CC028 - Row Level Security Automation

CC028
-

Row Level Security Automation


This document
gives an

overview of the

custom

a
utomation process of loading row level security.

This
was prepared to give an overview to

the security team about what
UA_CC028
AE and related
peoplecode in UA_SA_CC028 app package
does.

Project: UA_SA_CC028

The row level security for a user
s

is loaded in following ways:

1.

Run the
UA_CC028 app engine

(Setup SACR > Secure Student Administration > Process > Run
Row Level Security Load)

2.

From the 'save post change' peoplecode in USERMAINT component (People

Tools > Security >
User Profi
l
es)

Method 1 loads the row level security in batch. Method 2 loads the row level security for
a

specific user.

Both method 1 & 2 use the exact same logic w
hile loading the row level secur
i
ty.



Row level security load logic:



The row level security load automation is performed only

on

the users with

'UA_SA Base Access
-

Admin'
role

(please see
2 section in
'
Potential Bugs'
)



The method

UA_SA_SECURITY:RowLevelSecurity
.
CreateSecurity() call
s

2 methods

(
CreateSecurityTableDriven() & CreateSecurityAll()

)

which as
signs the row level security

Note: The above method is called in App engine 'UA_CC028.MAIN.Step01
-

Peoplecode' & component
'USER
MAINT
-
SavePostChange'



Note:

Various methods in
UA_SA_SECURITY:
RowLevelSecurity
()

class refers to variables &oprid,
&institution, &PLNoMasking and &AcadOrgValue. These
attribute

values are set in the method
RowLevelSecurity()


Method CreateSecurity():

This call the below 2 methods


CreateSecurityTableDriven();


CreateSecurityAll();



CreateSecurityTableDriven()
:




This method assigns the security to a user based on the

user

roles and the corresponding

row level security values setup
for the given
role.


Navigation:

Setup SACR > Product Related >
Campus Community >
Row Level Security Setup


In the below example, user
s

with role
'UA_SA_SR View Only'

are

setup to
be assigned

'3C

Group' security

for

RVW (Registrar view)

'Inquiry' access
.


When UA_CC028 AE runs, users who have
'UA_SA_SR View Only'

will get the row level security

as shown in the 2
nd

screen shot






R
ow level security can be assigned by
CreateSecurityTableDriven()

for the following list:


Setup SACR > Security > Secure
Student Administration > User ID



3G Group



Academic Org



Academic Plan

(Although this is a
xlat value for Type on the Row l
evel setup page,









this is not used in app package code)




Admissions Action



Advisement Report



Application Center



No Masking



(Although this is a xlat value for Type on the Rowl evel setup page,









this is not used in app package code)






Population Update



Program Action



Recruiting Center



Service Indicator



Student Group



Transcript Report



Test ID
Security




CreateSecurityAll():




This
method
assigns the row level security to following items:





Academic Institution Security



Institution/Campus Security
:

Gives access to all Campuses




Institution Career Security
:

Gives access to all Careers



Academic
Program Security
:

For each Career, security is granted
to all ACAD_P
ROG








values



Test ID security
:


Assigns Test ID security for users with roles where ROLENAME









LIKE 'UA_SA_TC%' OR ROLENAME LIKE 'UA_SA_AD%' OR







ROLENAME LIKE


'UA_SA
_AA%'

. If the Test ID security is already







existing or

set by
Create
SecurityTableDriven()
,

it will not be updated





Academic Plan Security
:



Security is granted to all ACAD_PLAN values




Academic Org Security:



For users
with role
'UA_SA_SR
View Only'










and
DOES

NOT

have the role
s

'UA_SA_SR Acad Dept







Scheduler'

or

'UA_SA_SR College User'

or
'UA_SA_SR







Dept Perm Enrol Sched'

or
'UA_SA_SR_Quick Admit'

or







'UA_SA_SR Block Enrollment User'

or









'UA_SA_SR Depart
ment User'
,

acad org security with








Acad Org = UNIV is
assigned




Student Group Security
:


Gives access to all existing student groups but with







'Inquiry' access. Any existing student group security will







not be updated


Potential bugs:


1.

The following tables are effective dated, but the UA_SA_SECURITY app package does not have
the effective dated logic while pulling data from these tables.



ACAD_CAR_TBL


CAMPUS_TBL


STDNT_GROUP_TBL


PSTREENODE



This may not be an
issue.


For example let us say HNRS student group is no longer active, but the user may still need to see

student
s

who
have

HNRS student group.

In this case if we assign the row level student group

security with only the active student groups, user will not be
able to see the student group data

for HNRS via PIA because of

the

missing
HNRS
row level security.


2.

The call to UA_SA_SECURITY.CreateSecurity() occurs in 2 places.


i)

F
rom
UA_CC028 AE (MAIN.Setup01.Peoplecode), this code grabs all the users with 'UA_SA
Ba
se Access
-

Admin' role and assigns the row level security.

ii)

From component peoplecode (USERMAINT
-

SavePostChange). Here
UA_SA_SECURITY.CreateSecurity() is called when the current user who is creating the new
users has the 'UA_SA Base Access
-

Admin' rol
e. I think this is a bug because it checks for the
current user's role instead of the newly created user's role