Skip to main content

Setting Up Row-Level Security

Setting Up Row-Level Security

To enable row-level security for a table, edit the definition of the class from which the table is projected.

  1. In the class definition code, set the value of ROWLEVELSECURITY to 1, such as:

    ROWLEVELSECURITY = 1;

    This definition for the parameter means that row-level security is active and that the class uses the generated %READERLIST property to store information about users and roles with authorized access to the row.

    Alternatively, you can define the parameter as follows:

    ROWLEVELSECURITY = rlsprop;

    Where rlsprop is the name of a property in the same class. This alternative means that row-level security is active and that the class uses the given property to store information about users and roles with authorized access to the row. In this case, also add an index to the class as follows:

    Index %RLI On rlsprop;

  2. Define a %SecurityPolicy() class method, which determines and specifies the role and usernames that are permitted to select the row, subject to view and table SELECT privileges.

    The structure of the %SecurityPolicy() method is:

    ClassMethod %SecurityPolicy() As %String [ SqlProc ]
{
    QUIT ""
}

    Its characteristics are:

    • It is a class method with the required name %SecurityPolicy.

    • It returns a string (type %String).

    • It takes zero or more arguments. If this method takes any arguments, each must match a property name in the class and they must all be distinct from each other.

    • The SqlProc keyword specifies that the method can be invoked as a stored procedure.

    • The QUIT statement of the method returns the users or roles that may view the row. If there is more than one user or role, QUIT must return a comma-separated list of their names. Returning the null string (as in the example) specifies that the row is visible to all users who hold the SELECT privilege on the table.

    Important:

    A user who is assigned to the %All role does not automatically have access to rows in a table that are protected with row-level security. If %All is to have access to such a row, the %SecurityPolicy() method must explicitly specify this.

  3. Compile the class and any dependent classes.

Next sectionAdding Row-Level Security to a Table with Existing Data
FeedbackOpens in a new tab