Dynamic Data Service provides table-level, row-level, and column-level security. All the end points are protected with basic authentication and role-based authorization.
Role-based authorization is provided through three roles and three corresponding security groups.
Roles:
AdminRole - Users with this role have access to all the functions of the DDS app. They can also set up the security permissions for other users.
OperatorRole - Users with this role can read, write, and modify content in the schemas and tables. However, they do not have access to the admin functions and cannot set up security permissions.
MonitorRole - Users with this role can only read the data from schemas and tables. They also do not have access to security setup functions.
Groups:
DdsAdminGroup - Users that belong to this group can perform all operations.
DdsOperatorGroup - Users that belong to this group can perform all operations except security setup.
DdsMonitorGroup - Users that belong to this group can perform read-only operations only.
The following table lists all the functions which can be performed by the roles and groups mentioned above.
Table 4-1 Functions Performed by Roles and Groups
Role Name | Admin Role | Operator Role | Monitor Role |
---|---|---|---|
Group Name | DdsAdminGroup | DdsOperatorGroup | DdsMonitorGroup |
Create Access Level | Yes | No | No |
Delete Access Level | Yes | No | No |
Create Security Group | Yes | No | No |
Delete Security Group | Yes | No | No |
Create Table Level Security | Yes | No | No |
Delete Table Level Security | Yes | No | No |
View Table Definition | Yes | Yes | Yes |
Create Queries | Yes | Yes | Yes |
Run Queries | Yes | Yes | Yes |
View Table Data | Yes | Yes | Yes |
Modify Table Data | Yes | Yes | No |
Delete Table Data | Yes | Yes | No |
Bulk Update Table Data | Yes | Yes | No |
Access Level defines security permissions.
Here are the permissions that can be associated with an access level.
DataReadPermission
DataCreatePermission
DataUpdatePermission
DataDeletePermission
RowAccessPermission
ColumnAccessPermission
DataSecuritySetupPermission
The following access levels are created when default security is set up using the end point (/resources/admin/security/setup/{schemaName}).
DdsAdminAccessLevel - Provides all permissions
DdsOperatorAccessLevel - Provides all permissions except DataSecuritySetupPermission
DdsMonitorAccessLevel - Provides DataReadPermission, RowAccessPermission and ColumnAccessPermission
Table level security defines who can access a table and with which set of allowed permissions. A table cannot be accessed if table level security is not set up for it.
Table level security is associated with the following information.
Schema Name
Table Name
Security Group - Defines who can access the table
Access Level - Defines the permissions
Table level securities are set up for all tables when default security is set up using the end point. Every table is set up to be accessed by users in all security groups with default permissions.
Example
Table - DdsAdminGroup, DdsAdminAccessLevel
Table - DdsOperatorGroup, DdsOperatorAccessLevel
Table - DdsMonitorGroup, DdsMonitorAccessLevel
Column level security defines who can access a column and with which permission. By default, Dynamic Data Service allows access to a column if the user has access to the table.
Column level security is defined using the following information.
Column Name
Column Permission Type - Valid values are ALLOW, DONT_ALLOW, MASK
Table Level Security
Row level security defines who can access row(s) in a table. Row level security can be enabled if the table has user and group columns.
Row level security is defined using the following information.
EnableRowAccess
UserColumnName
GroupColumnName
TableLevelSecurity
Follow these steps to set up security. Users will not be able to access any data until security is set up. Only users that belong to the DdsAdminGroup can set up security.
Run the end point (/resources/admin/security/config) to create security configuration for the schema.
{ "schemaName":"schema", "enableSecurity":"true", "tableLevelSecurityType":"WHITELIST", "columnLevelSecurityType":"BLACKLIST" }
Run default security setup end point (/resources/admin/security/setup/{schemaName}) to set up default security for all tables.
If the default security setup is not sufficient, use the Dynamic Data Service UI to set up the access levels, security groups, and table level securities.
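The table, column and row rules described above, combined with the WHITELIST and BLACKLIST types from the security configuration, can be modeled as follows. This is an added example, not Dynamic Data Service code: the data structures, the `****` mask value, the `CUSTOMER` table and its users, and the rule that a row is visible to its owning user or group are assumptions.

```python
# Added model of the rules on this page, not DDS code. Data shapes, the mask
# value and the row-matching rule are assumptions made for illustration.
ALL = {"DataReadPermission", "DataCreatePermission", "DataUpdatePermission",
       "DataDeletePermission", "RowAccessPermission", "ColumnAccessPermission",
       "DataSecuritySetupPermission"}
ACCESS_LEVELS = {  # default access levels as listed on the page
    "DdsAdminAccessLevel": ALL,
    "DdsOperatorAccessLevel": ALL - {"DataSecuritySetupPermission"},
    "DdsMonitorAccessLevel": {"DataReadPermission", "RowAccessPermission",
                              "ColumnAccessPermission"},
}

def read_table(user, group, table, rows, table_sec, col_sec=None, row_sec=None):
    """Return the view of `rows` that `user` in `group` may read."""
    key = (table, group)  # stands in for one table level security entry
    # WHITELIST: no table level security entry means no access at all.
    level = table_sec.get(key)
    if level is None or "DataReadPermission" not in ACCESS_LEVELS[level]:
        raise PermissionError(f"{group} cannot read {table}")
    rule = (row_sec or {}).get(key, {})
    if rule.get("EnableRowAccess"):
        # Assumed semantics: a row is visible to its owning user or group.
        rows = [r for r in rows if r[rule["UserColumnName"]] == user
                or r[rule["GroupColumnName"]] == group]
    cols = (col_sec or {}).get(key, {})
    view = []
    for row in rows:
        out = {}
        for name, value in row.items():
            kind = cols.get(name, "ALLOW")  # BLACKLIST: unlisted columns pass
            if kind == "ALLOW":
                out[name] = value
            elif kind == "MASK":
                out[name] = "****"  # assumed mask rendering
            # DONT_ALLOW: the column is omitted from the result
        view.append(out)
    return view

# Constructed sample data (hypothetical CUSTOMER table and users).
ROWS = [{"id": 1, "owner": "alice", "team": "DdsOperatorGroup", "ssn": "111-22-3333"},
        {"id": 2, "owner": "bob", "team": "DdsMonitorGroup", "ssn": "444-55-6666"}]
TABLE_SEC = {("CUSTOMER", "DdsAdminGroup"): "DdsAdminAccessLevel",
             ("CUSTOMER", "DdsMonitorGroup"): "DdsMonitorAccessLevel"}
COL_SEC = {("CUSTOMER", "DdsMonitorGroup"): {"ssn": "MASK", "owner": "DONT_ALLOW"}}
ROW_SEC = {("CUSTOMER", "DdsMonitorGroup"): {"EnableRowAccess": True,
           "UserColumnName": "owner", "GroupColumnName": "team"}}

if __name__ == "__main__":
    print(read_table("carol", "DdsMonitorGroup", "CUSTOMER", ROWS,
                     TABLE_SEC, COL_SEC, ROW_SEC))
```

In the sample data DdsOperatorGroup has no table level security entry for the table, so the whitelist check rejects it even though the group exists.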
Dynamic Data Service finds data sources with the JNDI name that starts with "jdbc" by default. The following system option can be used to provide a different JNDI Name pattern.
dataSourcePattern
The system option can be set up using the end point (/resources/system-setting/system-options).