1 Reply Latest reply on Nov 30, 2009 11:17 AM by Ramesh Reddy

    Is Teiid the right solution for my data security control?

    Charles Villemure Newbie

      Hi,

      We currently have a solution that manage security on module level (users can or cannot access specific pages in the application). We now face a new demand where we have to filter the data that users can view inside thoses pages. So we still have to manage what user can access what pages (already handled by our application) but we now want to control what users can create/read/update/delete the data inside those pages.

      As of Teiid 6.2, I've read that the server solution enable the possibilty to assign roles to group, to control data access. At first it seems like it fits my need, but as far as I can tell, it seems like the authorisation is based on the user that is currently connected to the database (correct me if i'm wrong). I would like to be able to use only one user to connect to the database (VDB here) but filter the query result based on the user that make theses queries.

      We also plan to have the needs to integrate data from multiple source (SQL Server, PostgreSQL, etc) so if Teiid can be used for our security needs, it would then be simple to use it's base functionnality to cover our futur need of integrating data from multiple sources.

      Can someone tell me if it's possible to use Teiid for my specific need (only one user connected to the data source (VDB) but data filtered based on the user who makes the query (other parameter passed along with the query?)), and if not do you know any other open source framework to manage data-level security?

      Thanks for your help,

      Charles

        • 1. Re: Is Teiid the right solution for my data security control
          Ramesh Reddy Master

           

          "chalz" wrote:

          As of Teiid 6.2, I've read that the server solution enable the possibilty to assign roles to group, to control data access. At first it seems like it fits my need, but as far as I can tell, it seems like the authorisation is based on the user that is currently connected to the database (correct me if i'm wrong).

          That is correct. The security is role based, which is determined by the logged in user's group.

          "chalz" wrote:

          I would like to be able to use only one user to connect to the database (VDB here) but filter the query result based on the user that make theses queries.

          The user who is logged in to the Teiid, is the one who is making the queries, so I do not think that is possible.

          What I understand from your post is, in your application you handle login for different uses, but you probably have single identity connection pool for Teiid, where you would like to push the identity of the original user on to the Teiid. Currently we do not allow identity switching on existing connection, see https://jira.jboss.org/jira/browse/TEIID-192, this is currently slated for 7.1 release. If you need this feature you can vote for this, we will see if we can bump in priority for this feature.

          However, meanwhile if you can create a connection pool based on the original user's credentials who logged into your application you can solve this issue.

          Also 7.0 release Teiid Server is moving to use JBoss AS to host Teiid engine, where you could *possibly* use the single sign-on if your application already uses JBoss.

          "chalz" wrote:

          We also plan to have the needs to integrate data from multiple source (SQL Server, PostgreSQL, etc) so if Teiid can be used for our security needs, it would then be simple to use it's base functionnality to cover our futur need of integrating data from multiple sources.

          Data integration is our primary feature, so this can be done, given you can map your security requirements along the way I suggested.