2. Manage Tenants
Make sure that the tenant group already exists:
A tenant group may contain multiple tenant definitions which all have the same business meaning but different technical representations. Therefore, a tenant expression is specified by discover rules which identify specific columns in various objects based on include and exclude patterns.
2.1. Adding a Tenant Discover Rule
Add a new rule using API_SCURTY.ADD_TENANT. Multiple rules may exist for the same group; the rules are combined by a logical ‘or’, while the search patterns within one rule are linked with an ‘and’. If more than one column in the same object is identified as a possible tenant column for this very group, the lower priority (p_tnt_match_prio) wins. If more than one column is identified as a possible tenant column within one rule, the first one in alphabetical order is taken. Rules are identified by the tenant name.
Inclusive patterns have to be set while the exclusive patterns are optional. Besides the search patterns the data type must match. Possible data types are ‘TEXT’, ‘BOOLEAN’ and ‘NUMBER’.
In the example case we will look for a column named ‘BDOMAIN’ of type ‘TEXT’ in all schemas starting with ‘PSV_TEST_’ and objects ending with ‘_TAB’.
Example
EXECUTE SCRIPT API_SCURTY.ADD_TENANT (
     'TEST_TENANT'       -- p_tnt_group
    ,'Tenant1_Test'      -- p_tnt_name
    ,1                   -- p_tnt_match_prio
    ,'Testing purposes'  -- p_tnt_desc
    ,'TEXT'              -- p_tnt_data_type
    ,'BDOMAIN'           -- p_tnt_col_incl_pattern
    ,null                -- p_tnt_col_excl_pattern
    ,'PSV_TEST_.*'       -- p_tnt_schema_incl_pattern
    ,null                -- p_tnt_schema_excl_pattern
    ,'.*_TAB'            -- p_tnt_object_incl_pattern
    ,null                -- p_tnt_object_excl_pattern
    ,'.*'                -- p_tnt_comment_incl_pattern
    ,null                -- p_tnt_comment_excl_pattern
);
The newly created tenant rule can be found in the table REP_TENANTS.
TNT_GROUP | TNT_NAME | TNT_MATCH_PRIO | TNT_DESC | TNT_DATA_TYPE | TNT_COL_INCL_PATTERN | TNT_COL_EXCL_PATTERN | SCHEMA_TNT_SCHEMA_INCL_PATTERN | TNT_SCHEMA_EXCL_PATTERN | TNT_OBJECT_INCL_PATTERN | TNT_OBJECT_EXCL_PATTERN | TNT_COMMENT_INCL_PATTERN | TNT_COMMENT_EXCL_PATTERN |
---|---|---|---|---|---|---|---|---|---|---|---|---|
TEST_TENANT | Tenant1_Test | 1 | Testing purposes | TEXT | BDOMAIN | (null) | PSV_TEST_.* | (null) | .*_TAB | (null) | .* | (null) |
2.2. Changing a Tenant Rule
A tenant rule can be changed using the script API_SCURTY.CHANGE_TENANT. Providing NULL leaves a parameter as is, while a blank (' ') restores the default value.
In the example below all schemas named ‘PSV_TEST_DR’ will not be taken into account.
Example
EXECUTE SCRIPT API_SCURTY.CHANGE_TENANT (
     'TEST_TENANT'       -- p_tnt_group
    ,'Tenant1_Test'      -- p_tnt_name
    ,null                -- p_tnt_match_prio
    ,null                -- p_tnt_desc
    ,null                -- p_tnt_data_type
    ,null                -- p_tnt_col_incl_pattern
    ,null                -- p_tnt_col_excl_pattern
    ,null                -- p_tnt_schema_incl_pattern
    ,'.*_DR'             -- p_tnt_schema_excl_pattern
    ,null                -- p_tnt_object_incl_pattern
    ,null                -- p_tnt_object_excl_pattern
    ,null                -- p_tnt_comment_incl_pattern
    ,null                -- p_tnt_comment_excl_pattern
);
The changes made using the call above can be seen in the table SCURTY.REP_TENANTS.
TNT_GROUP | TNT_NAME | TNT_MATCH_PRIO | TNT_DESC | TNT_DATA_TYPE | TNT_COL_INCL_PATTERN | TNT_COL_EXCL_PATTERN | SCHEMA_TNT_SCHEMA_INCL_PATTERN | TNT_SCHEMA_EXCL_PATTERN | TNT_OBJECT_INCL_PATTERN | TNT_OBJECT_EXCL_PATTERN | TNT_COMMENT_INCL_PATTERN | TNT_COMMENT_EXCL_PATTERN |
---|---|---|---|---|---|---|---|---|---|---|---|---|
TEST_TENANT | Tenant1_Test | 1 | Testing purposes | TEXT | BDOMAIN | (null) | PSV_TEST_.* | .*_DR | .*_TAB | (null) | .* | (null) |
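The matching semantics from sections 2.1 and 2.2 can be previewed offline before a rule is deployed. The following Python model is an added example, not part of the framework: it assumes patterns must match the whole name, that a NULL comment counts as an empty string, and it uses a constructed catalog plus a hypothetical second rule ‘Tenant2_Test’.

```python
import re
from collections import namedtuple

# Model of one discover rule; incl/excl map a field name to a regex.
Rule = namedtuple("Rule", "name prio data_type incl excl")
FIELDS = ("column", "schema", "object", "comment")

def matches(rule, col):
    """All patterns of one rule are AND-ed, and the data type must match."""
    if col["type"] != rule.data_type:
        return False
    for field in FIELDS:
        value = col.get(field) or ""          # assumption: NULL comment == ""
        if not re.fullmatch(rule.incl[field], value):   # assumption: full match
            return False
        excl = rule.excl.get(field)           # exclude patterns are optional
        if excl and re.fullmatch(excl, value):
            return False
    return True

def resolve(rules, catalog):
    """Return {(schema, object): (tenant column, rule name)} for one group."""
    objects = {}
    for col in catalog:
        objects.setdefault((col["schema"], col["object"]), []).append(col)
    picked = {}
    for key, cols in objects.items():
        for rule in sorted(rules, key=lambda r: r.prio):   # lower prio wins
            hits = sorted(c["column"] for c in cols if matches(rule, c))
            if hits:                          # first column alphabetically
                picked[key] = (hits[0], rule.name)
                break
    return picked

def mk(schema, obj, column, type_="TEXT"):
    return {"schema": schema, "object": obj, "column": column, "type": type_}

# Constructed catalog; only BDOMAIN, PSV_TEST_.*, .*_TAB and .*_DR come from the page.
CATALOG = [
    mk("PSV_TEST_A", "CUSTOMER_TAB", "BDOMAIN"), mk("PSV_TEST_A", "CUSTOMER_TAB", "ADOMAIN"),
    mk("PSV_TEST_A", "ORDERS_V", "XDOMAIN"), mk("PSV_TEST_A", "ORDERS_V", "CDOMAIN"),
    mk("PSV_TEST_DR", "CUSTOMER_TAB", "BDOMAIN"),
    mk("PSV_TEST_A", "FLAGS_TAB", "BDOMAIN", "NUMBER"),
    mk("PROD", "CUSTOMER_TAB", "BDOMAIN"),
]
ANY = {"column": ".*DOMAIN", "schema": "PSV_TEST_.*", "object": ".*", "comment": ".*"}
T1 = Rule("Tenant1_Test", 1, "TEXT", dict(ANY, column="BDOMAIN", object=".*_TAB"), {"schema": ".*_DR"})
T2 = Rule("Tenant2_Test", 2, "TEXT", ANY, {})   # hypothetical second rule
```

In this model, `resolve([T1, T2], CATALOG)` still assigns a tenant column to PSV_TEST_DR.CUSTOMER_TAB through the second rule, because an exclude pattern only narrows its own rule and the rules of a group are OR-ed. An object that must stay out of a group needs the exclusion on every rule that could match it.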
2.3. Removing a Tenant Rule
Use API_SCURTY.REMOVE_TENANT to remove a tenant rule.
Example
EXECUTE SCRIPT API_SCURTY.REMOVE_TENANT (
     'TEST_TENANT'       -- p_tnt_group
    ,'Tenant1_Test'      -- p_tnt_name
);
After successfully running the script above, there should be no entry with the tenant name ‘TENANT1_TEST’ in the table SCURTY.REP_TENANTS anymore.