oracle.apps.fnd.applcore.dataSecurity.util
Class FNDEcsfSecurityPlugin
java.lang.Object
oracle.ecsf.impl.DefaultSearchPlugin
oracle.apps.fnd.applcore.dataSecurity.util.FNDEcsfSecurityPlugin
- All Implemented Interfaces:
- oracle.ecsf.Securable
public class FNDEcsfSecurityPlugin
- extends oracle.ecsf.impl.DefaultSearchPlugin
This class serves as a bridge that allows ApplCore Grants-based data security
rules defined in the transactional system to be applied to the ECSF/SES framework
for the search feature. The search feature in Applications is implemented using
ECSF/SES. Search VOs are defined in ECSF. This plugin can
be used as the Security Plugin in ECSF for a Search VO.
In SES, documents are secured with ACLs at the searchable object level.
For example, each invoice is formed as a document to be stored and
indexed by SES with one or more ACLs. At query time, for a given user,
a set of keys for each ACL must match the ACLs of a document in order
for the document to show in the results. While there are significant
differences in how security rules are enforced between SES and the database
that ApplCore Data Security operates on, there are many cases where rules defined
in Data Security can be mapped to SES, and hence used to secure searchable objects in SES.
The ApplCore SES security plug-in is meant to enforce those rules
and help Applications streamline their security plugin development for Search.
The following is the high-level feature list that will be supported by the ApplCore plugin.
A searchable object is secured by:
1. creator or owner - this rule means whoever creates the record can view the record
   - by extending this ApplCore security plugin, managers of the creator/owner can view records created/owned by their directs.
2. MOAC - this rule means a person can view the document based on the list of Organization Units he has access to for a given privilege.
3. static filters - this rule means any data set that can be defined via a simple static filter, for example, amount < 50000
The plugin can be used only where the Data Security rules are defined in the form
of Filters. If the security rules are defined as SQL Predicates, they are ignored by the plugin.
The filter must be static (no dynamic context, except for the currentUserGuid expression).
In the case of MOAC, the data security rules may be in the form of SQL Predicates or Filters. The filters
may be static or dynamic. This is handled as a special case. There are no restrictions for the MOAC use case.
The plugin implements two key methods, getAcl() and getSecurityKeys(), to generate
the ACLs and keys. These methods handle the scenarios
mentioned above. If your scenario does not fit into these patterns, you will have to implement
a custom security plugin.
The plugin also has a protected method to get the managers of the creator/owner of the document.
The default implementation returns null. If you want managers of the creator/owner
to be able to view the document, you should override the method getUserManagers() in this class.
See http://aseng-wiki.us.oracle.com/asengwiki/display/ATG/ECSF+Data+Security+Plugin
for more details about the plugin.
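As an added illustration (not Oracle's code and not part of the original Javadoc), the following self-contained Java model shows the ACL/key matching described above and why the default null result of getUserManagers() leaves managers unable to see their directs' documents. The `USER:`/`ORG:` entry format, the GUIDs, the org unit names and the any-match visibility rule are assumptions made for the example; static filters are not modeled.

```java
import java.util.*;

/** Simplified model of index-time ACLs vs. query-time keys (illustrative, not Oracle code). */
public class AclKeyModel {
    // Constructed sample data: creator GUID -> manager GUIDs, user GUID -> accessible org units.
    static final Map<String, List<String>> MANAGERS = Map.of("guid-alice", List.of("guid-bob"));
    static final Map<String, List<String>> USER_ORGS = Map.of("guid-carol", List.of("OU-204"));

    /** Models the default getUserManagers(): null, so managers get no ACL entry. */
    static List<String> defaultManagers(String creatorGuid) { return null; }

    /** Models an overriding getUserManagers() backed by a hypothetical hierarchy lookup. */
    static List<String> hierarchyManagers(String creatorGuid) {
        return MANAGERS.getOrDefault(creatorGuid, List.of());
    }

    /** Index time: ACL entries stored with the document (creator, managers, org unit). */
    static Set<String> buildAcl(String creatorGuid, String orgUnit, boolean useOverride) {
        Set<String> acl = new LinkedHashSet<>();
        acl.add("USER:" + creatorGuid);
        List<String> mgrs = useOverride ? hierarchyManagers(creatorGuid) : defaultManagers(creatorGuid);
        if (mgrs != null) {                 // null must mean "nobody extra", never "everybody"
            for (String m : mgrs) acl.add("USER:" + m);
        }
        acl.add("ORG:" + orgUnit);
        return acl;
    }

    /** Query time: keys derived for the searching user (own GUID plus accessible org units). */
    static Set<String> buildKeys(String userGuid) {
        Set<String> keys = new LinkedHashSet<>();
        keys.add("USER:" + userGuid);
        for (String ou : USER_ORGS.getOrDefault(userGuid, List.of())) keys.add("ORG:" + ou);
        return keys;
    }

    /** Assumed matching rule: the document is visible if any key equals any ACL entry. */
    static boolean visible(Set<String> acl, Set<String> keys) {
        return !Collections.disjoint(acl, keys);
    }

    public static void main(String[] args) {
        Set<String> plain = buildAcl("guid-alice", "OU-101", false);
        Set<String> extended = buildAcl("guid-alice", "OU-101", true);
        System.out.println("creator:           " + visible(plain, buildKeys("guid-alice")));
        System.out.println("manager, default:  " + visible(plain, buildKeys("guid-bob")));
        System.out.println("manager, override: " + visible(extended, buildKeys("guid-bob")));
        System.out.println("other org unit:    " + visible(extended, buildKeys("guid-carol")));
    }
}
```

Because the manager entries are written into the ACL at index time in this model, documents indexed before the override was in place would keep their old ACLs until they are indexed again.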
Fields inherited from interface oracle.ecsf.Securable
RCS_ID, RCS_ID_RECORDED
Method Summary
protected void gatherOrgAcl(oracle.ecsf.SearchContext ctx, oracle.ecsf.IndexableDocument indexableDocument, java.util.Vector acls)
protected void gatherOrgKeys(oracle.ecsf.SearchContext ctx, DataSecurityAMImpl dam, java.util.Vector keys)
java.lang.String[] getAcl(oracle.ecsf.SearchContext ctx, oracle.ecsf.IndexableDocument indexableDocument)
java.lang.String[] getSecurityKeys(oracle.ecsf.SearchContext ctx)
protected java.util.Vector<java.lang.String> getUserManagers(oracle.ecsf.SearchContext ctx, oracle.ecsf.IndexableDocument indexableDocument, DataSecurityAMImpl dam, java.lang.String userGuid)
Methods inherited from class oracle.ecsf.impl.DefaultSearchPlugin
getSecurableParams, getSecureAttrAcl, getSecureAttrKeys, isAclEnabled
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
FNDEcsfSecurityPlugin
public FNDEcsfSecurityPlugin()
getAcl
public java.lang.String[] getAcl(oracle.ecsf.SearchContext ctx,
oracle.ecsf.IndexableDocument indexableDocument)
- Specified by:
getAcl
in interface oracle.ecsf.Securable
- Overrides:
getAcl
in class oracle.ecsf.impl.DefaultSearchPlugin
gatherOrgAcl
protected void gatherOrgAcl(oracle.ecsf.SearchContext ctx,
oracle.ecsf.IndexableDocument indexableDocument,
java.util.Vector acls)
gatherOrgKeys
protected void gatherOrgKeys(oracle.ecsf.SearchContext ctx,
DataSecurityAMImpl dam,
java.util.Vector keys)
getSecurityKeys
public java.lang.String[] getSecurityKeys(oracle.ecsf.SearchContext ctx)
- Specified by:
getSecurityKeys
in interface oracle.ecsf.Securable
- Overrides:
getSecurityKeys
in class oracle.ecsf.impl.DefaultSearchPlugin
getUserManagers
protected java.util.Vector<java.lang.String> getUserManagers(oracle.ecsf.SearchContext ctx,
oracle.ecsf.IndexableDocument indexableDocument,
DataSecurityAMImpl dam,
java.lang.String userGuid)
Copyright © 2011 Oracle. All Rights Reserved.