Row Level Security

 


Row Level Security is a highly flexible technique for controlling which records are returned based on the current user. Implementing row level security is a three-step process. First, you must create a table that contains security credentials. Second, you need to create a retrieval over this table, using the Row Level Security template. Lastly, you must integrate the security retrieval with the application you wish to secure.

Creating the Security Table:

The table must contain three fields. One field will hold user profile information, another will contain values, and a third will contain data regarding the relationship between the user and the values. When naming your fields, do not name the user profile field USER. This word is reserved within Java. Valid relationship values are:

    EQ Equal to
    GE Greater than or equal to
    GT Greater than
    LE Less than or equal to
    LS Is in the list
    LT Less than
    NE Not equal to
    NG Not greater than
    NL Not less than
    RG Is in the range
    SW Starts with

You most likely will want to build a maintainer over this table.


This table has been set up so that user Duffey has the credentials to view all values in the list of OH, IL, and IN. Conversely, user Hurckes can only view values related to CA, MO, and WA. Once your security table has been created, you are ready to create the Row Level Security application.


Creating the Security Application

In order to implement Row Level Security, you must create a retrieval over the table you just created. This retrieval must be created using the Row Level Security template. Applications created with this template are expected to run behind the scenes, and not in the browser.

Note: The security application must be created in the same data dictionary as the application it will secure.

Application Specifications

Application Settings

Description: Allow developers to specify their application's description/name.

Program Name: This will be the application's number. By default, m-Power uses the letter I (Inquiry) followed by a five digit number.

Select Only Matching Records: Select either 'No', for a left outer join, or 'Yes' for an inner join. A left outer join will return all records from the primary table along with matching records from the secondary tables. An inner join will return records from the primary and secondary tables only where matching records are found.

Template: You can select a template by scrolling through the available templates. The templates define the general layout and functionality of the resulting application. This section will list all the available maintenance templates; you will see a small screenshot of what that template looks like at runtime. Learn more about templates.

Data Selection

Here you will see/modify the table you have selected for your application. Here you can create or modify joins to other tables as well.

Sequencing

Sequence your application by the field containing the user values.

Field Settings

Here you will find the settings for all the fields in the application. The options are:

Note: When creating the security application, please ensure that the third field in your application is the field you wish to secure against.

Delete: You can delete fields by clicking the checkbox and clicking Accept. If a field has a red circle with a cross line, that means that the field is being used somewhere else in the application (sequence, calculation, etc.), and, due to this dependency, is not available for deletion.
NOTE: Deleting a field will remove the field from the application only; the table will be unchanged.

Field: This is the same name the field has in the table.

Table: The name of the table where that field exists.

Field Description: This is the text that will appear in the column header for that field; you can modify it to suit your needs. This field will populate with the field description from the table by default, but it can be customized at the application level.

Display: A radio button allows developers to display or hide the field from the output page. There may be situations where a field is needed for calculation purposes, but the field does not need to be displayed at runtime.

Length: Here you can modify the length of the field. m-Power will only allow developers to shorten the length of the field; shortening a field's length will truncate its data. For example, if a field is 10 alpha and it is changed to 5 alpha, only the first 5 characters will be displayed. The same principle applies to a numeric field: if a numeric field is 8 digits long, changing it to 4 digits long will only display the first 4 digits and leave out the rest of the digits.

Decimals: For numeric fields, you can modify the number of decimal digits. A numeric field will have the option of changing its decimal length; alpha fields do not have a decimal option, so developers can use this as an indicator to check whether a field is a numeric or character type.

Numeric Format Code: For numeric fields, you can modify the way the numbers will display; this includes displaying decimals or not, how to display negative numbers, etc. Multiple formats are built in for developers to use. Should you need a different format code, m-Power allows developers to create their own User Defined Format Codes; these codes will add logic for common types of fields such as Currency, Time, or Dates. Accessing the User Defined Format Codes from the Admin section will also allow developers to modify current codes. Learn more.

Note: Do not confuse the User Defined Format Code with the User Defined Functions (UDF). The latter is a feature that allows developers to create or incorporate programming functions into m-Power. Learn more about UDFs.

User def: This feature has been deprecated.

Record Selections

Record Selections can be created over any database fields. These are the options:

Field: A drop down allows you to select the field you want to filter on.

Relation: A drop down allows you to select a relationship for the filter.

Value: This is the value to compare against. The options are:

Constant Value: A constant value allows you to hard-code any given value into a selection. This value cannot be modified by the end-user at run-time.

Application Field Value: Developers have the option of comparing a value from one field to a value from another field within the same record.

And/Or: When creating multiple record selections, you have the option to set them as "and" or "or". Example: selection A and selection B will display only records that match both selections. Selection A or selection B will display records that match one or both selections. Learn more.

Calculations

Calculations are a very powerful feature of m-Power; with calculations, developers can create logical fields that will apply to the current application only. This can be used to include SQL code in a field, such as cast a numeric field as character, create date conversions, inserting the current date and time, and much more. Learn more. In Row Level Security applications, calculations are often used to create the relationship field, without needing to alter the table.

External Objects and SmartLinks

External Objects and SmartLinks are not supported in the Row Level Security Template.

Application Properties

When accessing the Application Properties, a popup window will open with multiple tabs; let's go through each of the tabs:

Program Options

debug: Selecting Yes will display the SQL generated by m-Power at runtime, at the bottom of the page. This allows developers to debug the application to see exactly what is being queried to the database. The default setting is No.

edit_type: This property specifies whether this application can be edited through m-Painter (WYSIWYG and text editing), or through text editing only.

SQL Statement

caseSensitive: When using record selections or creating filters via the Selection window, if no matches are found but you know matching records exist, m-Power offers three options for case sensitivity. "Change the search value to uppercase" is the default; most databases use uppercase when writing data to the table, so this selection will uppercase the values typed in the input field by the end user. Selecting "No case conversion" will not uppercase the user's input; use this option if you know the data in the database are lowercase. The third option, "Change both the search value and the DB field to uppercase using the UPPER keyword", will uppercase both the database field and the user's input. This option is the slowest because the data needs to be read from the table and changed to uppercase for every record in the table.

secureby: m-Power applications can be secured against username or session ID. Click here to learn more about this feature.

sql_statement: Developers can specify an SQL statement with this property to override the default SQL statement created by the application.

Override Properties

This section allows developers to override the default error messages by selecting the error message you wish to customize and then modifying the Value section to whatever you would like your message to say at runtime in place of the default message.


Implementing Row Level Security

Once you've created your security table and retrieval, all that is left to do is to integrate the security retrieval with the application you wish to secure. To do so, open the application and navigate to the Record Selections specification.

For the field value, select the field in your application that contains user information. Select 'Row Level Security' from the relation dropdown. The value dropdown list will populate with all row level security templates that have been created in this dictionary. Select your security application and click accept.


Once you have added your record selection, you will need to recompile your application. However, you do not need to overwrite the HTML or Application Properties. Your application should now be set to use Row Level Security!
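The effect of the security table and record selection described above can be illustrated outside m-Power. The following is an added example, not m-Power's generated code: it uses SQLite from Python to turn security-table rows into a parameterized WHERE clause. The table and column names, the comma-separated storage of LS and RG values, the OR-ing of several rows for one user, and returning nothing for a user with no rows are all assumptions.

```python
import sqlite3

# Page's relation codes mapped to SQL comparison operators (illustrative mapping).
OPS = {"EQ": "=", "NE": "<>", "GT": ">", "GE": ">=", "LT": "<", "LE": "<=",
       "NG": "<=", "NL": ">="}

def predicate(field, relation, value):
    """Turn one security-table row into (sql_fragment, bound_parameters)."""
    if not field.isidentifier():              # column name is developer-chosen, never user input
        raise ValueError("bad field name")
    if relation in OPS:
        return f"{field} {OPS[relation]} ?", [value]
    parts = [v.strip() for v in value.split(",")]   # assumed comma-separated storage
    if relation == "LS":
        return f"{field} IN ({','.join('?' * len(parts))})", parts
    if relation == "RG" and len(parts) == 2:
        return f"{field} BETWEEN ? AND ?", parts
    if relation == "SW":                      # substr avoids LIKE wildcards in the stored value
        return f"substr({field}, 1, length(?)) = ?", [value, value]
    raise ValueError(f"unsupported rule {relation!r} {value!r}")

def visible_customers(db, user, field="STATE"):
    """Names the user may see; a user with no security rows sees nothing (assumed default deny)."""
    rules = db.execute("SELECT RELATION, VAL FROM SECTABLE WHERE USERID = ?", (user,)).fetchall()
    if not rules:
        return []
    clauses, params = [], []
    for relation, value in rules:             # several rows for one user are OR-ed (assumption)
        sql, bound = predicate(field, relation, value)
        clauses.append(f"({sql})")
        params += bound
    query = f"SELECT NAME FROM CUSTOMER WHERE {' OR '.join(clauses)} ORDER BY NAME"
    return [row[0] for row in db.execute(query, params)]

def build_demo_db():
    """Constructed sample data; table and column names are hypothetical."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE SECTABLE (USERID TEXT, VAL TEXT, RELATION TEXT);
        INSERT INTO SECTABLE VALUES ('Duffey', 'OH,IL,IN', 'LS'), ('Hurckes', 'CA,MO,WA', 'LS'),
                                    ('Auditor', 'M', 'SW');
        CREATE TABLE CUSTOMER (NAME TEXT, STATE TEXT);
        INSERT INTO CUSTOMER VALUES ('Acme', 'OH'), ('Birch', 'CA'), ('Cobalt', 'IL'),
                                    ('Delta', 'MO'), ('Ember', 'TX'), ('Flint', 'IN'), ('Grove', 'WA');
    """)
    return db

if __name__ == "__main__":
    db = build_demo_db()
    for user in ("Duffey", "Hurckes", "Auditor", "Nobody"):
        print(user, visible_customers(db, user))
```

The user column is named USERID rather than USER, following the naming restriction given for the security table.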


Video

In this brief video I will show you how to apply Row Level security to your applications.
Row level security is a great feature that allows you to specify what records your users can access based on their login credentials. This gives you great control over who can access the records and what records they can access.
Once the security table and the Row Level Security retrieval have been created, you are ready to apply the Row Level security to your application.
As you can see, I have a report listing all the customers; there are over two hundred records listing customers from many different States and regions. I am assigned to work only with customers from the Midwest, which includes these four states: OH, IL, IA, and IN. There is no need for me to see records of customers from other states.
In the security retrieval I had filtered that my user "Zarate" should only be able to access the records where the State is equal to any of these: OH, IL, IA, and IN.
After compiling your application, click Record Selections. From the Field drop down, select the field that you want to control. In my case the field is the Customer state.
From the Selections drop down, select the Row Level Security. From the Values drop down, select the retrieval containing the users and filters for this application. In my case the retrieval 20 contains the filters of what records I can access depending on the user.
Recompile the application without overriding the HTML or Properties. Now, when I run the application I am only allowed to access those records that match my filter on the retrieval.


Web Parameters

Common Parameters — These parameters apply to every template:

Each parameter is listed with its name, valid values, example value, default value, and description.

basic
  Valid values:
  • 0: Off
  • 1: On
  Example value: 1
  Default value: 0
  Description: This parameter allows the app to only display the main content area.

CALCULAXXX
  Valid values:
  • Any URL-encoded value
  Example value: 5000
  Description: When a calculation is a parameter calc, you can pass its value across the URL to other mrc applications. Use CALCULA001 for your first calculation, CALCULA002 for your second calculation, and so on, for all your parameter calculations.

Custom Parameters
  Valid values:
  • Any URL-encoded value
  Example value: 33
  Description: Freemarker custom parameters can be passed through the URL.

data
  Valid values:
  • 0: Off
  • 1: On
  Example value: 1
  Default value: 0
  Description: This parameter allows the app to only display the main data table.

debug
  Valid values:
  • 0: Off
  • 1: On
  • 2: On & Show Import URLs
  Example value: 1
  Default value: 0
  Description: Loads your application with SQL statement and application logic time listed. This is often useful in determining how your dataset was determined and deciding if indexes should be created for this query.

devicetype
  Valid values:
  • pc: Computer
  • tab: Tablet
  • mob: Smartphone
  Example value: tab
  Default value: pc
  Description: This parameter sets the current device type mode for the entire session. While device is automatically seen and set, you can use this to manually change it to a different device type.

FIELD
  Valid values:
  • Any URL-encoded value
  Example value: 23
  Description: Applications allow you to pass values directly to any field when it is specified as a sequence key.

help
  Valid values:
  • 0: Off
  • 1: On
  Example value: 1
  Default value: 0
  Description: This parameter controls whether the parameter listing screen should be displayed for this application or not.

hide_header_footer
  Valid values:
  • 0: Show header/footer
  • 1: Hide header/footer
  Example value: 1
  Default value: 0
  Description: This parameter controls whether the header and footer are hidden.

impTags
  Valid values:
  • Any positive integer
  Example value: 1
  Default value: 0
  Description: This parameter allows the app to only display the HTML inside the associated custom import.

init
  Valid values:
  • 0: Off
  • 1: On
  Example value: 1
  Default value: 0
  Description: Forces your application to refresh the page from the server. Useful if you are making changes in a development environment but are not seeing your changes.

locale
  Valid values:
  • ar: Arabic
  • bg: Bulgarian
  • ca: Catalan
  • zh: Chinese
  • cs: Czech
  • da: Danish
  • nl: Dutch
  • en: English
  • et: Estonian
  • fi: Finnish
  • fr: French
  • de: German
  • el: Greek
  • he: Haitian Creole
  • hi: Hindi
  • ht: Hebrew
  • hu: Hungarian
  • id: Indonesian
  • it: Italian
  • ja: Japanese
  • ko: Korean
  • lv: Latvian
  • lt: Lithuanian
  • no: Norwegian
  • pl: Polish
  • pt: Portuguese
  • ro: Romanian
  • ru: Russian
  • sk: Slovak
  • sl: Slovene
  • es: Spanish
  • sv: Swedish
  • th: Thai
  • tr: Turkish
  • uk: Ukrainian
  • vi: Vietnamese
  Example value: es
  Default value: en
  Description: This lets you choose which language layer to view for the entire session. Only available when using the m-Power Translate feature.


Created: October 1, 2013 | Modified: June 7, 2017