Pentaho Metadata / PMD-370

As a DBA, I want to define a global row level security constraint on a model that includes role information

    Details

    • Type: New Feature
    • Status: Closed
    • Severity: High
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 2.0.GA
    • Component/s: SQL Generator
    • Labels:
      None

      Description

      Use Case:
      As a DBA, I don't have any existing mechanism such as security labeling in my database for enforcing RLS. I want the ability to specify rules in my Metadata model such that different users/roles can access a common model, but the data is actually filtered dynamically according to who the person is or what their role is. For example, I have a data warehouse containing all information regarding a patient's health and treatment history. I want users with the role of Doctor to see all information related to a patient's history. I also have cancer researchers who need formal approval to gain access to patient history and only specific to their area of research. I want the metadata layer to handle the filtering such that they only see patient history records for treatments of cancer-related incidents.

      Design Notes:
      Row Level Security needs to be defined/managed at the business model level
      The 'Data Security' property should be a default property for any Business Model node in a Domain file
      Need to ensure clear separation of engine component and UI component

      Potential Gotchas:

      • Performance with long list of constraints

      Example definition:
      OR(
      AND(IN("RoleCancerResearcher";ROLES());
      [Disease]="Cancer");
      IN("Admin"; ROLES())
      )

      Conditions of Satisfaction:

      • Create the Test plan framework with details on this specific feature
      • Testing details should include creating a few different security filters
      • simple single column/value filter,
      • more complex multi-column filter
      • users belonging to multiple roles
      • Validate that logging in with different user|role combinations gets the correct data filter applied
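
How a constraint shaped like the example definition resolves per user, as an added sketch that is not Pentaho Metadata code or its SQL Generator: role tests are decided when the query is built, and column tests survive as a parameterized WHERE fragment. The tuple AST, the function names and the `1=1` / `1=0` sentinels are assumptions of this example.

```python
# Added illustration, not Pentaho Metadata code. The tuple AST mirrors the
# ticket's example definition; all names here are assumptions.
CONSTRAINT = (
    "OR",
    ("AND", ("IN_ROLES", "RoleCancerResearcher"), ("EQ", "Disease", "Cancer")),
    ("IN_ROLES", "Admin"),
)

def resolve(node, roles):
    """Decide role tests now; keep column tests as (sql, params) fragments."""
    op = node[0]
    if op == "IN_ROLES":                      # IN("<role>"; ROLES())
        return node[1] in roles
    if op == "EQ":                            # [Column]="value"
        # Column name comes from the model, the value is bound, not inlined.
        return (f'"{node[1]}" = ?', [node[2]])
    if op not in ("AND", "OR"):
        raise ValueError(f"unsupported operator: {op}")
    absorbing = op == "OR"                    # True absorbs OR, False absorbs AND
    parts = [resolve(child, roles) for child in node[1:]]
    if any(p is absorbing for p in parts):
        return absorbing
    parts = [p for p in parts if not isinstance(p, bool)]
    if not parts:                             # only neutral booleans were left
        return not absorbing
    if len(parts) == 1:
        return parts[0]
    sql = f" {op} ".join(f"({s})" for s, _ in parts)
    return (sql, [v for _, params in parts for v in params])

def row_filter(roles):
    """WHERE fragment for one user; a user matching no branch gets no rows."""
    result = resolve(CONSTRAINT, set(roles))
    if result is True:
        return ("1=1", [])                    # unrestricted
    if result is False:
        return ("1=0", [])                    # default deny
    return result
```

A user whose roles match no branch of the constraint resolves to the deny sentinel rather than to an empty filter, which is the case the user|role validation step should cover explicitly.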

            People

            • Assignee:
              jtcornelius Jake Cornelius (Inactive)
              Reporter:
              jtcornelius Jake Cornelius (Inactive)

                Time Tracking

                Original Estimate: 39h
                Remaining Estimate: 9h
                Time Spent: 30h