How to Create Column Level Security
How do you implement column level security? For example, if you do not want the sales reps to see the profit column, what rules do you use?
First, choose which columns in the cBase are sensitive, and restrict those columns with restrict-columns.
NOTE: You can use only one restrict-columns tag within a cbase-access tag. Multiple allow-columns tags are allowed, so you can allow access to restricted columns for specific users, groups, or those with a certain property applied.
For example, here three columns are restricted:
cbase-access {
  restrict-columns "Profit" "Secret Number" "Password"
  ...
Second, add rules that grant specific people access to the restricted columns by using condition statements. You can specify who can access each column based on user, group, or property values. For example, the following script allows access to the Profit column if the Role property value is either Manager or CEO:
cbase-access {
  restrict-columns "Profit" "Secret Number" "Password"
  allow-columns "Profit" {
    if-property "Role" "Manager" "CEO"
  }
}
To also allow access when the user is Steve, add a second allow-columns tag:
cbase-access {
  restrict-columns "Profit"
  allow-columns "Profit" {
    if-property "Role" "Manager" "CEO"
  }
  allow-columns "Profit" {
    if-user "Steve"
  }
}
...
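A way to review such a block before deploying it, as an added Python example (not the product's own code or evaluator): it checks the one-restrict-columns rule from the NOTE, flags allow-columns tags that name a column nobody restricted, and lists the columns a given user would still see. It assumes exact string matching, one tag per line, and that a block with several conditions requires all of them; the policy text is constructed from the rules above.

```python
import re

# Constructed policy, modelled on the rules shown on this page.
POLICY = """
cbase-access {
  restrict-columns "Profit" "Secret Number" "Password"
  allow-columns "Profit" {
    if-property "Role" "Manager" "CEO"
  }
  allow-columns "Profit" {
    if-user "Steve"
  }
}
"""

def parse(text):
    """Return (restrict-columns argument lists, allow-columns rules)."""
    restricts, allows, current = [], [], None
    for line in text.splitlines():
        tag = (line.split() or [""])[0]
        args = re.findall(r'"([^"]*)"', line)
        if tag == "restrict-columns":
            restricts.append(args)
        elif tag == "allow-columns":
            current = {"columns": args, "conds": []}
            allows.append(current)
        elif tag in ("if-user", "if-property") and current is not None:
            current["conds"].append((tag, args))
        elif tag == "}":
            current = None
    return restricts, allows

def lint(text):
    """Flag a second restrict-columns tag and allow rules on unrestricted columns."""
    restricts, allows = parse(text)
    restricted = {c for r in restricts for c in r}
    issues = ["more than one restrict-columns tag"] if len(restricts) > 1 else []
    issues += [f'allow-columns "{c}" is not restricted (typo?)'
               for rule in allows for c in rule["columns"] if c not in restricted]
    return issues

def matches(cond, user, props):
    tag, args = cond
    if tag == "if-user":
        return user in args
    return props.get(args[0]) in args[1:]  # if-property "Name" "v1" "v2" ...

def visible(text, columns, user, props):
    """Columns left visible: a restricted column needs a matching allow rule."""
    restricts, allows = parse(text)
    hidden = {c for r in restricts for c in r}
    for rule in allows:
        # Assumption: every condition in a block must match (the page shows one).
        if rule["conds"] and all(matches(c, user, props) for c in rule["conds"]):
            hidden -= set(rule["columns"])
    return [c for c in columns if c not in hidden]
```

Running `visible` for a sales rep, a manager, and Steve shows that "Secret Number" and "Password" stay hidden from all three, because no allow-columns tag names them.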
See also:
- Managing Properties
- Assigning Properties to Users and Groups
- Access Control File Code Block