This content has been marked as final. Show 4 replies
Can I infer from your post that you're employing your security filters via a Studio SecurityManager extension? If so, there is no reason that you can use this extension to apply a security filter which uses a boolean "AND" operator between your two mandatory conditions (ie. viewmetadata="true" AND viewrecord="true").
Please see chapter 2 of the StudioDevelopmentGuide --> http://docs.oracle.com/cd/E29805_01/StudioDevGuide.pdf for creating a custom SecurityManager
Please see information related to DataSourceFilters in the StudioUsersGuide for info on syntax --> http://docs.oracle.com/cd/E29805_01/StudioUsersGuide.pdf
Thanks for the reply.
Yes, we are are using the concept in SecurityManager to apply the security filters.
We have found an issue using mutiple security filter with "AND" operator.
Record1: Title="Fire" Content="Fire" Viewmetadata="true" Viewrecord="true"
Record2: Title="Fire" Content="Fire" Viewmetadata="true" Viewrecord="false"
Record3: Title="water" Content="Fire" Viewmetadata="true" Viewrecord="false"
If an user has perimission to view meta data for all three records & can view content of only record1 and the user searches for "Fire" we want back Record1&Record2.
But record2 should only get searched in "Title" field because user don't have permission to view the content.
So if we apply "AND" operator in this situation we only get back record1.
The issue we are facing here is, we have to make the search only happens in,
1. both (title and content) if user has permission to view metdata and view record
2. only title if user has permission to view metdata only.
Please provide your suggestion on this.
Your requirements are a mixture of record/row-level security (which records can I see) and attribute/field-level security (which attributes can I see and search). The focus of the Security Manager extension and default implementation is on record-level security.
In terms of restricting searchability of attributes or sets of attributes, this can be achieved through the use of Search Interfaces. These aggregate attributes into a single search, however you won't be able to automatically bind users to Search Interfaces, although you may be able to achieve this manually through multiple search portlets and portlet permissions. The same applies for the actual display of attributes.
Thanks for the reply. Yes we want to limit the number of fields getting searchED and it will vary per record for a given query.
For example, For record 1 => search in Title & content and for record 2 => search in only Title.
Because for record 2, user may not have permission to view the content.
The one way of achieving this use case.
1. Create search interface for Title field and search in all the records for which user has the permission to view the meta data
2. Create search interface for Content and search in all the records for which user has the perimission to view the content
3. In the UI code, aggregate the results from two different queries
But with this approach, the result aggregation, pagination have to be done through code. So is there an another way to handle this use case(whether engine can handle aggregating the results)?.
Please provide your suggestions.