Prev  Up  Next
Chapter 12. Link Your Scopes and Security Contexts (STEP 5)  Home  Chapter 14. Create Initial Privileges (STEP 7)

In your database, you are likely to have a hierarchy of scopes. What this means is that one scope is contained within another. For instance a project scope might be contained within the department scope of the department that owns the project. This hierarchy is used in 2 ways:

  • for scope promotions;
  • for determining access rights to data within inferior scopes.

Determining which scopes may be promoted to which other scopes is done through the superior_scopes view. This identifies, for each scope, what directly superior scopes exist. It does not identify global scope, and does not require a recursive query to identify grandparent scopes etc. These are handled elsewhere.

You will need to create a custom version of the superior_scopes view. This is done (as described here) by creating an over-riding custom view named my_superior_scopes. The provided Veil2 base version of this view is simply a placeholder.

You will define this view as the union of a number of selects. Each select will represent a single type of superior scope. The following example is from the demo. See STEP 6 in the file demo/veil2_demo--0.9.1 (beta).sql.

create or replace
view veil2.my_superior_scopes (
  scope_type_id, scope_id,
  superior_scope_type_id, superior_scope_id
) as
select 4, party_id,  -- Promote org to corp scope
       3, corp_id
  from demo.parties_tbl -- No join needed to scopes as party_id == scope_id
 where party_type_id = 2
union all
select 4, party_id,  -- Promotion of org to higher org
       4, org_id
  from demo.parties_tbl
 where party_type_id = 2
   and party_id != org_id  -- Cannot promote to self
union all
select 5, s.scope_id,   -- Project to corp promotions
       3, p.corp_id
  from demo.projects p
 inner join veil2.scope_links s
    on s.project_id = p.project_id
union all
select 5, s.scope_id,   -- Project to org promotions
       4, p.org_id
  from demo.projects p
 inner join veil2.scope_links s
    on s.project_id = p.project_id;
      

Note that if you have something like an organizational hierarchy in which you want someone that is assigned a role in an organizational context, to automatically have those rights in all subordinate organizational contexts, you will need to define scope promotions within that hierarchy. This is done by the second query in the above union.

Any time you redefine this view you should call veil2.init() to update the base definition and refresh the materialized views that depend on it.

If your scope hierarchy changes in a way that could affect the privileges that might be assigned to accessors, you should refresh all materialized views and caches. Since determining what sort of updates might require this is somewhat complicated, we recommend that any change that would result in the veil2.superior_scopes view returning different data should result in a full refresh of all materialized views. For this you should call the trigger function veil2.refresh_scopes_matviews().

It is assumed that such changes will be rare but if this is not the case, and you encounter a performance penalty from having the veil2.accessor_privileges_cache cache table repeatedly cleared, you may be able to, instead of truncating that table, selectively delete records based on the session contexts that are affected by your changes. Our recommendation is not to tackle this until you know that you have a problem. By then you should have enough local Veil2 expertise that you can easily figure out what to do.


Prev  Up  Next
Chapter 12. Link Your Scopes and Security Contexts (STEP 5)  Home  Chapter 14. Create Initial Privileges (STEP 7)