CC028 - Row Level Security Automation
This document gives an overview of the custom automation process of loading row level security. It was prepared to give the security team an overview of what the UA_CC028 AE and the related peoplecode in the UA_SA_CC028 app package do.
Project: UA_SA_CC028
The row level security for users is loaded in the following ways:
1. Run the UA_CC028 app engine (Setup SACR > Secure Student Administration > Process > Run Row Level Security Load)
2. From the 'save post change' peoplecode in USERMAINT component (PeopleTools > Security > User Profiles)
Method 1 loads the row level security in batch. Method 2 loads the row level security for a specific user.
Both method 1 & 2 use the exact same logic while loading the row level security.
Row level security load logic:
The row level security load automation is performed only on the users with the 'UA_SA Base Access - Admin' role (please see section 2 in 'Potential bugs').
The method UA_SA_SECURITY:RowLevelSecurity.CreateSecurity() calls 2 methods (CreateSecurityTableDriven() & CreateSecurityAll()) which assign the row level security.
Note: The above method is called in App engine 'UA_CC028.MAIN.Step01 - Peoplecode' & component 'USERMAINT - SavePostChange'.
Note: Various methods in the UA_SA_SECURITY:RowLevelSecurity() class refer to the variables &oprid, &institution, &PLNoMasking and &AcadOrgValue. These attribute values are set in the method RowLevelSecurity().
Method CreateSecurity():
This calls the below 2 methods:
CreateSecurityTableDriven();
CreateSecurityAll();
CreateSecurityTableDriven():
This method assigns the security to a user based on the user's roles and the corresponding row level security values set up for the given role.
Navigation: Setup SACR > Product Related > Campus Community > Row Level Security Setup
In the below example, users with role 'UA_SA_SR View Only' are set up to be assigned '3C Group' security for RVW (Registrar view) 'Inquiry' access.
When UA_CC028 AE runs, users who have 'UA_SA_SR View Only' will get the row level security as shown in the 2nd screen shot.
Row level security can be assigned by CreateSecurityTableDriven() for the following list (Setup SACR > Security > Secure Student Administration > User ID):
3C Group
Academic Org
Academic Plan (Although this is a xlat value for Type on the Row level setup page, this is not used in app package code)
Admissions Action
Advisement Report
Application Center
No Masking (Although this is a xlat value for Type on the Row level setup page, this is not used in app package code)
Population Update
Program Action
Recruiting Center
Service Indicator
Student Group
Transcript Report
Test ID Security
CreateSecurityAll():
This method assigns the row level security to the following items:
Academic Institution Security
Institution/Campus Security: Gives access to all Campuses
Institution Career Security: Gives access to all Careers
Academic Program Security: For each Career, security is granted to all ACAD_PROG values
Test ID security: Assigns Test ID security for users with roles where ROLENAME LIKE 'UA_SA_TC%' OR ROLENAME LIKE 'UA_SA_AD%' OR ROLENAME LIKE 'UA_SA_AA%'. If the Test ID security already exists or was set by CreateSecurityTableDriven(), it will not be updated
Academic Plan Security: Security is granted to all ACAD_PLAN values
Academic Org Security: For users who have the role 'UA_SA_SR View Only' and DO NOT have the roles 'UA_SA_SR Acad Dept Scheduler' or 'UA_SA_SR College User' or 'UA_SA_SR Dept Perm Enrol Sched' or 'UA_SA_SR_Quick Admit' or 'UA_SA_SR Block Enrollment User' or 'UA_SA_SR Department User', acad org security with Acad Org = UNIV is assigned
Student Group Security: Gives access to all existing student groups but with 'Inquiry' access. Any existing student group security will not be updated
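The two role predicates above (Test ID and Academic Org) can be checked against a user's role list with the following added example. It is not code from the UA_SA_SECURITY package, and it assumes the ROLENAME conditions run as SQL LIKE with no ESCAPE clause, where '_' matches any single character; the sample role names are constructed.

```python
import re

# Role-name patterns quoted on the page for Test ID security.
TEST_ID_PATTERNS = ["UA_SA_TC%", "UA_SA_AD%", "UA_SA_AA%"]

# Roles named on the page for the Academic Org (UNIV) rule.
VIEW_ONLY = "UA_SA_SR View Only"
ACAD_ORG_EXCLUDING = {
    "UA_SA_SR Acad Dept Scheduler", "UA_SA_SR College User",
    "UA_SA_SR Dept Perm Enrol Sched", "UA_SA_SR_Quick Admit",
    "UA_SA_SR Block Enrollment User", "UA_SA_SR Department User",
}

def like_to_regex(pattern):
    """Translate a SQL LIKE pattern (no ESCAPE clause) into a regex."""
    parts = []
    for ch in pattern:
        if ch == "%":
            parts.append(".*")      # any run of characters
        elif ch == "_":
            parts.append(".")       # exactly one character, not a literal '_'
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.DOTALL)

def matching_test_id_roles(roles):
    """Roles that satisfy any of the Test ID LIKE patterns."""
    regexes = [like_to_regex(p) for p in TEST_ID_PATTERNS]
    return sorted(r for r in roles if any(rx.fullmatch(r) for rx in regexes))

def unintended_like_hits(roles):
    """Roles matched only because '_' acted as a wildcard."""
    literal = tuple(p.rstrip("%") for p in TEST_ID_PATTERNS)
    return [r for r in matching_test_id_roles(roles) if not r.startswith(literal)]

def gets_univ_acad_org(roles):
    """True when the page's rule would assign Acad Org = UNIV."""
    return VIEW_ONLY in roles and not (set(roles) & ACAD_ORG_EXCLUDING)

if __name__ == "__main__":
    # Constructed role list; only 'UA_SA_SR View Only' is a name from the page.
    sample = ["UA_SA_TC Coord", "UA_SA AD Reviewer", "UA_SA_SR View Only"]
    print("Test ID via:", matching_test_id_roles(sample))
    print("Wildcard-only matches:", unintended_like_hits(sample))
    print("UNIV acad org:", gets_univ_acad_org(sample))
```

Because this site's role names mix spaces and underscores after the 'UA_SA' prefix, any role reported by unintended_like_hits() deserves a review; an ESCAPE clause on the LIKE makes the underscores literal.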
Potential bugs:
1. The following tables are effective dated, but the UA_SA_SECURITY app package does not have the effective dated logic while pulling data from these tables.
ACAD_CAR_TBL
CAMPUS_TBL
STDNT_GROUP_TBL
PSTREENODE
This may not be an issue. For example let us say HNRS student group is no longer active, but the user may still need to see students who have HNRS student group. In this case if we assign the row level student group security with only the active student groups, user will not be able to see the student group data for HNRS via PIA because of the missing HNRS row level security.
2. The call to UA_SA_SECURITY.CreateSecurity() occurs in 2 places.
i) From UA_CC028 AE (MAIN.Setup01.Peoplecode), this code grabs all the users with 'UA_SA Base Access - Admin' role and assigns the row level security.
ii) From component peoplecode (USERMAINT - SavePostChange). Here UA_SA_SECURITY.CreateSecurity() is called when the current user who is creating the new users has the 'UA_SA Base Access - Admin' role. I think this is a bug because it checks for the current user's role instead of the newly created user's role
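The difference between the two role checks in item 2 can be modelled as follows. This is an added example in Python, not the PeopleCode from USERMAINT or UA_SA_SECURITY; the user IDs, the save events and every role other than 'UA_SA Base Access - Admin' and 'UA_SA_SR View Only' are constructed.

```python
BASE_ROLE = "UA_SA Base Access - Admin"

# Constructed role memberships for four hypothetical user IDs.
USER_ROLES = {
    "SECADMIN1": {BASE_ROLE},
    "HELPDESK1": {"UA Help Desk"},
    "NEWSTAFF": {BASE_ROLE, "UA_SA_SR View Only"},
    "NEWGUEST": {"UA Guest"},
}

def gate_as_described(acting_user, saved_user, roles=USER_ROLES):
    """SavePostChange check as the page describes it: the operator's role."""
    return BASE_ROLE in roles.get(acting_user, set())

def gate_on_target(acting_user, saved_user, roles=USER_ROLES):
    """Check on the profile being saved, the population the batch AE selects."""
    return BASE_ROLE in roles.get(saved_user, set())

def compare_gates(save_events, roles=USER_ROLES):
    """Classify (acting_user, saved_user) saves where the two checks disagree."""
    over, missed = [], []
    for acting, saved in save_events:
        described = gate_as_described(acting, saved, roles)
        intended = gate_on_target(acting, saved, roles)
        if described and not intended:
            # Row level security loaded for a profile without the base role.
            over.append((acting, saved))
        elif intended and not described:
            # Profile has the base role but the online load is skipped.
            missed.append((acting, saved))
    return {"over_provisioned": over, "missed": missed}

if __name__ == "__main__":
    # Constructed save events: (operator doing the save, profile saved).
    events = [
        ("SECADMIN1", "NEWGUEST"),
        ("HELPDESK1", "NEWSTAFF"),
        ("SECADMIN1", "NEWSTAFF"),
    ]
    print(compare_gates(events))
```

Run over real save events and role memberships, the "over_provisioned" list identifies profiles whose row level security should be reviewed.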