IFS Row Level Security¶
IFS Row level security means that the security access rights is not only set on specific windows or specific functions. It means that you can specify what data the user is allowed to view and operate on. The IFS Cloud Platform supports this functionality with a Security Check or Predifened IFS Row Level Security, but in other cases row level security must be constructed in each entity where this is needed.
Add IFS Row Level Security in a Business Component¶
The data a user can operate on is restricted to the data the user can query from the views. The IFS row level security filter should be built into the views so only the data the user should have access to is returned.
Example 1:
@Override
VIEW User_Quick_Report IS
WHERE OWNER = Fnd_Session_Api.Get_Fnd_User();
The view adds the restriction that you can only see Quick Reports where you are the owner.
Example 2:
VIEW Operation_History_Cost IS
SELECT order_no order_no,
contract contract,
machine_cost machine_cost,
objversion objversion
FROM OPERATION_HISTORY_COST
WHERE site IN (SELECT site FROM user_allowed_site_pub p WHERE p.site = site);
This view adds a restriction to only show data based on a setup made in another entity, in this case UserAllowedSite. The UserAllowedSite entity defines which sites a user should be able to query data from. An administrator with access to the UserAllowedSite registration window can manage what data other users can see in all views where a condition like WHERE site IN (SELECT site FROM user_allowed_site_pub p WHERE p.site = site)
is added.
Predefined IFS Row Level Security Filters¶
In IFS Cloud there are some predefined filters for row level security that can be applied to a view by setting a property in the entity model. The existing IFS row level security filters are listed in the modeling reference documentation DbRowLevelSecurity.
Example 3:
attributes {
parentkey Company TEXT(20)/UPPERCASE PMI-- {
DbRowLevelSecurity "company-basic,company-views";
}
key AccountingYear NUMBER KMI-L;
key AccountingPeriod NUMBER KMI-L;
private Description TEXT(100) AMIU-;
}
Two row level security filters are added to the base view for the entity.
Security Check Annotation¶
The @SecurityCheck annotation can be used to enforce security checks related to application business logic. This could be used to verify whether the current user has the rights to modify data related to a particular company or select data from other views than the base view.
Anywhere data should be filtered based on who is querying you should add a where statement in the view, if the Framework services from above could not be used.
Permission Set Filter¶
An administrator can configure custom row level filters. This is not a development step. Instead you can do this in Solution Manager on a specific permission set. But this only applies to activities which is mainly used in integrations with other applications.
Mark Database Views as IFS Row Level Security Safe¶
In order to expose the database views through IFS Cloud, it is expected that the views are IFS Row Level Security Safe. In other words, if a database view is marked as IFS row level security safe, those views can be exposed through IFS Cloud, especially in areas such as configurations.
Note: To learn more about adding row level security for Entities check the Entity development page.
To manually mark a view as row level secured, use the codegen property DbViewRowLevelSecurity
or the annotation @DbViewRowLevelSecurity
accordingly.
- When IFS row level security is implemented in a custom manner, those views should be marked explicitly, with the meaning that IFS Row Level Security is handled in a custom way in WHERE clause.
If it’s a base view use the codegen property DbViewRowLevelSecurity "custom-implemented"
in .entity file and if it’s a non-base view use the annotation @DbViewRowLevelSecurity CustomImplemented
in .views file as shown below.
codegenproperties {
DbViewRowLevelSecurity "custom-implemented";
}
@DbViewRowLevelSecurity CustomImplemented
VIEW Operation_History_Cost IS
- When IFS row level security in not needed or in other words if any user should be able to access the data without any restrictions, those views should be marked explicitly, with the meaning IFS Row Level Security is not needed.
If it’s a base view use the codegen property DbViewRowLevelSecurity "not-required"
in .entity file and if it’s a non-base view use the annotation @DbViewRowLevelSecurity NotRequired
in .views file as shown below.
codegenproperties {
DbViewRowLevelSecurity "not-required";
}
@DbViewRowLevelSecurity NotRequired
VIEW Approval_Type_Authority_ID_Lov IS
IFS Row Level Security Safe Views in IFS Dictionary¶
A Database view is considered as IFS Row Level Security safe in IFS Dictionary for views,
- Using any existing Predefined IFS Row Level Security Filters or Security Check annotation.
- Using the
DbViewRowLevelSecurity
codegen property. - Using
@DbViewRowLevelSecurity
annotation.
Code generator generates view and column comments for the above listed IFS Row Level Security related codegen properties, filters and annotations. This information is persisted in IFS Dictionary via Dictionary cache refresh.