To be able to grant and revoke access for a user on row level, a tenant group, an object group and a user have to be created first. This can be done by following the steps in the following three HowTo Guides:
In addition, the user needs access to the object group. This access can be granted by following the first part of this HowTo Guide:
ATTENTION: Access can only be granted to users of the type 'HU' or 'GU'.
After having successfully created a tenant group, an object group and a user, you can grant that user access to the tenant group with the script API_SCURTY.GRANT_USER_TNT_ACCESS. The names of the object group, the tenant group and the user must match the ones just created exactly. Row level access is implemented by granting access to specific tenant codes of a tenant group: the user then only sees those rows of a table or view whose tenant column holds one of the granted codes. The script therefore takes, in addition to the object group, the user name and the tenant group, a tenant code parameter. This is either the string 'ALL', which grants access to all rows regardless of the value in the tenant column, or an array of values from the tenant column, in which case only rows whose tenant column contains one of the values in the array are accessible to the user. The last parameter, p_scol_access, is optional and defaults to false. It controls whether the user may also access columns that have been declared as sensitive columns, i.e. columns holding sensitive data; leave it at false unless the user actually needs that data.
```sql
EXECUTE SCRIPT API_SCURTY.GRANT_USER_TNT_ACCESS (
     'TEST_OG'        -- p_object_group
    ,'TESTUSER'       -- p_user_name
    ,'TEST_TENANT'    -- p_tnt_group
    ,ARRAY('TEST')    -- p_tnt_code
    ,false            -- p_scol_access
);
```
After issuing the command above, the following entry is added to the table SCURTY.REP_USER_TNT_ACCESS:
| OBJECT_GROUP | USER_NAME | TNT_GROUP | TNT_CODE | SCOL_ACCESS |
|---|---|---|---|---|
| TEST_OG | TESTUSER | TEST_TENANT | TEST | false |
To revoke a user's access to a tenant group, use the script API_SCURTY.REVOKE_USER_TNT_ACCESS. It takes the object group through which the access to the tenant codes was granted, the user whose access is to be revoked, the tenant group the access is revoked for, and the tenant code(s) of the rows the access is revoked for. The values must match those used in the grant.
```sql
EXECUTE SCRIPT API_SCURTY.REVOKE_USER_TNT_ACCESS (
     'TEST_OG'        -- p_object_group
    ,'TESTUSER'       -- p_user_name
    ,'TEST_TENANT'    -- p_tnt_group
    ,ARRAY('TEST')    -- p_tnt_code
);
```
After the example above has been run, the row level access entry for TESTUSER is removed from the table SCURTY.REP_USER_TNT_ACCESS.
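The following is an added example and not part of this guide: it walks through a least-privilege grant with several tenant codes, a broad grant, a verification query, an audit query for broad access, and a partial revoke, using only the two scripts and the table described above. The object group SALES_OG, the tenant group SALES_TNT with tenant codes 'DE' and 'FR', and the users ANALYST and ADMINUSER are assumed to exist (both users of type 'HU' or 'GU'). The audit query assumes that a tenant code of 'ALL' is stored literally as 'ALL' in TNT_CODE, and the partial revoke assumes that a grant made with several tenant codes can be revoked one code at a time; the guide states neither, so check both against your installation before relying on them.

```sql
-- Added example: grant, verify, audit and revoke row level access.
-- Assumed objects (not from the guide): object group SALES_OG, tenant group
-- SALES_TNT with tenant codes 'DE' and 'FR', users ANALYST and ADMINUSER.

-- 1. Least-privilege grant: ANALYST sees only rows whose tenant column is
--    'DE' or 'FR' and gets no access to sensitive columns (p_scol_access
--    defaults to false; it is passed explicitly here for clarity).
EXECUTE SCRIPT API_SCURTY.GRANT_USER_TNT_ACCESS (
     'SALES_OG'          -- p_object_group
    ,'ANALYST'           -- p_user_name
    ,'SALES_TNT'         -- p_tnt_group
    ,ARRAY('DE', 'FR')   -- p_tnt_code: a subset of the tenant codes
    ,false               -- p_scol_access
);

-- 2. Broad grant: ADMINUSER sees all rows and the sensitive columns.
EXECUTE SCRIPT API_SCURTY.GRANT_USER_TNT_ACCESS (
     'SALES_OG'          -- p_object_group
    ,'ADMINUSER'         -- p_user_name
    ,'SALES_TNT'         -- p_tnt_group
    ,'ALL'               -- p_tnt_code: every row of the tenant column
    ,true                -- p_scol_access: sensitive columns as well
);

-- 3. Verify what was recorded for the tenant group.
SELECT OBJECT_GROUP, USER_NAME, TNT_GROUP, TNT_CODE, SCOL_ACCESS
  FROM SCURTY.REP_USER_TNT_ACCESS
 WHERE TNT_GROUP = 'SALES_TNT'
 ORDER BY USER_NAME, TNT_CODE;

-- 4. Periodic audit: which users hold broad access?
--    (assumption: 'ALL' is stored literally in TNT_CODE)
SELECT USER_NAME, OBJECT_GROUP, TNT_GROUP, TNT_CODE, SCOL_ACCESS
  FROM SCURTY.REP_USER_TNT_ACCESS
 WHERE TNT_CODE = 'ALL'
    OR SCOL_ACCESS = true
 ORDER BY USER_NAME;

-- 5. Revoke only the 'FR' rows from ANALYST; the 'DE' access stays.
--    (assumption: a multi-code grant can be revoked per code)
EXECUTE SCRIPT API_SCURTY.REVOKE_USER_TNT_ACCESS (
     'SALES_OG'          -- p_object_group
    ,'ANALYST'           -- p_user_name
    ,'SALES_TNT'         -- p_tnt_group
    ,ARRAY('FR')         -- p_tnt_code
);

-- 6. Confirm the revoke took effect: only the 'DE' entry should remain.
SELECT TNT_CODE, SCOL_ACCESS
  FROM SCURTY.REP_USER_TNT_ACCESS
 WHERE USER_NAME = 'ANALYST'
   AND TNT_GROUP = 'SALES_TNT';
```

Run step 3 after every grant and step 6 after every revoke rather than trusting the script's return; the table SCURTY.REP_USER_TNT_ACCESS is the record that actually governs which rows a user sees, and the audit in step 4 is the query to schedule if 'ALL' or sensitive column access should be the exception rather than the rule.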