ACL control of function fields

  • Release version: Washingtondc
  • Updated February 1, 2024
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of ACL Control of Function Fields

    In the Washington DC release and later, access control lists (ACLs) for function fields now require not only access to the function field itself but also to all contributing fields. Contributing fields are those referenced in the function's definition, enhancing security by ensuring users can only access data they are authorized to view.

    Show full answer Show less

    Key Features

    • Access Evaluation: The system checks access to both the function field and its contributing fields when a user attempts to read or report on the function field.
    • Operations Affected: The new requirement affects the read and reportview operations.
    • Read Operation: Users must have read access to both the function field and all contributing fields.
    • Report View Operation: Users need reportview access to the function field and each contributing field, along with specific role requirements.

    Key Outcomes

    As a result of these changes, users can expect stricter access controls that help prevent unauthorized data access. For example, if access to any contributing field is denied, access to the function field will also be denied. This enhances data security and ensures compliance with organizational policies.

    When evaluating access to a function field, in addition to checking access to the function field itself, the system also checks access to the function's contributing fields. Contributing fields are those used as the arguments in a given function definition.

    For more information about function fields, see Function field.

    In Rome and earlier, the system simply checks access to the function field itself (as with any other field). If the ACLs on that field allow access, the user receives the resulting value, regardless of whether the user has access to the contributing fields.

    In Washington DC and later, the system also requires access to all contributing fields in order to allow access to the function field. If one or more of the contributing field ACLs refuse access, the function field also refuses access.

    The only operations affected by the new requirement are read and report_view. Report_view has its own additional requirements.

    Operation Description
    read operation A user has read access to a function field only if both of the following are true:
    • The user has read access to the function field.
    • The user has read access to all of the contributing fields used in the function.
    report_view operation A user has report_view access to a function field only if all of the following are true:
    • The user has report_view access to the function field.
    • The user has report_view access to each of the contributing fields.
    • There is a role-only read ACL without conditions and without a script, and the user has that role.
    • The user has role-only read access to the contributing fields, such that only ACLs without condition or script can allow.

    Examples

    Given:
    • Table: salary
    • Columns: base, bonus, total (all are Integers in this example)
    • Function field: The total column is marked as a function field, with function definition glidefunction:add(base, bonus).
    • Contributing fields: base and bonus, since they're used in the function definition
    • Roles: salary_admin, bonus_admin
    Table 1. Example 1: All fields allow access
    ACLs Result
    total, base, bonus: read and report_view for role salary_admin, with no conditions or scripts A user with the salary_admin role is granted read and report_view access to total because they have the required role.
    Table 2. Example 2: Contributing field refuses read access
    ACLs Result
    • total, base: read and report_view for role salary_admin, with no conditions or scripts
    • bonus: report_view for role salary_admin , with no conditions or scripts
    • bonus: read for role bonus_admin, with no conditions or scripts
    		 A user with the salary_admin role is refused read and report_view access to total, because bonus refuses read access to their role.
    Table 3. Example 3: Contributing field ACL has script
    ACLs Result
    • total, base: read and report_view for role salary_admin, with no conditions or scripts
    • bonus: report_view for role bonus_admin, with no conditions or scripts
    • bonus: read for role salary_admin, with a script (note that it doesn't matter what's in the script, only that it's there)
    		 A user with the salary_admin role is granted read access to total, because they have the required role for all fields.

    But the same user with the salary_admin is refused report_view access, because the read ACL with the script refuses access by default for this case, even though they have the required role.