May 5, 2005 at 2:23 pm
We have a business requirement to secure data based on a user's role. The use case is as follows:
Joe Salesman is a salesman in the West region. There are 3 regions in our company, and all customers belong to one region. Joe logs into the application, and loads a screen that performs a "select all customers" query. Because Joe is in the west region, we want his query to only return "all customers in the west region."
There are two ways we can apply this logic.
A) ask the DA layer to perform the query "select * from customers", and have the business layer apply the data security logic. The business layer would spin through all the customers returned, and remove the customers from the result set that do not meet the security criteria.
B) Perform the security at the DA layer. When the business layer asks the DA layer "select * from customers", the DA layer appends to the query "where region = 'WEST'" based on the security model. The DA layer will only return the subset of customers.
(A) is much simpler to implement, but comes with cost of returning data the user will never use. We obviously like (B), but we see it comes with a great deal of complexity. Our DA layer now must be able to parse queries (SQL, xpath, or whichever the query syntax is used), and append additional clauses to the query.
Our questions are:
1) are there products available that provide functionality to parse/manipulate data queries?
2) are there products available that provide data security (parse data queries & manage the data constraints)
3) does anyone have any thoughts on this issue in general?
May 5, 2005 at 5:45 pm
Create a table with users and their associated regions (if you don't already have one), then create a view that joins this table to the table you would normally use on user id, adding the region filter in the where clause. Have the DA layer select from the view. Instant security filtering.
May 6, 2005 at 7:06 am
I definitly agree with David, using a view would solve your problem in a fast and very simple way.
//Hanslindgren
Viewing 3 posts - 1 through 2 (of 2 total)
You must be logged in to reply to this topic. Login to reply