Thursday, November 15, 2012

ADF Row Level Security


ADF row-level security restricts certain rows of data from being shown to certain users, without using any PL/SQL functions.
In this post, we will implement row-level security based on the logged-in user. If the user's role is AppManager, some of the rows in the table are displayed; for other roles they are not.

Data Model:
Order and OrderItem are two tables that share a master-child relationship.
The Order table contains the selling price of an item, whereas the OrderItem table holds the several price elements associated with that item.

In the OrderItem table there are multiple price elements, which include the Selling Price, Adjustments and Discounts offered, along with the original Cost and the Margin of the item sold. In this demo, we will display the COST and MARGIN records of the lines table only to a user who is associated with the AppManager role.

ADF BC:
Created Entity Objects and View Objects on both tables. Created a View Link between the two VOs and included them in the Application Module (SecureAM).

Authentication of Application:
Configured security for the application by enabling authentication and authorization. Created two users, manager and supplier, along with two roles, AppManager and AppSupplier. Assigned the AppManager role to manager and the AppSupplier role to supplier.

Created a page EoSecured.jspx with a master form and a detail table. Granted view rights to both roles in jazn-data.xml.

From the screenshots it can be observed that the same data is displayed for both users. The required functionality, however, is that only the AppManager should be able to see the records of price element type COST and MARGIN; other roles should not see these records. In other words, row-level security needs to be implemented to achieve this.

Secure Access to the entire EO:
Enable security on the OrderItemEO. For this demo, we have enabled security on the "read" operation of the OrderItemEO.

Select the EO in the Structure pane, right-click it and choose Edit Authorization. Grant privileges to both roles to view the data.

Configure adf-config.xml for Row Level Security:
Configure the adf-config.xml file for row-level security. Add a dataSecurityProviderClass to this file to handle all the Entity Objects that have security configured. This class should extend AbstractDataSecurityProviderImpl.

AbstractDataSecurityProviderImpl in turn implements the interface DataSecurityProvider, which has two methods, "checkPrivilege" and "getPrivilegeFilterWhereClause".

The checkPrivilege method verifies the row-instance privileges while a row is being updated or deleted. The getPrivilegeFilterWhereClause method returns the WHERE clause used for the read restriction. The row-level security is implemented in this data security provider.
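As an added example (not the post's own code), the following provider implements the rule described above: non-managers get the WHERE clause ELEMENT_TYPE NOT IN ('COST','MARGIN') appended to the read query, and checkPrivilege denies them updates or deletes on those rows so that the restriction also holds on the write path. The package and class name, the attribute name ElementType (mapped to the ELEMENT_TYPE column) and the exact method signatures are assumptions; verify the signatures against the DataSecurityProvider Javadoc of your ADF release.

```java
package demo.security; // assumed package; register the class as dataSecurityProviderClass in adf-config.xml

import oracle.adf.share.ADFContext;
import oracle.adf.share.security.SecurityContext;
import oracle.jbo.Row;
import oracle.jbo.ViewObject;
import oracle.jbo.server.security.AbstractDataSecurityProviderImpl;

/** Hides COST and MARGIN price elements from every user who is not an AppManager. */
public class OrderItemSecurityProvider extends AbstractDataSecurityProviderImpl {

    private static final String MANAGER_ROLE = "AppManager";
    // Assumed EO/VO attribute name backing the ELEMENT_TYPE column.
    private static final String ELEMENT_TYPE_ATTR = "ElementType";
    // Constant fragment: no user-controlled text is concatenated, so there is no injection surface.
    private static final String RESTRICTED_CLAUSE = "ELEMENT_TYPE NOT IN ('COST','MARGIN')";

    private boolean isManager() {
        SecurityContext sc = ADFContext.getCurrent().getSecurityContext();
        return sc != null && sc.isUserInRole(MANAGER_ROLE);
    }

    private boolean isRestrictedRow(Row row) {
        Object type = row.getAttribute(ELEMENT_TYPE_ATTR);
        return "COST".equals(type) || "MARGIN".equals(type);
    }

    /** Read restriction: the WHERE fragment ADF appends to the VO query, or null for no filter. */
    @Override
    public String getPrivilegeFilterWhereClause(ViewObject vo, String privilegeToCheck) {
        // Only a VO that exposes ELEMENT_TYPE is filtered; other secured EOs are left alone.
        if (vo.findAttributeDef(ELEMENT_TYPE_ATTR) == null || isManager()) {
            return null;
        }
        return RESTRICTED_CLAUSE;
    }

    /** Row-instance check on update/delete: non-managers may not touch COST or MARGIN rows. */
    @Override
    public boolean checkPrivilege(ViewObject vo, Row row, String privilegeToCheck) {
        if (row == null || vo.findAttributeDef(ELEMENT_TYPE_ATTR) == null) {
            return true; // not an OrderItem row, nothing to restrict here
        }
        return isManager() || !isRestrictedRow(row);
    }
}
```

Because the filter is derived from the server-side role and not from anything the client sends, a user cannot widen the result set by tampering with requests; if the class is not picked up at all, no filter is applied, so test with the AppSupplier user after every configuration change.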

After this setup, when a user without the manager role logs in to the application, a dynamic WHERE clause is built around the SQL that retrieves the data, so the COST and MARGIN records are not fetched.

Following are the screenshots of the test cases after implementing row-level security in the middle tier:

5 comments:

  1. Hi,

    ELEMENT_TYPE NOT IN(C1,C2);
    Can it be used in a ViewCriteria clause? This sounds like a no.
    Or can it be added as a ViewObject where clause?

    --
    Harsha

    1. Element_type not in (c1,c2) will be applied as a where clause to the query of the View object. We can't use ViewCriteria here.
  2. Hi Sai,
    I am using JDeveloper 12.2.1 and tried exactly what you said. But it's not working for me. There is no error either. I added the class name in adf-config.xml. But I also tried tweaking it and gave it a wrong class name just to test it. It still gives me no error. Now I feel that the jaasSecurity is not picking up the class I am providing as "dataSecurityProviderClass". Any clue?