Skip to main content

Database Access Control

There are two kinds of permissions used by the Database REST API : branch permissions and table permissions. They are independent and defined separately : the table permissions are not specific to a branch.

These permissions are sets of usernames or roles. If a user has his name or one of his roles in the set then he has the permission.

To do an action a user need both permissions :

  • To read a field one needs the read permission on this field of the table and to be a reader of the branch
  • To update a field one needs the write permission on this field and to be owner of the branch
  • To insert/delete a line in a table, one needs the write permission on all the fields of the table, to be owner of the branch and the insertion/deletion must be activated in this table.

When discovering a table using the REST API, the result contains canEdit, canInsert and canUpdate fields. These fields are user specific : the value depends on the global table permissions and the user permissions.

Table and Field Permissions

The permissions can be defined at the table level or at the field level for more detailed permissions. Each field has 2 sets : readers and writers. Giving the permission to a table is equivalent to giving the permission for each field of that table.

Additionally each table can support insertion and deletion via the REST API. This means that a user that has WRITER permissions on each field of the table can insert or delete rows.

These permissions are stored in a ITableSecurity which can be built like that :

TableSecurityBuilder.startBuildingTableSecurity()
    .supportInsertion()
    .supportDeletion()
    .withTableWriters(ROLE_ADMIN)
    .withTableReaders(ROLE_USER)
    .addFieldPermission("currency", Collections.emptyList(), Arrays.asList(ROLE_USER))
    .build();

This table supports deletion and insertion. ROLE_ADMIN can read and edit all the fields. ROLE_USER can read all the fields but only update the currency field, which means that he is not allowed to insert or delete rows.

Branch permissions

The branch permission manager controls the accesses to both the database and the cube.