Concepts Guide
This chapter discusses the security features of Liquid Data. It covers the following topics:
Integrating enterprise data with Liquid Data does not mean having to compromise the security of sensitive information. Because different data has different security requirements, the ability to apply access control policies to data items is essential. Not all users who need access to general customer information, for example, should have access to sensitive information such as credit card numbers.
Like other components of the WebLogic Platform, Liquid Data supports role-based security authorization. Authorization involves granting a user (either individually or as a member of a group or security role) permission to access resources provided by a Liquid Data deployment.
The WebLogic Platform provides the security framework that handles authorization based upon information in the context of the user request. By default, Liquid Data uses the WebLogic Authorization provider for authorization. If desired, other modules, including third-party authorization modules, can be used as well.
Security policies are enforced no matter how the client attempts to access a resource, whether through the Mediator API, the Liquid Data Control API, JDBC, or a web service.
Liquid Data enables you to secure resources at a range of granularity levels, from the application level to the level of individual data elements.
Specifically, securable resources in Liquid Data include:
If a given user does not meet the security condition defined for an individual element, the element is redacted from the final result; that is, the customer information is returned with the credit card item missing rather than the whole request being rejected. Element-level security applies across data service functions.
You can specify security policies that control access to the Liquid Data Console itself. The policies determine who can access particular pages in the console by their functional category, whether administration-based (for configuration and monitoring pages) or informational (for data service metadata pages).
A security policy determines whether a user can access a Liquid Data resource. With the WebLogic Authorization module, you can create policies based upon user identity, the user's group or role affiliation, time of day, development mode of the server, or any combination of these. Access policies can be used individually or together so that you can apply security in the manner that best matches your needs.
You can create a data-driven policy in the Liquid Data Console as an XQuery function. The function can perform any evaluation and processing steps desired, given the identity of the user making the request and the value of the requested data. The function returns true to permit access or false to block it.
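The following added example models the element-level, data-driven behaviour described above in Python; it is not Liquid Data's own API or XQuery code. A policy function receives the requesting user and the element's value and returns true or false, and any element whose policy denies access is removed from the result. The role names, element names, threshold and sample customer record are assumptions constructed for illustration.

```python
"""Model of element-level, data-driven access control: a policy receives the
requesting user and the element value and returns True to permit; elements
whose policy returns False are redacted (removed) from the result."""
from dataclasses import dataclass
import xml.etree.ElementTree as ET
from typing import Callable, Dict, List

@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset

# Policies take (user, element value) -> bool. Names and rules are assumed.
def card_policy(user: User, value: str) -> bool:
    return "billing" in user.roles            # identity-driven rule

def balance_policy(user: User, value: str) -> bool:
    # Data-driven rule: balances above the threshold are for managers only.
    return float(value) <= 10000 or "manager" in user.roles

ELEMENT_POLICIES: Dict[str, Callable[[User, str], bool]] = {
    "creditCard": card_policy,
    "balance": balance_policy,
}

def apply_element_security(xml_text: str, user: User,
                           policies=ELEMENT_POLICIES) -> ET.Element:
    """Return the parsed result with every denied element removed."""
    root = ET.fromstring(xml_text)
    for parent in list(root.iter()):          # snapshot: tree is edited below
        for child in list(parent):
            policy = policies.get(child.tag)
            if policy is None:
                continue
            try:
                allowed = bool(policy(user, child.text or ""))
            except Exception:
                allowed = False               # a failing policy fails closed
            if not allowed:
                parent.remove(child)          # redact: element absent from result
    return root

def visible_tags(root: ET.Element) -> List[str]:
    return [child.tag for child in root]

# Constructed sample output of a customer data-service function.
SAMPLE_CUSTOMER = """<customer>
  <id>1001</id><name>Ada Example</name>
  <creditCard>4111-0000-0000-0000</creditCard>
  <balance>25000.00</balance>
</customer>"""

if __name__ == "__main__":
    agent = User("alice", frozenset({"customer-service"}))
    print(ET.tostring(apply_element_security(SAMPLE_CUSTOMER, agent), encoding="unicode"))
```

Running the block as a script prints the record as a customer-service user sees it: id and name present, credit card and large balance absent.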