Concepts Guide


Securing Enterprise Data

This chapter discusses AquaLogic Data Services Platform security features. It covers the following topics:

 


Ensuring Data Security

Integrating enterprise data with AquaLogic Data Services Platform does not require any compromise in the security of sensitive information. Because different data has different security requirements, the ability to apply access control policies to data items is essential. Not all users who need access to general customer information, for example, should have access to sensitive information such as credit card numbers.

Like other components of the WebLogic Platform, AquaLogic Data Services Platform supports role-based security authorization. Authorization involves granting a user (either individually or as a member of a group or security role) permission to access resources provided by an AquaLogic Data Services Platform deployment.

The WebLogic Platform provides the security framework that handles authorization based upon information in the context of the user request. By default, AquaLogic Data Services Platform uses the WebLogic Authorization provider for authorization. If desired, other modules, including third-party authorization modules, can be used as well.

Security policies are enforced no matter how the client attempts to access a resource, whether through the Mediator API, the Data Service control API, JDBC, or a web service.

 


Securing AquaLogic Data Services Platform Resources

AquaLogic Data Services Platform enables you to secure resources at a range of granularity levels, from the application level to the level of individual data elements.

Specifically, securable resources in AquaLogic Data Services Platform include:

You can specify security policies that control access to the AquaLogic Data Services Console itself. The policies determine who can access particular pages in the console by their functional category, whether administration-based (for configuration and monitoring pages) or informational (for data service metadata pages).

 


Understanding Security Policies

A security policy determines whether a user can access an AquaLogic Data Services Platform resource. With the WebLogic Authorization module, you can create policies based upon the user's identity, the user's group or role affiliation, time of day, development mode of the server, or any combination of these. Access policies can be used individually or together so that you can apply security in the manner that best matches your needs.

You can create a data-driven policy in the AquaLogic Data Services Platform Console as an XQuery function. The function can perform any evaluation and processing steps desired, given the identity of the user making the request and the value of the requested data. The function returns true to permit access or false to block it.
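A data-driven policy of the kind described above, sketched in standard XQuery 1.0 as an added example; it is not code from the product documentation. The ORDER and TotalAmount elements, the OrderAuditor role, the 1000 limit and the $caller-roles parameter are assumptions, since this page does not show how the platform hands the caller's identity to the function.

```xquery
xquery version "1.0";

(: Added example. Element names, role name and limit are constructed. :)
(: $caller-roles is a stand-in parameter for the identity of the requesting user. :)

declare variable $limit as xs:decimal := 1000;

declare function local:can-read-order(
    $caller-roles as xs:string*,
    $order as element(ORDER)
) as xs:boolean {
    let $amount := $order/TotalAmount
    return
        (: A privileged role may read every order, whatever its value. :)
        if ($caller-roles = "OrderAuditor") then fn:true()
        (: Fail closed: a missing or repeated value cannot be evaluated, so deny. :)
        else if (fn:count($amount) ne 1) then fn:false()
        (: Fail closed: a value that is not a decimal cannot be compared, so deny. :)
        else if (fn:not($amount castable as xs:decimal)) then fn:false()
        (: Data-driven rule: other callers see only orders below the limit. :)
        else xs:decimal($amount) lt $limit
};

(: Constructed sample data: a small order, a large order, a malformed value, a missing value. :)
let $orders := (
    <ORDER id="1"><TotalAmount>250.00</TotalAmount></ORDER>,
    <ORDER id="2"><TotalAmount>98000</TotalAmount></ORDER>,
    <ORDER id="3"><TotalAmount>n/a</TotalAmount></ORDER>,
    <ORDER id="4"/>
)
for $role in ("Clerk", "OrderAuditor")
for $o in $orders
return
    <decision role="{$role}" order="{$o/@id}"
              allow="{local:can-read-order($role, $o)}"/>
```

The nested if/else form is deliberate: XQuery does not guarantee evaluation order for `and`/`or`, so each guard is a separate branch and the function denies access before it ever tries to cast a bad value.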

