER_VALIDATION
This is a view that has a historical list of all business rules (+row info) that failed. You may use the view in this way:
SELECT
DISTINCT ValidationIssue_ID, Version_ID, VersionName, Model_ID, ModelName, Entity_ID, EntityName, Hierarchy_ID, HierarchyName, Member_ID, MemberCode, MemberType_ID, MemberType, ConditionText, ActionText, BusinessRuleID, BusinessRuleName, PriorityRank, DateCreated, NotificationStatus_ID, NotificationStatus
FROM [MDM].[mdm].[viw_SYSTEM_USER_VALIDATION]
WHERE --CAST(DateCreated as DATE) = CAST(GETDATE() as DATE) AND
ModelName = 'YourModelName'
--AND EntityName IN ('Entity_1','Entity_2') -- Use this to Filter on specific Entities
Here, use the columns Model_ID, Entity_ID and Member_ID/MemberCode to identify the specific model, entity & row that failed.
Columns BusinessRuleName, ConditionText & ActionText will give your users additional info on the Business Rule that failed.
Note:
One issue with using this view is that even though, let's say, your failure condition was resolved the next day by the user, the view will still show that on a certain date, a validation had failed. (via column DateCreated).
Also note that the same failed data row will appear multiple times here if multiple Business Rules on the same row failed validation (there will be different BusinessRuleID/Name, etc). Just something to take note of.
Similarly, the same row may appear multiple times if it has failed again & again at different times. To workaround this, and if your final report can do with that, add a WHERE clause on the DateCreated column so that you only get to see any row that Failed today. The commented out line of code <--CAST(DateCreated as DATE) = CAST(GETDATE() as DATE) AND> does the same. If you can't use that, just make sure the data row are distinct. However, if you do this, remember that if something Failed yesterday (and is still in the Failed status), it may not show up.
My suggestion would be to use a slightly modified version of Solution #2:
Get the list of Failed Rows from your Subscription View (the data row's ValidationStatus is actually still 'Failed'), then JOIN with viw_SYSTEM_USER_VALIDATION making sure that you only select the row with MAX(DateCreated) value (of course for the same data row AND Business Rule).
Best of luck and if you find anything else while solving this issue, do share your learning here with all of us.
Lastly, if you found this useful, pls remember to Mark it as the Answer :)
I want the salesrep to see both theirs and OVERALL TEAMS PERFORMANCE. Is it possible to create a TOGGLE SWITCH : ME/TEAM...when they click on ME - it shows them their revenue and when they click on TEAM - it show overall team revenue. But, they still shouldn't be able to see other salesman revenue...Thanks
Currently, I'm filtering their access to data by their USERNAME using the FULLNAME() function in Tableau. I'm wondering how would the salesrep be able to see the revenue of the TEAM OVERALL which helps them to compare their performance to the team overall
As far as I can tell, with your current setup, you will only be able to display the active sales reps data. This appears to be a requirement for data security. If you want reps to see the overall team data as well, I would create a second data source with aggregated team data, create a view based on this data and place both views side by side on a dashboard.
After that, you could build in the toggle functionality with parameter controls.
Create a parameter. Simple example would be a text input that accepts two values, ME or TEAM. For this example, let's call the parameter Parameter 1.
Set up a conditional calculated field to handle your data security. The condition is based on the parameter. For this example, let's call the calculated field What To Show.
Add a filter, preferably at the data source, for What To Show = True.
The code for What To Show is
if [Parameter 1] = "ME" then [USERNAME] = FULLNAME() END
[USERNAME] of course is whatever your security column is called.
What you are doing here is conditionally applying row-level security based on what parameter your user has selected.
we are currently digging into Amazon Redshift and testing different functionalities.
One of our basic requirements is that we will define different user groups which in turn will be granted access to different views.
One way to go about this would be to implement one view seperately for each user-group. However, since we have a lot of user-groups that share almost the exact same need for information, I'm looking for a way to implement this more dynamically in Redshift.
For instance, let's say I have a user group called users_london and another one called users_berlin. Both will have access to a view called v_employee_master_data which contains the columns employee_name, employee_job_title and employee_city.
Both groups share the same scope of information with one exception - the column employee_city.
In essence, the view should be pre-filtered for a certain value in the column employee_city according to the currently logged-in user-group.
In SQL - something like this:
For the usergroup users_london:
SELECT * FROM v_employee_master_data WHERE employee_city = 'London';
For the usergroup users_berlin:
SELECT * FROM v_employee_master_data WHERE employee_city = 'Berlin';
Now to make the connection back to Amazon Redshift. Does the underlying DB runtime provide an out-of-the-box functionality to somehow catch the currently logged user-group as a form of global variable and alter the SQL-statement according to the value of that variable?
It is possible to do:
get current user
select current_user
find what group it belongs to
select groname from pg_group where current_user_id = any(grolist);
Extract city and capitalize it:
select initcap(substring(groname from 'users_(.*)')) from pg_group where current_user_id = any(grolist);
Now you have your city based on the "user". So just inject it in the view
... WHERE employee_city = initcap(substring(groname from 'users_(.*)') ...
So I have a form I have Vendors fill out when they want to ship to us. It's an excel form that I then import into Access so I can run reports. Sometimes when they send the form back it's in a format in which I have to manually enter the data into our database.
The form looks like this:
The middle section is just for example purposes so it's a rectangle with text in it.
So everything seemed simple enough until I got to the middle section. See in my excel form I have a section for multiple PO's and units. So essentially each shipment can have one to many PO's and Units. Currently I can approach this task with the redundant method of reentering information per PO on the form. But I want to make this simple.
So the task at hand is that I want to have a form field for PO's and Units where I can input multiple lines of information so that when I hit a submit button. It appears in the database on separate lines with the same vendor information.
So if I filled out my form had this in the middle section:
PO | Units
111111 22
222222 33
333333 44
When I hit submit I want it to attach the rest of the forms information to each PO on separate lines so it'd be like:
Vendor | City | State | PO | Units
Nike Memphis TN 111111 22
Nike Memphis TN 222222 33
Nike Memphis TN 333333 44
So how would I go about accomplishing this task?
From your description of the problem and your example of how the data appears to ultimately be stored in Access it looks to me like you are using Access as a spreadsheet and not as a database. This is ok, but you might want to consider normalizing the data to take advantage of the power of databases in general.
For example:
Create a Vendors table whose sole purpose is to keep details about each Vendor you work with. A very basic implementation would have an ID field to uniquely identify each vendor and a Name field for the vendor name.
If Vendors will only ever have a single location you could also store City, State, ZipCode and Email in this same Vendor table, but I suspect having a separate VendorLocation or VendorAddress table would be a better fit long term.
Create a VendorShipment table that tracks the higher level information on your mockup, such as:
ShipmentID (primary key of this table)
VendorID (foreign key back to Vendor table)
Ready Date
Carrier
Estimated Cost
FreightClass
Tracking #
Estimated Transit Time
Finally, create a VendorShipmentDetail table that tracks the information of each shipment, including:
ShipmentDetailID (primary key of this table)
ShipmentID (foreign key back to VendorShipment table)
PO
Units
Any other details that you want to or need to track
Organizing and storing the data in a normalized fashion would ultimately help simplify your data entry \ data management process and potentially make for a better user experience.
For example, rather than having to enter the Vendor Name, Address information, etc. each time you could instead use a combo box control that is tied to the Vendor table. If the Vendor exists in the table you select it from the list and you already have the Address information, no need to re-enter it each time. If the Vendor did not already exist you enter it once (probably on a Vendor screen where you maintain the details for each Vendor) and draw upon the information in the future.
You would then use queries to tie the information back together for reporting purposes (de-normalize the information).
The art of database design can take a while to pick up, but a good starting point might be to check out the Northwind database that Microsoft has maintained over the years. It has some examples you could draw from immediately to get a practical understanding of how to use normalization within Access. You can find more information here: http://office.microsoft.com/en-us/templates/northwind-sales-web-database-TC101114818.aspx
A client has asked if they can prioritise a certain product in their online catalogue so that it appears as the second product rather than the sixth or so. Is this possible?
This is all I can find in the help section, which points to a no answer.
Customizing how sub-catalogs list appears
{tag_cataloguelist,rowLength,targetFrame,notUsed,sortType,hideEmptyMessage,list/table}
rowLength Number of catalogs per
row targetFrame e.g. _blank.
Specify the frame you want the product
to open in resultsPerPage
Number of catalogs you wish to display
before the page paginates
notUsed this field is not currently
used. Leave empty. sortType
- Alphabetical
- Weight (Defaut) hideEmptyMessage if a catalog does not
have any sub-catalogs you will see a
message This catalog has no
sub-catalogs. You can hide it by
setting it to true.
Hopefully I'm just missing a really obvious control in the BC interface somewhere.
So that help documentation you've pulled up is regarding catalogs. If you want the catalogs to appear in a different order, use the "Weight" sortType in your tag_cataloguelist and assign weights to your catalogs when setting them up.
For individual products in the list view, assign a weight to each product under eCommerce > Products in the detailed product settings. You can also assign weights in bulk by downloading the entire product list then reimporting the product database.