Field Level Security

Field Level Security can be applied for the fields returned by client-visible operations (i.e. operations of the Facade class). It is only relevant to operations of a client-visible operation (defined in a Facade class).

In Rational Software Architect the Secure Fields properties tab of the Facade class operation allows you to apply security to any field returned by an operation by specifying a security identifier (SID) for that field.

To establish secure returned fields for an an operation use the Secure Fields button from the properties tab for the operation. Clicking the SID Name cell for the returned Field Name allows you to enter the security identifier (SID). The maximum length of a security identifier is 100 characters.

The client infrastructure will then ensure that fields for which a SID has been specified can only be viewed by users to whom that SID has been granted. Fields for which no SID has been specified will be visible to all users.

All the information about Field Level Security - which SID is assigned to a field - is written by the generator to an XML file and is loaded into database table FieldLevelSecurity by the Data Manager. The Data Manager configuration file datamanager_config.xml must be changed to reference the generated file <ProjectName>_FieldsReturned.xml. This can be done by adding an entry to the initial target as shown in Field Level Security below.

Figure 1. Sample datamanager_config.xml for adding field level security information to the database
<target name "initial"
<entry
  name="build/svr/gen/ddl/<ProjectName>_Fids.xml"
  type="xml" base="basedir" />
<entry
  name="build/svr/gen/ddl/<ProjectName>_FieldsReturned.xml"
  type="xml" base="basedir" />
</target>

Once the field names and SIDs have been added to the FieldLevelSecurity table, the SIDs should be loaded into the SecurityIdentifier to enable them to be assigned to groups. This can be done using the database command shown in Field Level Security below.

Figure 2. Inserting field level security SIDs into the infrastructure SecurityIdentifier table
INSERT INTO SecurityIdentifier(sidName, sidType, versionNo)
  SELECT DISTINCT sidName, 'FIELD', 1 from FieldLevelSecurity
  WHERE sidName IS NOT NULL;

These SIDs can then be assigned to user groups using the Security Administration console.

Parent topic: Operation Options