Data roles
Data roles, also called entitlements, are sets of permissions defined per virtual database that specify data access permissions (create, read, update, delete). Data roles use a fine-grained permission system that Teiid Spring Boot will enforce at runtime and provide audit log entries for access violations.
Before you apply data roles, you might want to restrict source system access through the fundamental design of your virtual database. Foremost, Teiid Spring Boot can only access source entries that are represented in imported metadata. You should narrow imported metadata to only what is necessary for use by your virtual database.
If data role validation is enabled and data roles are defined in a virtual database, then access permissions will be enforced by the Teiid Spring Boot server. The use of data roles may be disabled system wide by removing the setting for the teiid subsystem policy-decider-module. Data roles also have built-in security functions that can be used for row-based and other authorization checks.
Warning: A virtual database that is deployed without data roles can be accessed by any authenticated user.
Tip: By default, non-hidden schema metadata is only visible over JDBC/pg if the user is permissioned in some way for the given object. OData access provides all non-hidden metadata by default. To configure JDBC/pg to also make all non-hidden schema metadata visible to all authenticated users, set the environment/system property org.teiid.metadataRequiresPermission to false.
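A worked example, added here and not taken from the Teiid Spring Boot project: a DDL-based virtual database (schema, table, role and data source names are made up) that narrows the imported metadata, defines two data roles, grants one of them full CRUD, and restricts the other with a row condition and a column mask built on the hasRole security function. It assumes Teiid's DDL VDB grammar for CREATE ROLE and GRANT; check the statements against the Teiid reference for your version.

```sql
-- Added example (not Teiid project code): a virtual database whose data roles
-- restrict what each caller can see. All names are made up for illustration.
CREATE DATABASE customers VERSION '1';
USE DATABASE customers VERSION '1';

-- In Teiid Spring Boot the server name is matched to a DataSource bean (assumed name).
CREATE SERVER crm FOREIGN DATA WRAPPER postgresql;

-- Import only the tables this VDB needs; anything not imported cannot be
-- reached through Teiid at all, regardless of data roles.
CREATE SCHEMA crm_src SERVER crm;
IMPORT FOREIGN SCHEMA public FROM SERVER crm INTO crm_src
    OPTIONS ("importer.tableTypes" 'TABLE', "importer.tableNamePattern" 'customer%');

-- The virtual layer that callers actually query.
CREATE VIRTUAL SCHEMA portfolio;
SET SCHEMA portfolio;
CREATE VIEW Customer (id integer, name string, region string, ssn string)
    AS SELECT id, name, region, ssn FROM crm_src.customer;

-- Data roles, mapped from the container's security roles of the same name.
CREATE ROLE support WITH JAAS ROLE 'support';
CREATE ROLE admin   WITH JAAS ROLE 'admin';

-- Nothing is permitted unless granted: 'admin' gets full CRUD on the view.
GRANT SELECT, INSERT, UPDATE, DELETE ON TABLE portfolio.Customer TO admin;

-- 'support' may only read, and only rows in its own region (row-based check).
GRANT SELECT ON TABLE portfolio.Customer
    CONDITION 'region = ''US''' TO support;

-- 'support' sees a masked SSN; hasRole() is one of the built-in security
-- functions, so a caller holding both roles still gets the full value.
GRANT SELECT ON COLUMN portfolio.Customer.ssn
    MASK 'CASE WHEN hasRole(''admin'') THEN ssn ELSE ''***-**-'' || right(ssn, 4) END'
    TO support;
```

With these roles in place, a query that the role set does not permit is rejected at runtime and recorded in the audit log rather than being passed to the source.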