Restrict IDOL Server Database Access

You can restrict access to individual IDOL server databases by creating privileges and associating them with IDOL server roles. Only users who belong to a role with the necessary privileges can query an IDOL server database. This provides an efficient front-end driven security mechanism that only queries data stored in databases the user is permitted to view.

To restrict a role’s access to specific databases

  1. Add a privilege to IDOL server by sending a RoleAddPrivilege action from a browser.

    For example:

    http://localhost:9000/action=RoleAddPrivilege
                                       &Name=Databases
                                       &SingleValue=false

    This example creates a multivalued Databases privilege in the IDOL server.

  2. Add the privilege to a role, and specify a value for it.

    For example:

    http://localhost:9000/action=RoleSetPrivilegeForRole 
                                       &RoleName=Marketing
                                       &Privilege=Databases
                                       &Value=News,Markets,Sales

    This example adds the Databases privilege to the Marketing role. The Databases privilege has the value News,Markets,Sales.

  3. Set up the front-end application to identify a user’s privileges when the user logs on to the system.

    For example:

    http://localhost:9000/action=RoleGetUserPrivilegeValueList
                                       &UserName=JSmith
                                       &Privilege=Databases

    If the user JSmith has been added only to the Marketing role, the result this action returns specifies that the user’s Databases privilege has the value News,Markets,Sales.

  4. The front-end application can now include the Databases privilege’s values in queries this user sends to IDOL server. To specify databases to which a query is restricted, for example, the front end should add the DatabaseMatch parameter to the query it sends, and set it with the value that the RoleGetUserPrivilegeValueList action returned.

    For example:

    http://localhost:9000/action=Query
                                    &Text=2003 marketing campaigns in Europe
                                    &DatabaseMatch=News,Markets,Sales

    In this example, the query specified is applied to the News, Markets and Sales databases.

NOTE:

You can use the DatabasePrivilege parameter in the [Roles] section of the IDOL server configuration file to specify a privilege that defines which databases all roles can access. The role to which all users belong by default is specified by the DefaultRolename parameter in the [Roles] section of IDOL server’s configuration file. This parameter is set to the everyone role by default.

NOTE:

Every time IDOL server is restarted, the databases that can be queried by the default role (specified by the DefaultRolename configuration parameter) are reset to include all databases. You can override this behavior and persist the databases that can be queried by the default role by setting AutoSetDatabases=False.


_HP_HTML5_bannerTitle.htm