3. Manage Tenant Access
Make sure that object groups, tenants and users are well defined:
Furthermore, the user must already have been granted access to an object group.
Important
Access can only be granted to users of the type ‘HU’ or ‘GU’.
3.1. Granting Access on a Tenant Group to a User
Use the script API_SCURTY.GRANT_USER_TNT_ACCESS.
Granting access to a tenant group means that the user will see only rows which belong to the specified tenants (identified by tenant codes, e.g. specific values for a BDomain). You may provide multiple tenant codes at once using the Lua array syntax.
The parameter p_scol_access decides if the user sees sensitive columns within a row belonging to a tenant. Therefore, a user may see sensitive columns for one BDomain but not for others.
Check out the concepts guide for detailed explanations of row level and column level security.
Example
```sql
EXECUTE SCRIPT API_SCURTY.GRANT_USER_TNT_ACCESS (
   'TEST_OG'       -- p_object_group
  ,'TESTUSER'      -- p_user_name
  ,'TEST_TENANT'   -- p_tnt_group
  ,ARRAY('TEST')   -- p_tnt_code
  ,false           -- p_scol_access
);
```
After issuing the command above an entry is added to the table REP_USER_TNT_ACCESS.
| OBJECT_GROUP | USER_NAME | TNT_GROUP | TNT_CODE | SCOL_ACCESS |
|---|---|---|---|---|
| TEST_OG | TESTUSER | TEST_TENANT | TEST | false |
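The following is an added example, not part of the original documentation. It grants several tenant codes in one call, gives a different sensitive-column setting to one further tenant, and then reviews the resulting grants. The tenant codes 'DE', 'FR' and 'US' are constructed sample values; the query assumes that each tenant code is stored as its own row in REP_USER_TNT_ACCESS and that SCOL_ACCESS is a boolean column, and it leaves out the schema qualifier because this page does not name it.

```sql
-- Added example. Tenant codes 'DE', 'FR' and 'US' are constructed sample values.

-- Row access to two tenants in one call, sensitive columns hidden.
EXECUTE SCRIPT API_SCURTY.GRANT_USER_TNT_ACCESS (
   'TEST_OG'           -- p_object_group
  ,'TESTUSER'          -- p_user_name
  ,'TEST_TENANT'       -- p_tnt_group
  ,ARRAY('DE', 'FR')   -- p_tnt_code: several tenant codes at once
  ,false               -- p_scol_access: sensitive columns stay hidden
);

-- p_scol_access is a single value per call, so a tenant that needs a
-- different setting is granted in a separate call.
EXECUTE SCRIPT API_SCURTY.GRANT_USER_TNT_ACCESS (
   'TEST_OG'           -- p_object_group
  ,'TESTUSER'          -- p_user_name
  ,'TEST_TENANT'       -- p_tnt_group
  ,ARRAY('US')         -- p_tnt_code
  ,true                -- p_scol_access: sensitive columns visible for this tenant
);

-- Access review, part 1: per user and tenant group, the number of tenants
-- granted and how many of those include sensitive columns.
-- Assumption: one row per tenant code; SCOL_ACCESS is boolean.
SELECT OBJECT_GROUP
      ,USER_NAME
      ,TNT_GROUP
      ,COUNT(*)                                     AS TENANTS_GRANTED
      ,SUM(CASE WHEN SCOL_ACCESS THEN 1 ELSE 0 END) AS TENANTS_WITH_SCOL
FROM REP_USER_TNT_ACCESS   -- schema qualifier omitted (not given on this page)
GROUP BY OBJECT_GROUP, USER_NAME, TNT_GROUP
ORDER BY TENANTS_WITH_SCOL DESC, USER_NAME;

-- Access review, part 2: the individual grants that expose sensitive columns,
-- which are the entries to confirm with the data owner.
SELECT OBJECT_GROUP, USER_NAME, TNT_GROUP, TNT_CODE
FROM REP_USER_TNT_ACCESS
WHERE SCOL_ACCESS
ORDER BY USER_NAME, TNT_GROUP, TNT_CODE;
```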
3.2. Revoking Access on a Tenant Group from a User
To revoke access on a tenant group from a specific user, execute API_SCURTY.REVOKE_USER_TNT_ACCESS.
Example
```sql
EXECUTE SCRIPT API_SCURTY.REVOKE_USER_TNT_ACCESS (
   'TEST_OG'       -- p_object_group
  ,'TESTUSER'      -- p_user_name
  ,'TEST_TENANT'   -- p_tnt_group
  ,ARRAY('TEST')   -- p_tnt_code
);
```
After the example above has been run, the entry for row level access in the table REP_USER_TNT_ACCESS will be removed.