Data roles
Data roles, also called entitlements, are sets of permissions defined per virtual database that specify data access permissions (create, read, update, delete). Data roles use a fine-grained permission system that Teiid will enforce at runtime and provide audit log entries for access violations. See Logging and Custom Logging for more.
Before you apply data roles, you might want to restrict source system access through the fundamental design of your virtual database. Foremost, Teiid can only access source entries that are represented in imported metadata. You should narrow imported metadata to only what is necessary for use by your virtual database.
If data role validation is enabled and data roles are defined in a virtual database, then access permissions will be enforced by the Teiid server. The use of data roles may be disabled system wide by removing the setting for the teiid subsystem policy-decider-module. Data roles also have built-in security functions that can be used for row-based and other authorization checks.
Warning
A virtual database that is deployed without data roles can be accessed by any authenticated user. If you want to ensure that some attempt has been made at securing access, set the data-roles-required configuration element to true via the CLI or in the standalone.xml on the teiid subsystem.
Tip
By default, non-hidden schema metadata is only visible over JDBC/pg if the user is permissioned in some way for the given object. OData access provides all non-hidden metadata by default. To configure JDBC/pg to also make all non-hidden schema metadata visible to all authenticated users, set the environment/system property org.teiid.metadataRequiresPermission to false.
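The three settings discussed above (the policy-decider-module, the data-roles-required element from the warning, and the system property from the tip) shown together as an added standalone.xml excerpt; this is not from the Teiid documentation, the server and subsystem namespace versions and the module name are assumptions, and the other subsystem elements are omitted:

```xml
<!-- Added example, not part of the Teiid documentation. Namespace versions and
     the module name are assumptions; keep the values and element order of your
     existing standalone.xml and only adjust the three settings called out below. -->
<server xmlns="urn:jboss:domain:4.0">
    <system-properties>
        <!-- Default behaviour: JDBC/pg shows non-hidden schema metadata only for
             objects the user is permissioned on. Setting this to false exposes all
             non-hidden metadata to every authenticated user. -->
        <property name="org.teiid.metadataRequiresPermission" value="true"/>
    </system-properties>
    <profile>
        <subsystem xmlns="urn:jboss:domain:teiid:1.1">
            <!-- Refuse to deploy a VDB that defines no data roles; without this, a
                 VDB deployed without roles is readable by any authenticated user. -->
            <data-roles-required>true</data-roles-required>
            <!-- Removing this element disables data-role enforcement system wide,
                 so keep it present. The value is installation-specific; the one
                 below is a placeholder. -->
            <policy-decider-module>YOUR_POLICY_DECIDER_MODULE</policy-decider-module>
        </subsystem>
    </profile>
</server>
```

After changing these values, reload the server and confirm that a VDB with no data roles is rejected at deployment and that access violations appear in the audit log.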