3. Manage Tenant Access

Make sure that object groups, tenants and users are well defined:

Furthermore, the user must already have been granted access to an object group.

Important

Access can only be granted to users of the type ‘HU’ or ‘GU’.

3.1. Granting Access on a Tenant Group to a User

Use the script API_SCURTY.GRANT_USER_TNT_ACCESS.

Granting access to a tenant group means that the user will see only rows which belong to the specified tenants (identified by tenant codes, e.g. specific values for a BDomain). You may provide multiple tenant codes at once using the Lua array syntax.

The parameter p_scol_access determines whether the user sees sensitive columns within a row belonging to a tenant. Therefore, a user may see sensitive columns for one BDomain but not for others.

Check out the concepts guide for detailed explanations of row level and column level security.

Example

EXECUTE SCRIPT API_SCURTY.GRANT_USER_TNT_ACCESS (
     'TEST_OG'        -- p_object_group
     ,'TESTUSER'      -- p_user_name
     ,'TEST_TENANT'   -- p_tnt_group
     ,ARRAY('TEST')   -- p_tnt_code
     ,false           -- p_scol_access
);

After issuing the command above, an entry is added to the table REP_USER_TNT_ACCESS.

OBJECT_GROUP    USER_NAME    TNT_GROUP      TNT_CODE    SCOL_ACCESS
TEST_OG         TESTUSER     TEST_TENANT    TEST        false

3.2. Revoking Access on a Tenant Group from a User

To revoke access on a tenant group from a specific user, execute API_SCURTY.REVOKE_USER_TNT_ACCESS.

Example

EXECUTE SCRIPT API_SCURTY.REVOKE_USER_TNT_ACCESS (
     'TEST_OG'        -- p_object_group
     ,'TESTUSER'      -- p_user_name
     ,'TEST_TENANT'   -- p_tnt_group
     ,ARRAY('TEST')   -- p_tnt_code
);

After the example above has been run, the entry for row level access in the table REP_USER_TNT_ACCESS is removed.
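
The following grant, review and revoke cycle is an added example, not part of the original documentation. It shows sensitive-column access that differs per tenant code, followed by a least-privilege review of REP_USER_TNT_ACCESS. Assumptions: the tenant codes 'DE', 'FR' and 'IT' are constructed, REP_USER_TNT_ACCESS is resolvable without a schema prefix, and SCOL_ACCESS is a boolean column.

```sql
-- Constructed values: tenant codes 'DE', 'FR', 'IT' are illustrative only.

-- Row-level access to two tenants, sensitive columns hidden.
EXECUTE SCRIPT API_SCURTY.GRANT_USER_TNT_ACCESS (
     'TEST_OG'            -- p_object_group
     ,'TESTUSER'          -- p_user_name
     ,'TEST_TENANT'       -- p_tnt_group
     ,ARRAY('FR', 'IT')   -- p_tnt_code: several codes in one call
     ,false               -- p_scol_access
);

-- Row-level access to a third tenant, sensitive columns visible.
EXECUTE SCRIPT API_SCURTY.GRANT_USER_TNT_ACCESS (
     'TEST_OG'            -- p_object_group
     ,'TESTUSER'          -- p_user_name
     ,'TEST_TENANT'       -- p_tnt_group
     ,ARRAY('DE')         -- p_tnt_code
     ,true                -- p_scol_access
);

-- Access review: every grant that exposes sensitive columns.
-- Assumption: the table is reachable without a schema prefix.
SELECT OBJECT_GROUP, USER_NAME, TNT_GROUP, TNT_CODE
FROM REP_USER_TNT_ACCESS
WHERE SCOL_ACCESS = true
ORDER BY USER_NAME, OBJECT_GROUP, TNT_GROUP, TNT_CODE;

-- Withdraw the sensitive-column grant once it is no longer needed.
EXECUTE SCRIPT API_SCURTY.REVOKE_USER_TNT_ACCESS (
     'TEST_OG'            -- p_object_group
     ,'TESTUSER'          -- p_user_name
     ,'TEST_TENANT'       -- p_tnt_group
     ,ARRAY('DE')         -- p_tnt_code
);

-- Confirm the user's remaining tenant scope after the revoke.
SELECT TNT_GROUP, TNT_CODE, SCOL_ACCESS
FROM REP_USER_TNT_ACCESS
WHERE USER_NAME = 'TESTUSER'
  AND OBJECT_GROUP = 'TEST_OG'
ORDER BY TNT_GROUP, TNT_CODE;
```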