Applying Multiple Data Policies
Table, or several different permission tables. Each Policy is applied in accordance with the settings under Applies to. In this example, a single Permission table is used.
Example
Given this sample Data table:
ComponentID | Cost | Technical Property | Project |
C_01 | 100 | 1.45 | A |
C_02 | 90 | 2.55 | A |
C_03 | 105 | 3.11 | A |
C_04 | 120 | 2.07 | B |
C_05 | 85 | 4.02 | B |
C_06 | 40 | 2.07 | B |
And this sample Permission Table:
project | group | user |
A | Finance | Peter |
B | Finance | Paula |
A | Engineering | Mary |
B | Engineering | John |
A | ManagerEngineering | |
B | ManagerEngineering | |
A | ManagerFinance | |
B | ManagerFinance | |
A | Executive | |
B | Executive | |
The following five Data Policies are applied to the Data Table:
Data Policy Name | Join | Applies To | Expression | Exclude Columns |
Finance | Data.Project = Permissions.project | Groups: Finance | USERNAME_IS([user]) | Technical Property |
Engineering | Data.Project = Permissions.project | Groups: Engineering | USERNAME_IS([user]) | Cost |
ManagerFinance | Data.Project = Permissions.project | Groups: ManagerFinance | USER_MEMBER_OF([group]) | Technical Property |
ManagerEngineering | Data.Project = Permissions.project | Groups: ManagerEngineering | USER_MEMBER_OF([group]) | Cost |
Executive | Data.Project = Permissions.project | Groups: Executive | USER_MEMBER_OF([group]) | |
The result achieved by the combination of these Data Policies is the following:
- A user who is not a member of any of the groups to which the policies apply will see no part of the data
- Peter: Can see Project A, but cannot see Technical Property column values
- Paula: Can see Project B, but cannot see Technical Property column values
- Mary: Can see Project A, but cannot see Cost column values
- John: Can see Project B, but cannot see Cost column values
- Carlos: Is a member of the group (has the role) ManagerEngineering, and he can see both Project A and B, but cannot see Cost column values
- Mei: Is a member of the group (has the role) ManagerFinance, and she can see both Project A and B, but cannot see Technical Property column values
- Jim: Is a member of the group (has the role) Executive, and he can see Project A and B, and can see all columns
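As an added example that is not part of the original page, the following Python model replays the five Data Policies above against the two sample tables and reproduces the per-user results listed. The rule it uses to combine policies (a row is visible if any applying policy admits it; a column is hidden if any applying policy excludes it) is an assumption of this model for the single-group users on this page, not the product's documented algorithm.

```python
# Model of the five Data Policies above. Tables are the page's sample tables;
# the combination rule (union of admitted rows, union of excluded columns)
# is an assumption of this model, not the product's documented behaviour.

DATA = [  # sample Data table from the page
    {"ComponentID": "C_01", "Cost": 100, "Technical Property": 1.45, "Project": "A"},
    {"ComponentID": "C_02", "Cost": 90, "Technical Property": 2.55, "Project": "A"},
    {"ComponentID": "C_03", "Cost": 105, "Technical Property": 3.11, "Project": "A"},
    {"ComponentID": "C_04", "Cost": 120, "Technical Property": 2.07, "Project": "B"},
    {"ComponentID": "C_05", "Cost": 85, "Technical Property": 4.02, "Project": "B"},
    {"ComponentID": "C_06", "Cost": 40, "Technical Property": 2.07, "Project": "B"},
]
PERMISSIONS = [  # sample Permission table: (project, group, user); "" = blank cell
    ("A", "Finance", "Peter"), ("B", "Finance", "Paula"),
    ("A", "Engineering", "Mary"), ("B", "Engineering", "John"),
    ("A", "ManagerEngineering", ""), ("B", "ManagerEngineering", ""),
    ("A", "ManagerFinance", ""), ("B", "ManagerFinance", ""),
    ("A", "Executive", ""), ("B", "Executive", ""),
]
# (Applies To group, Expression, Exclude Columns or None); the Join is always
# Data.Project = Permissions.project, so admitted permission rows yield projects.
POLICIES = [
    ("Finance", "USERNAME_IS", "Technical Property"),
    ("Engineering", "USERNAME_IS", "Cost"),
    ("ManagerFinance", "USER_MEMBER_OF", "Technical Property"),
    ("ManagerEngineering", "USER_MEMBER_OF", "Cost"),
    ("Executive", "USER_MEMBER_OF", None),
]

def permission_row_admitted(expr, perm, username, roles):
    """Evaluate the policy Expression against one Permission table row."""
    _project, group, user = perm
    if expr == "USERNAME_IS":       # USERNAME_IS([user])
        return user == username
    return group in roles           # USER_MEMBER_OF([group])

def visible(username, roles):
    """Return (visible ComponentIDs, visible column names) for this user."""
    projects, hidden = set(), set()
    for group, expr, excluded in POLICIES:
        if group not in roles:      # Applies To: policy is skipped for this user
            continue
        for perm in PERMISSIONS:
            if permission_row_admitted(expr, perm, username, roles):
                projects.add(perm[0])   # join key Data.Project = Permissions.project
        if excluded:
            hidden.add(excluded)
    rows = [r["ComponentID"] for r in DATA if r["Project"] in projects]
    cols = [c for c in DATA[0] if c not in hidden]
    return rows, cols
```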
To test the above scenario, the following users and roles can be added to tomcat-users.xml (provided that UserDatabaseRealm is in use on Tomcat):
<user username="Peter" password="1" roles="viewer,Finance"/>
<user username="Paula" password="1" roles="viewer,Finance"/>
<user username="John" password="1" roles="viewer,Engineering"/>
<user username="Mary" password="1" roles="viewer,Engineering"/>
<user username="Carlos" password="1" roles="viewer,ManagerEngineering"/>
<user username="Mei" password="1" roles="viewer,ManagerFinance"/>
<user username="Jim" password="1" roles="viewer,Executive"/>
(c) 2013-2024 Altair Engineering Inc. All Rights Reserved.