This article introduces metadata security pre-filtering. Metadata pre-filtering is a process in which information is filtered at the metadata level by organization, user, role and so on. This allows you to have row-level data security (RLS).
For example, most of your company's members can access the database through the ad hoc UI and its drag-and-drop interface, but only a few should have access to the revenue column. This process is useful when you want to selectively show or hide certain tables or columns for selected organizations, roles or users.
There are two ways to apply metadata security pre-filtering conditions:
- Front End Level
- Back End Level
The Helical Insight application is available in two versions:
- Enterprise version, which supports UI-driven data security. For more details visit This Blog
- Community version
The Enterprise version has a UI for applying metadata security pre-filtering conditions. The Community version has no such UI, so the conditions are applied through the back-end approach instead. The rest of this article covers applying metadata security pre-filtering conditions through the back end.
When a metadata is shared with an organization or user, or with another organization, the owner usually has questions such as how to limit the data shared with other users or organizations, how to hide sensitive fields of a database, how to show only the relevant tables to a user, and so on. All of this is possible in Helical Insight. At the metadata level, a user can apply pre-filters so that whenever a metadata is shared with any user or organization, the recipient gets only selective access to the tables, columns and data of the database.
The levels at which pre-filters / security filters can be applied are:
- Organization (single / multiple)
- User (single / multiple)
- Role (single / multiple)
- Profile (single / multiple)
For a database, the levels at which pre-filters / security filters can be applied are:
- Table
- Column
- Data
Application
Let us understand how to apply a filter at the metadata level. The steps are as follows:
1. Identify the metadata which is to be shared.
2. Open the “filename.metadata” file.
The .metadata file consists of details such as:
- Connection details
- File details
- Database details
- Table details
- Column details
- Relationship details
- Sharing details
- Security details
and so on…
3. There can be various conditions under which the metadata has to be shared, such as:
- sharing with another user
- sharing with a role
- sharing with a profile
- sharing with other organization
For this, an expression has to be added to the .metadata file. Open the .metadata file on the server using any editor, such as Notepad++. Suppose you want to hide a column of a shared metadata from another user; the expression is then written as follows:
<access>
  <expression id="1" type="conditionIf" expressionType="column"
              on="Travel.Journey_Details.Destination" accessType="deny">
    <!-- user level sharing -->
    <condition>
      ${user}.name = 'user1'
    </condition>
  </expression>
</access>
type: by default the value is set to “conditionIf”, which means the expression in the <condition> tag evaluates to either true or false, and the security is applied depending on the result.
expressionType: this defines which data the condition applies to. It can be column or table.
accessType: this tells whether to show or hide the respective table / column / data by setting the value to “grant” or “deny”. “deny” hides the column, whereas “grant” displays it.
${user}.name = 'user1': this condition states that the user's name must match the given name, which is 'user1'.
When user1 logs in and uses the shared metadata, user1 will not be able to access the 'Destination' column, whereas other users will have access to this column.
You can add multiple columns in the same expression by separating them with commas.
If you would like to restrict an entire table, use “Table” as the expression type and mention the table name.
4. Make the necessary changes in the metadata and save the file. Please note that the metadata file can be opened on the server using any editor, such as Notepad++.
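Because the back-end approach relies on hand-editing the file, it helps to check the saved `<access>` block before sharing the metadata. The Python script below is an added example, not part of the original article or of Helical Insight's own code: it lists which table or column each expression grants or denies and flags expressions that would not restrict anything as written. It assumes the `<access>` layout shown above and that multiple columns are comma-separated in the `on` attribute; the extra column names in the sample are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample: an <access> block in the shape shown in this article.
# Expression 2 is deliberately broken (bad accessType, blank condition).
SAMPLE = """<access>
  <expression id="1" type="conditionIf" expressionType="column"
      on="Travel.Journey_Details.Destination, Travel.Journey_Details.Cost"
      accessType="deny">
    <condition>${user}.name = 'user1'</condition>
  </expression>
  <expression id="2" type="conditionIf" expressionType="column"
      on="Travel.Journey_Details.Source" accessType="denied">
    <condition>  </condition>
  </expression>
</access>"""

def audit_access(xml_text):
    """Return (rules, problems) for the <expression> entries under <access>."""
    root = ET.fromstring(xml_text)
    access = root if root.tag == "access" else root.find(".//access")
    if access is None:
        return [], ["no <access> block found: no pre-filter is defined"]
    rules, problems = [], []
    for expr in access.iter("expression"):
        eid = expr.get("id", "?")
        kind = (expr.get("expressionType") or "").lower()
        access_type = (expr.get("accessType") or "").lower()
        # Assumption: several targets are comma-separated in the "on" attribute.
        targets = [t.strip() for t in (expr.get("on") or "").split(",") if t.strip()]
        condition = (expr.findtext("condition") or "").strip()
        found = []
        if kind not in ("column", "table"):
            found.append(f"expression {eid}: unexpected expressionType {kind!r}")
        if access_type not in ("grant", "deny"):
            found.append(f"expression {eid}: unexpected accessType {access_type!r}")
        if not targets:
            found.append(f"expression {eid}: empty 'on' attribute")
        if not condition:
            found.append(f"expression {eid}: empty <condition>")
        if found:
            problems.extend(found)
            continue  # do not report a broken expression as an effective rule
        rules.extend((t, kind, access_type, condition) for t in targets)
    return rules, problems

if __name__ == "__main__":
    rules, problems = audit_access(SAMPLE)
    for r in rules:
        print("rule:", r)
    for p in problems:
        print("CHECK:", p)
```

Run it against a copy of the edited .metadata content; any line printed with `CHECK:` points to an expression that should be reviewed before the metadata is shared.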
For further assistance, kindly contact us on support@helicalinsight.com or post your queries at forum.helicalinsight.com