JBoss.org Community Documentation
Data roles, also called entitlements, are sets of permissions defined per VDB that dictate data access (create, read, update, delete). The use of data roles is controlled system-wide by the useEntitlements property on the RuntimeEngineDeployer bean in the
<jboss-install>/server/<profile>/deploy/teiid/teiid-jboss-beans.xml file.
Once data roles are enabled, the access permissions defined in a VDB are enforced by the Teiid Server. Until that property is set, any data-policy entries in a deployed VDB have no effect, so check it as part of any review of a deployment's access controls.
To process a SELECT statement or a stored procedure execution, the user account requires the following access rights:
READ - on the Table(s) being accessed or the procedure being called.
READ - on every column referenced.
To process an INSERT statement, the user account requires the following access rights:
CREATE - on the Table being inserted into.
CREATE - on every column being inserted on that Table.
To process an UPDATE statement, the user account requires the following access rights:
UPDATE - on the Table being updated.
UPDATE - on every column being updated on that Table.
READ - on every column referenced in the criteria.
To process a DELETE statement, the user account requires the following access rights:
DELETE - on the Table being deleted from.
READ - on every column referenced in the criteria.
Data roles are defined in the vdb.xml file (if you used Designer, this is inside the .vdb Zip archive under META-INF/vdb.xml).
This example shows a sample vdb.xml file with a few simple data roles.
For example, suppose a VDB defines a table "TableA" in schema "modelName" with columns (column1, column2); the column types do not matter. We wish to define three roles "RoleA", "RoleB", "RoleC" with the following permissions:
RoleA has read and write access to TableA, but cannot delete.
RoleB has no privileges that allow access to TableA.
RoleC has privileges that only allow read access to TableA.column1.
Example 7.1. vdb.xml defining RoleA, RoleB, and RoleC
<?xml version="1.0" encoding="UTF-8"?>
<vdb name="sample" version="1">
  <model name="modelName">
    <source name="source-name" translator-name="oracle" connection-jndi-name="java:myDS" />
  </model>
  <data-policy name="RoleA">
    <description>Allow all, except Delete</description>
    <permission>
      <resource-name>modelName.TableA</resource-name>
      <allow-create />
      <allow-read />
      <allow-update />
    </permission>
    <permission>
      <resource-name>modelName.TableA.column1</resource-name>
      <allow-create />
      <allow-read />
      <allow-update />
    </permission>
    <permission>
      <resource-name>modelName.TableA.column2</resource-name>
      <allow-create />
      <allow-read />
      <allow-update />
    </permission>
    <mapped-role-name>role1</mapped-role-name>
  </data-policy>
  <data-policy name="RoleC">
    <description>Allow read only</description>
    <permission>
      <resource-name>modelName.TableA</resource-name>
      <allow-read />
    </permission>
    <permission>
      <resource-name>modelName.TableA.column1</resource-name>
      <allow-read />
    </permission>
    <mapped-role-name>role2</mapped-role-name>
  </data-policy>
</vdb>
The above XML defines two data roles: "RoleA", which allows everything except delete on the table, and "RoleC", which allows only read operations on the table and on column1. Since Teiid denies access by default, no explicit data-policy entry is needed for "RoleB". For the same reason, resource names must match the table and column names in the VDB exactly: a permission whose resource-name matches nothing in the VDB grants nothing, so a misspelled column name silently denies access rather than granting it. The "mapped-role-name" defines the "role" to which these policies apply. Each data-policy must define a "role" to be enforced by the Teiid Server.
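The following is an added example, not code from the Teiid project or from this page: a small Python audit script that loads a vdb.xml like the one above and applies the per-statement access rules listed earlier (READ on the table and every referenced column for SELECT, CREATE for INSERT, UPDATE plus READ on criteria columns for UPDATE, DELETE plus READ on criteria columns for DELETE), with deny-by-default for any role that has no data-policy. It assumes the vdb.xml layout shown above (no XML namespace), a constructed schema dictionary listing TableA's columns (vdb.xml itself does not list columns; Designer metadata does), and a literal reading of the page's rules where column-level grants are required in addition to the table grant. It also lints for resource names that match no table or column, which is how a typo such as "colum1" would be caught before deployment.

```python
# Added example (not Teiid project code): audit a vdb.xml against the access
# rules on this page. Assumes the vdb.xml layout shown above (no XML namespace)
# and a constructed schema listing TableA's columns, which vdb.xml itself omits.
import xml.etree.ElementTree as ET

# Constructed copy of the page's vdb.xml example.
VDB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<vdb name="sample" version="1">
  <model name="modelName">
    <source name="source-name" translator-name="oracle" connection-jndi-name="java:myDS" />
  </model>
  <data-policy name="RoleA">
    <description>Allow all, except Delete</description>
    <permission><resource-name>modelName.TableA</resource-name>
      <allow-create /><allow-read /><allow-update /></permission>
    <permission><resource-name>modelName.TableA.column1</resource-name>
      <allow-create /><allow-read /><allow-update /></permission>
    <permission><resource-name>modelName.TableA.column2</resource-name>
      <allow-create /><allow-read /><allow-update /></permission>
    <mapped-role-name>role1</mapped-role-name>
  </data-policy>
  <data-policy name="RoleC">
    <description>Allow read only</description>
    <permission><resource-name>modelName.TableA</resource-name><allow-read /></permission>
    <permission><resource-name>modelName.TableA.column1</resource-name><allow-read /></permission>
    <mapped-role-name>role2</mapped-role-name>
  </data-policy>
</vdb>
"""

# Constructed schema (assumption): the columns that Designer metadata would supply.
SCHEMA = {"modelName.TableA": ["column1", "column2"]}

# Per statement type: the action needed on the table, and the action needed on
# each column the statement selects or writes. Criteria columns always need read.
REQUIRED = {
    "SELECT": ("read", "read"),
    "INSERT": ("create", "create"),
    "UPDATE": ("update", "update"),
    "DELETE": ("delete", None),
}


def load_policies(xml_text):
    """Map data-policy name -> {resource-name -> set of allowed actions}."""
    policies = {}
    for dp in ET.fromstring(xml_text).findall("data-policy"):
        perms = {}
        for p in dp.findall("permission"):
            actions = {c.tag[len("allow-"):] for c in p if c.tag.startswith("allow-")}
            perms[p.findtext("resource-name")] = actions
        policies[dp.get("name")] = perms
    return policies


def is_allowed(policies, role, statement, table, columns=(), criteria=()):
    """Apply the page's rules. A role with no data-policy gets nothing (deny by default)."""
    perms = policies.get(role, {})
    table_action, column_action = REQUIRED[statement]
    if table_action not in perms.get(table, set()):
        return False
    if column_action and any(column_action not in perms.get(f"{table}.{c}", set())
                             for c in columns):
        return False
    return all("read" in perms.get(f"{table}.{c}", set()) for c in criteria)


def lint_resources(policies, schema):
    """List (policy, resource-name) pairs that name no table or column in the
    schema. Such permissions grant nothing, so a misspelled column name silently
    denies access instead of granting it."""
    known = set(schema)
    for table, cols in schema.items():
        known.update(f"{table}.{c}" for c in cols)
    return sorted((role, r) for role, perms in policies.items()
                  for r in perms if r not in known)


if __name__ == "__main__":
    pol = load_policies(VDB_XML)
    for role in ("RoleA", "RoleB", "RoleC"):
        print(role, "SELECT column1, column2:",
              is_allowed(pol, role, "SELECT", "modelName.TableA", ["column1", "column2"]))
    # Re-introduce the typo to show the lint catching it.
    typo = load_policies(VDB_XML.replace("column1", "colum1"))
    print("unmatched resources:", lint_resources(typo, SCHEMA))
```

Run it against a real vdb.xml by replacing VDB_XML with the file contents and SCHEMA with the tables and columns from your Designer model; any row returned by lint_resources is a grant that will never take effect.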
To assign roles to your users in JBoss AS, follow the instructions for the Login Module you have selected; see the "Admin Guide" for configuring Login Modules.
The vdb.xml file is validated against the schema file vdb-deployer.xsd; a copy of the schema can be found in the documents section of the Teiid kit.
Currently there is no GUI tooling support in the Designer or any other management tool for creating the data-roles permission XML; providing it is on our roadmap for future releases.