ACL control of function fields

  • Release version: Xanadu
  • Updated August 1, 2024
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of ACL Control of Function Fields

    The ACL control for function fields has been updated in the Xanadu release. This change requires that users have access not only to the function field itself but also to all contributing fields used in its definition. This is a shift from the earlier practice in Rome and prior versions, where only access to the function field was necessary.

    Show full answer Show less

    Key Features

    • Access Requirements: Users must have both read and reportview access to the function field and all contributing fields.
    • Operations Affected: The changes impact read and reportview operations specifically.
    • Role-Based Access: Users need appropriate roles to gain access, with specific conditions for role-only read ACLs.

    Key Outcomes

    With these updates, customers can expect more robust access control for function fields, enhancing data security by ensuring that all related fields are appropriately managed. This prevents unauthorized access to sensitive data that could be derived from function fields.

    When evaluating access to a function field, in addition to checking access to the function field itself, the system also checks access to the function's contributing fields. Contributing fields are those used as the arguments in a given function definition.

    For more information about function fields, see Function field.

    In Rome and earlier, the system simply checks access to the function field itself (as with any other field). If the ACLs on that field allow access, the user receives the resulting value, regardless of whether the user has access to the contributing fields.

    In Xanadu and later, the system also requires access to all contributing fields in order to allow access to the function field. If one or more of the contributing field ACLs refuse access, the function field also refuses access.

    The only operations affected by the new requirement are read and report_view. Report_view has its own additional requirements.

    Operation Description
    read operation A user has read access to a function field only if both of the following are true:
    • The user has read access to the function field.
    • The user has read access to all of the contributing fields used in the function.
    report_view operation A user has report_view access to a function field only if all of the following are true:
    • The user has report_view access to the function field.
    • The user has report_view access to each of the contributing fields.
    • There is a role-only read ACL without conditions and without a script, and the user has that role.
    • The user has role-only read access to the contributing fields, such that only ACLs without condition or script can allow.

    Examples

    Given:
    • Table: salary
    • Columns: base, bonus, total (all are Integers in this example)
    • Function field: The total column is marked as a function field, with function definition glidefunction:add(base, bonus).
    • Contributing fields: base and bonus, since they're used in the function definition
    • Roles: salary_admin, bonus_admin
    Table 1. Example 1: All fields allow access
    ACLs Result
    total, base, bonus: read and report_view for role salary_admin, with no conditions or scripts A user with the salary_admin role is granted read and report_view access to total because they have the required role.
    Table 2. Example 2: Contributing field refuses read access
    ACLs Result
    • total, base: read and report_view for role salary_admin, with no conditions or scripts
    • bonus: report_view for role salary_admin , with no conditions or scripts
    • bonus: read for role bonus_admin, with no conditions or scripts
    		 A user with the salary_admin role is refused read and report_view access to total, because bonus refuses read access to their role.
    Table 3. Example 3: Contributing field ACL has script
    ACLs Result
    • total, base: read and report_view for role salary_admin, with no conditions or scripts
    • bonus: report_view for role bonus_admin, with no conditions or scripts
    • bonus: read for role salary_admin, with a script (note that it doesn't matter what's in the script, only that it's there)
    		 A user with the salary_admin role is granted read access to total, because they have the required role for all fields.

    But the same user with the salary_admin is refused report_view access, because the read ACL with the script refuses access by default for this case, even though they have the required role.