Restricting access to particular rows through Views

John SooHoo

Restricting access to particular rows through Views

Hello, I checked the manuals and just wanted to confirm if my understanding is right.

My user wants to provide Select table access to certain users but restrict (prevent) access to certain rows (identifiable by key).

The Managing Security manual notes that views may be problematic for Insert, Update and Delete.  In my case, only Select is involved.

And the other issue mentioned in the manual of accountability or auditability of access of those restricted rows is, I believe, not an issue for my user (awaiting confirmation).

If my user confirms this, is there any reason to go with Multilevel Security and the set up involved (RACF and security labels and populating them appropriately, etc.)?  I am thinking the KISS principle might apply.

Thanks in advance.

Roy Boxwell

Restricting access to particular rows through Views
(in response to John SooHoo)
Stick with a VIEW if you possibly can! The overhead of the MLS can be a real killer…and the setup pain…

Roy Boxwell

SOFTWARE ENGINEERING GMBH and SEGUS Inc.
-Product Development-

Heinrichstrasse 83-85
40239 Duesseldorf/Germany
Tel. +49 (0)211 96149-675
Fax +49 (0)211 96149-32
http://www.seg.de

Software Engineering GmbH
Amtsgericht Düsseldorf, HRB 37894
Geschäftsführung: Gerhard Schubert, Bettina Schubert

From: John SooHoo
Sent: Thursday, March 23, 2017 10:06 PM
Subject: [DB2-L] - Restricting access to particular rows through Views


-----End Original Message-----

John SooHoo

RE: Restricting access to particular rows through Views
(in response to Roy Boxwell)

Thank you, Roy.

I was suspecting this but wasn't sure if I might be missing something.

Thanks again.

John

Peter Vanroose

RE: Restricting access to particular rows through Views
(in response to John SooHoo)

Two small comments, just in case it would be useful:

- Make sure you don't grant access to the underlying table, just to the view.
- The WHERE condition of a view definition can also refer to e.g. the register named "USER" (the ID of the user selecting from the view), which can make the viewed rows user-dependent.

--      Peter Vanroose
        ABIS Training & Consulting,
        Leuven, Belgium.
        http://www.abis.be/
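
The two points above written out in Db2 SQL, as an added example that was not posted by anyone in this thread. The schema APP, the tables ORDERS and ORDER_ACCESS, the view names, the key values and the grantee REPORT1 are all assumed names, and the catalog query assumes Db2 for z/OS (SYSIBM.SYSTABAUTH).

```sql
-- Assumed base table holding both permitted and restricted rows.
CREATE TABLE APP.ORDERS
  (ORDER_ID INTEGER       NOT NULL,
   REGION   CHAR(4)       NOT NULL,
   AMOUNT   DECIMAL(11,2) NOT NULL);

-- Variant 1: hide specific rows identified by key (constructed key values).
CREATE VIEW APP.ORDERS_PUBLIC AS
  SELECT ORDER_ID, REGION, AMOUNT
    FROM APP.ORDERS
   WHERE ORDER_ID NOT IN (1001, 1002);

-- Variant 2: make the visible rows depend on who is selecting.
-- ORDER_ACCESS (assumed) maps an authorization ID to the regions it may see.
CREATE TABLE APP.ORDER_ACCESS
  (AUTH_ID VARCHAR(128) NOT NULL,
   REGION  CHAR(4)      NOT NULL);

CREATE VIEW APP.ORDERS_BY_USER AS
  SELECT O.ORDER_ID, O.REGION, O.AMOUNT
    FROM APP.ORDERS O
   WHERE EXISTS (SELECT 1
                   FROM APP.ORDER_ACCESS A
                  WHERE A.AUTH_ID = USER      -- the USER special register
                    AND A.REGION  = O.REGION);

-- Grant SELECT on the views only, never on APP.ORDERS or APP.ORDER_ACCESS.
GRANT SELECT ON APP.ORDERS_PUBLIC  TO REPORT1;
GRANT SELECT ON APP.ORDERS_BY_USER TO REPORT1;

-- Check: list every ID (including PUBLIC) that still holds SELECT on the
-- base tables. Any grantee here other than the owning/admin IDs can bypass
-- the views and read the restricted rows directly.
SELECT TTNAME, GRANTEE, SELECTAUTH
  FROM SYSIBM.SYSTABAUTH
 WHERE TCREATOR = 'APP'
   AND TTNAME IN ('ORDERS', 'ORDER_ACCESS')
   AND SELECTAUTH <> ' '
 ORDER BY TTNAME, GRANTEE;
```

If the catalog query returns a grantee that should only see the filtered rows, revoke that table-level SELECT so that the view is the only path to the data.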

Shay Miller

RE: Restricting access to particular rows through Views
(in response to John SooHoo)



In Reply to John SooHoo:

...

The Managing Security manual notes that views may be problematic for Insert, Update and Delete.  In my case, only Select is involved.

...

If the view isn't read only (see the manual for details on when it's considered read only), you can do DML (INSERT/UPDATE/DELETE) against it.

If it's read only, most of the issues can be addressed with INSTEAD OF triggers.

Shay.