Using Shiro we have a great security framework embedded in our enterprise application running on GF. You define users, roles, permissions and we can control at any fine-grain level if a user can access the application, a certain page or even click a specific button.
Is there a recipe or pattern, that allows on top of that, to restrict a user from seeing certain data ?
Sample: You have a customer table for 3 factories (part of one company). An admin user can see all customer records, but the user at the local factory must not see any customer data of other factories (for whatever reason).
Te security feature should be part of the role definition.
Thanks for any input and ideas
Add one or more security tables to your application that contain UserID and a foreign key to the Primary Key of the table containing the resource to be securitized.
Create records in the new table for each User/Resource combination that you want to grant access.
Then, when the resource is requested from the database, just join the security table to the resource table using the Resource keys, and filter on the UserID of the security table for the user that is currently logged in. This will trim the output, removing any records for which the user does not have access.
It is relatively straightforward to create forms that allow you to set up the new records in the security table granting users access to resources.
NOTE: In the specific case that you mentioned, you just need a field in the User database that holds the value of the Primary Key in the customer database for which the user has access.
Related
As a part of database security I have different access for every user(same as schema in Oracle). Now I want to add these users as Oracle Application Express(Apex) users.
When I try to create new users, APEX does not provide me the ability to have database users as APEX users itself.
Essentially I have three users - STUDENT,TEACHER AND UNIVERSITY.
UNIVERSITY has two table - STUDENT_INFO and TEACHER_INFO
STUDENT DB User is not allowed to view info of TEACHER_INFO and similarly TEACHER DB User is not allowed to view info of STUDENT_INFO.
I wanted to show this information through APEX rather than sqlplus. hence I need STUDENT User to login into the APEX and try to access UNIVERSITY.TEACHER_INFO and UNIVERSITY.STUDENT_INFO to show the difference. How can I add these users as APEX Users if I already have admin privileges to APEX.
First of, APEX users are not database users. Apex users are pseudo users that have schema grants by the Apex administration area.
I am assuming here that you are not trying to create an authentication scheme in Apex, totally different subject.
If you create a workspace in Apex that has access to all 3 schemas (which is no problem). You create a single admin (again pseudo apex user) with full control.
That admin can create other users inside the adminstration->users interface. There he can grant access to all, none or subset of the schemas. Define them as application users, developers (which you want, so they can log into apex) or admins (do not want)
I took this from the internet. Notice the accessible schemas field., There you define it.
As I understand, you want to get access to tables in SQL Workshop?
First you need to know, that oracle database users and oracle APEX users are different things. After creating APEX users you need to go to Administration and find there menu for managing workspaces. I have no APEX now besides account at apex.oracle.com (administration functions there restricted), and don't remember exact names of menus. You need to give that users access to workspace (if necessary), and after that define, which database SCHEMAs this workspace can use (it is also in workspace management section). It can use one SCHEMA by default and other SCHEMAs can be added later. After adding SHEMAs UNIVERSITY and STUDENT you will get access to their objects in SQL Workshop.
Link to documentation: https://docs.oracle.com/cd/B28359_01/appdev.111/b32258/adm_wrkspc.htm#BABDEBHA
I am not really a database guy. I had to use a localdb for an application that I created using ASP.NET MVC 5. Now, I understand that the type of database can easily be changed by altering the connection string.
What I want to do is for me to be able to select the users (preferably based on their Windows credentials) that can read from the database.
I am using a localdb v11.0. My schema looks like this:
File table:
Id [int]
content [varbinary(max)]
Email [nvarchar]
Access [nvarchar(10)]
How can I do this? Typically, a user will directly try to get the file content from the content column.
Also, is there a better way to store files in databases?
If you're wanting to restrict columns, you've got a good use case for creating a view. Grant select permissions on the view and don't give permission to the underlying table.
As far as storing files in the server, Microsoft has a paper called To BLOB or Not To BLOB on that.
Here's their conclusion:
-if your pictures or document are typically below 256K in size, storing them in a database VARBINARY column is more efficient
-if your pictures or document are typically over 1 MB in size, storing them in the filesystem is more efficient if you use the FILESTREAM attribute you can maintain
-in between those two, it can be a toss up
If you store the binary in the database, look at moving the file to it's own table if you're not accessing it with every call. If you're using a view, you can get columns from both tables.
If you're using filegroups take a look at files and filegroup architecture.
It would be better to handle this at the application level rather than trying to pass-through credentials of the user to the database to align with database-level access controls.
Basically all you need to do is enable Windows auth for your application. Then, your users will either automatically be logged on to your application if they are logged in on the domain, or will be required to login before accessing the site. You can then retrieve their username via User.Identity.Name on the actions that serve up these files and use that to select only from files they are allowed access to.
One complication is that you're relying on Email in your table. The value of User.Identity.Name for Windows auth will be in the form of Domain\User. If all the users on your domain have a predictable email address (user#domain.com), then you can use this value to construct the email address. Otherwise, you'll need to dig into AD to get the email address for the user.
Here we are designing low-level business process for storing employees' details. (Another team deals with the higher level design). What we currently agree upon is this:
We store employee's username, name, phone number, email, and the [plain-text] default password -among others- in an RDBMS (MySQL or SQL Server).
This RDBMS ("DB"), the ssot of employee information, is exported to an LDAP system (OpenLDAP or Active Directory) which in turn becomes the primary authentication machine. The user's password is stored in the LDAP alone.
A 'daemon' will be built to continually check the integrity between the two. It will check, say, every 2pm and report any anomaly found.
First question: does the above design reflect the best practice?
And what we currently seek is a design regarding data entry of a new employee (or editing an existing employee's information). One enters sufficient employee information through an interface and when he/she clicks the "Submit" button:
Option 1: a web service is invoked which will do two things: updating the DB entry and updating LDAP respective entry. Any error in either process will cancel the whole update operation.
Option 2: a web service will update the entry in DB. This will then trigger a procedure that will export the updated record to the respective LDAP entry.
Option 3: a web service will update the entry in DB. A batch process continually checks the integrity between DB and LDAP every hour, and if there's difference between both, it will update the LDAP with the DB as the source. In this option, one will get the message "Your updated information will take effect in 1 hour."
Second question: what's the best option? Are there any other common options we should consider? And what is the best -or commonest- practice?
I would keep users in LDAP, as that's what it's designed for, and is good at it. Users can authenticate from many clients over LDAP.
I would use a database like Postgres, which has some LDAP integration.
a) Users can authenticate using LDAP
b) It has an LDAP foreign data wrapper, which lets you query LDAP inside the database.
c) There is an already-built LDAP to Postgres sync tool:
https://github.com/larskanis/pg-ldap-sync
Do not ever store plain text passwords! If you have to store passwords in the database, store the salted and hashed values.
i googled it and find nothing. Short story, i created a user and granted to a table in my SyBase. but when i try
select * from table1
it didn't work. Error show Permission denied: you don't have permission to select from "table1" and i try add dbname before table name like this and it works :
select * from dbname.table1
i suspect that user default database is something else so i want to set dbname to his default database. Anyone know how to do this?
This has nothing to do with database names (or login policies). Given your comment that "dbname" is actually the user who owns the table, here's what's happening.
When you specify a table name without an owner, the server has to figure out which table you mean. It first looks for a table that you own with that name. If it doesn't find one, it looks for tables owned by any groups that you are a member of. I suspect that one of these groups has a table named "table1" that you do not have permission to select from.
When you specify a table name with an owner, the server knows exactly which table to use. Since you do have permission to select from that table, you get the results you want.
IQ doesn't have default databases/schemas. Instead it uses login policies. Each database has a login policy assigned to it, which can be altered. You can also create custom login policies.
When you create a user account with out specifying a login policy, it automatically gets the root login policy.
For more information, check the following SAP Sybase IQ docs:
Intro to IQ: Managing Users and Groups
System Admin Guide V1: Managing User IDs and Permissions
Using a view or procedure is a useful method. That said, to establish a "default" schema in (IQ 15.x) one would use groups. Essentially, one grants group to the schema owner and makes the individual login accounts (or other groups) members of that group. Note that this only gives the user access to the schema--that is, it eliminates the need to preface the object with the schema/owner name (unless there are object name conflicts only resolvable with explicit schema.object naming). This does not include a grant of permissions. None of the implicit table-owner related privileges will inherit. However, as the schema/owner is now also a group, permissions could be granted at that level.
See: http://infocenter.sybase.com/help/topic/com.sybase.infocenter.dc00170.1540/doc/html/san1288042708174.html (Managing User ID's and permissions). Be warned: this material generally requires some close reading and experimentation before it becomes useful.
As I understand it, this method is complementary to (functionally replaced by) the new role-based model in IQ 16. However, as I am still feeling my through IQ 16, there is probably a great deal more to be said, and I am not ready to comment just yet.
My team has a service deployed internally, and part of this service is a list of client accounts stored in a sql table. SSRS is hosted on another server and we have integration jobs which [will eventually] pull these client accounts (along with additional info) from our 3 production environments to this SSRS database.
Also on this SSRS database, I’m creating a new table that will be a mapping of domain accounts and client accounts. I need this table so I can filter my report based on which client accounts the logged on user is allowed to see.
Pretty simple so far.
The next requirement of this is that I need to restrict access to the report itself. I understand I could normally use a security group to do this, but that would result in two separate locations to manage permissions for one resource and this is what I want to avoid.
The solution I’m looking into is to create a security extension to validate the logged in user against the database, allowing them access to the folder/report if they exist in the table. Once in, I can then use that same table again to filter their results.
What I’m not sure of is 1) if this is the best solution and 2) can I use a security extension for just MY portion of the site. There are many other users and reports on this site that I don’t deal with and don’t want to conflict with those.
Could you fill the DB table automatically from AD? Then you can use the standard windows security, but still only do the administration in Active Directory.
link text
You could set up an internal report parameter, called something like UserID, and set its default value to be the non-queried expression =User!UserID . (This user ID can be selected from the list of globals in the Edit Expression dialog.)
You could then add a cartesian/cross join to your users table in your query, with a selection condition based on your internal report parameter - eg. ...and UserTable.ID = #UserID . This would ensure that no records were returned if an unauthorised user was running the report.
Note that the User!UserID field will only return the user for interactively-run reports - in scheduled reports, this will be the account for the scheduling service.
Can't you restrict access to the report by using a security group (either in it's own folder or report level permissions). Use windows authentication in your datasource connection and filter you report retrieving your username using the sql function ORIGINAL_LOGIN?