Row access control
Row access control and access control mechanisms let you to restrict user's access to data.
Access control describes when a user can see or edit particular columns in tables without considering the state of records. Row access control operates at the level of records, defining which records a user can see.
Row access control works at the database level. Every database request is wrapped in the additional conditions by the InstaDB engine before is passed to the database engine. So this mechanism is the one recommended (together with access control) for providing secure control over users access.
Working with row access control
When you switch the row access control, you have to choose one of it's modes: None or All. The first one blocks access to all records in all tables (unless some specific rule says something different), the second one allow access to all records (what also can be restricted by a set of exceptions). Usually the first option is recommended as more convenient.
The Tables section is the place, when you can define set of exceptions for None/All general rule.
You can add as many exceptions to the general rule as many tables in is in the schema. So it is possible to create only a single exception for a table. Of course the exception definition can be composed of multiple rules to cover all possible cases. It is described in details in the further part of this chapter.
General rule exceptions
To add an exception to the general row access rule you need to specify which table it applies to. TO do it just select the table in the Name Section. You can add only one exception for a table.
The next part of an exception definition is a set of Rules. It is possible to define any number of rules regarding the table.
Row access control table rules
A table rule is described by two elements:
Roles,
Row access.
Roles describes the set of user roles, for which the rule is applied. There are two possible states:
-
All means that the rule applies for all users;
-
One of is an enumeration of roles, for which the rule is defined; it is possible to add any number of roles here.
Row access defines the condition a record must fulfil to be accessible to a user. It can be defined in two ways:
-
by selecting All option - then it applies to all records;
-
by defining an Expression, which determines if the access is granted or not; it is possible to write any kind of expression here; the expression editor may be helpful.
To summarize, the access is granted according to a rule when user fulfils the condition specified in Roles section (belongs to at least one role listed there) and in the same time record fulfils condition specified in Row access section.
Note: row access control table rules are cumulative, so if one rule forbids access to a record and in the same time some other rule allows it then the permission will be granted to a user.