ADF row-level security hides selected rows from certain users without using any PL/SQL functions.
In this post, we will implement row-level security based on the logged-in user. If the user's role is AppManager, some of the rows in the table are displayed; for other roles they are not.
Data Model:
Order and OrderItem are two tables which share a master child relationship.
The Order table contains the selling price of an item, whereas the OrderItem table has information about the several price elements that are associated with the item.
In the OrderItem table, there are multiple price elements, which include the Selling Price, Adjustments, and Discounts offered, along with the original cost and the margin of the item sold. In the demo, we will display the COST and MARGIN records of the lines table only to a user who is associated with the AppManager role.
ADF BC:
Created Entity Objects and View Objects on both the tables viz., . Created a View Link between the two VOs and included it in the Application Module (SecureAM).
Authentication of Application:
Configured security for the application by enabling authentication and authorization. Created two users, manager and supplier, along with the two roles AppManager and AppSupplier. Assigned the AppManager role to manager and the AppSupplier role to supplier.
Created a page EoSecured.jspx with a master form and a detail table. Granted view rights to both the roles in jazn-data.xml.
From the screenshots it can be observed that the same data is displayed for both users. The required functionality, however, is that AppManager should be able to see the records of price element type COST and MARGIN, whereas other roles should not be able to see these records. In other words, row-level security needs to be implemented to achieve this functionality.
Secure Access to the entire EO:
Enable security on the OrderItemEO. For this demo, we have enabled security on the “read” operation for the OrderItemEO.
Select the EO, right-click it in the Structure pane and select Edit Authorization. Grant privileges to both the roles to view the data.
Configure adf-config.xml for Row Level Security:
Configure the adf-config file for row level security. Add a dataSecurityProviderClass to this file to handle all the security configured Entity Objects. This class should extend AbstractDataSecurityProviderImpl.java.
AbstractDataSecurityProviderImpl in turn implements the interface DataSecurityProvider, which has two methods, “checkPrivilege” and “getPrivilegeFilterWhereClause”.
The “checkPrivilege” method verifies the row instance privileges while updating or deleting a row. The “getPrivilegeFilterWhereClause” method gets the where clause for read restriction. Implement the row-level security in the data security provider.
After this setup, if a user without the manager role logs in to the application, a dynamic where clause is built around the SQL that retrieves the data, and it does not fetch the COST or MARGIN records.
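The role check and dynamic where clause described above, as an added example that is not the code from this post: it is plain Java with no ADF classes, so it shows only the decision a provider's “getPrivilegeFilterWhereClause” would make, not the real ADF method signature. The column name PRICE_ELEMENT_TYPE, the class name and the helper names are assumptions.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Set;

public class OrderItemRowFilter {
    // Assumed names: the post does not show the column that holds the price element type.
    static final String SECURED_ENTITY = "OrderItemEO";
    static final String TYPE_COLUMN = "PRICE_ELEMENT_TYPE";
    static final String MANAGER_ROLE = "AppManager";

    /** Extra read predicate for the entity, or null when no restriction applies. */
    static String readFilterFor(String entityName, Set<String> userRoles) {
        if (!SECURED_ENTITY.equals(entityName)) {
            return null; // only OrderItemEO is row-secured in this demo
        }
        if (userRoles != null && userRoles.contains(MANAGER_ROLE)) {
            return null; // AppManager sees every price element
        }
        // Every other caller, including one with no roles, loses COST and MARGIN.
        // The predicate is built from fixed literals only, never from request data.
        // Rows whose type is NULL are also excluded, because NOT IN yields UNKNOWN for NULL.
        return TYPE_COLUMN + " NOT IN ('COST', 'MARGIN')";
    }

    /** ANDs the filter onto the query's own where clause, parenthesizing both sides. */
    static String applyFilter(String existingWhere, String filter) {
        if (filter == null) {
            return existingWhere;
        }
        if (existingWhere == null || existingWhere.trim().isEmpty()) {
            return filter;
        }
        // Without the parentheses an OR in the existing clause would bypass the filter.
        return "(" + existingWhere + ") AND (" + filter + ")";
    }

    public static void main(String[] args) {
        // Constructed sample clause and role sets.
        String base = "ORDER_ID = :orderId OR STATUS = 'OPEN'";
        List<Set<String>> callers = Arrays.asList(
            Collections.singleton("AppManager"),
            Collections.singleton("AppSupplier"),
            Collections.<String>emptySet());
        for (Set<String> roles : callers) {
            System.out.println(roles + " -> " + applyFilter(base, readFilterFor(SECURED_ENTITY, roles)));
        }
    }
}
```

The filter is the default and the AppManager role is the exception, so a user with no roles, or with a role added later, gets the restricted view.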
Following are the screenshots of the test cases after implementing row-level security at the middle tier: