Resource Privileges
Privileges determine which groups and users are able to view or act upon data from defined resources using the TDV suite of products. Privilege specification provides a comprehensive security layer to safeguard access to resources defined within TDV.
No default privileges are granted on newly defined resources except to administrators, the resource owner, and users with the Modify All Resources right, so that the ownership right to grant privileges stays under the control of selected users.
Privileges can be assigned to an entire domain, selected groups, or individual users. Privileges can be set for any object exposed through TDV: containers (folders or parent objects) and individual resources, down to individual table columns. Privileges can be propagated to subordinate objects (child objects or dependent objects).
If you restrict access to a view in the published layer, the shared area, and in the introspected data source, the column has the same restrictions.
This section contains:
Initial Default Resource Privileges in Studio
Resource Ownership and the Grant Privilege
Assignment of Privileges
Container and Resource Privileges
Column-Level Restrictions on Privileges
About Managing Dependency Privileges
Setting and Viewing Privileges
Propagation of Privileges
Privileges for Non-Studio TDV Users
Copying Privileges
Finding and Editing Resource Privilege Dependencies
Initial Default Resource Privileges in Studio
By default, every object resource defined in Studio is initially created with full privileges for the object creator. Except for administrative users and users with Modify All Resources rights, no other users are granted privileges on new resources unless those privileges are added later—added either to users or to the groups to which they belong.
Default Read privileges are given to members of the all group in the composite domain for all sample resources, system resources, and parent containers of those resources.
Any user who is part of an LDAP domain is automatically given access to the objects that belong to the all group in the composite domain.
By default, anonymous users and users in the dynamic domain are disabled in the TDV installation. They must be explicitly enabled.
The following is a summary of default privileges assigned to system resources.
| Studio Tree Category | Group: All | Anonymous | Dynamic |
|---|---|---|---|
| localhost | Read | | |
| services | Read | | |
| databases | Read, Write | Read | Read |
| databases > system | Read | | |
| databases > system > <table> | Select | | |
| webservices | Read, Write | Read | Read |
| webservices > system | Read | | |
| lib | Read | | |
| lib > debug | Read | | |
| lib > resources | Read | | |
| lib > services | Read | | |
| lib > services > <specific_service> | Read, Execute | | |
| lib > sources | Read | | |
| lib > users | Read | | |
| lib > util | Read | | |
| shared | Read, Write | Read | Read |
| shared > examples | Read, Execute, Select | | |
| users | Read | None | None |
| users > composite | Read | None | None |
Resource Ownership and the Grant Privilege
Each resource in TDV has an owner. The user who creates a resource is initially the default owner. An owner of a resource automatically has all privileges on that resource.
The resource owners can define privileges for groups and users who need to view, access, and use a resource. Privileges can be defined for a parent object in the TDV directory and they can be applied to child resources and subfolders recursively. Child object resources are not available or even visible to users who do not have Read privileges on all of the resource’s parent containers. The owner or administrator has the option to grant or revoke privileges on the owned resource at any time. The owner can revoke his own privileges (for example, to prevent accidental deletion of data), and later re-grant those privileges. A user who is given ownership of a resource can share all the privileges of ownership by giving the Grant privilege to other users or groups. Users who are not administrators or owners of the resource cannot change those privileges.
Administrators, users or groups with the Modify All Resources right can:
- See all resource definitions and associated privileges.
- Assign or remove privileges of groups and users.
- Change the owner of a resource from Studio’s Administration menu.
- Change privileges on all resources that they have access to view, but they might not have access to read all resources.
Note: For resources that are likely to be called and invoked by other resources, you can give the Grant privilege to distribute access to other developers.
Assignment of Privileges
We recommend that you assign privileges by groups rather than by individual users. This style of access control lets future developers manage large numbers of users by adding them to or removing them from groups that combine easily understood sets of role-based privileges.
For LDAP domains, set the privileges for all members in the group at the same time, because individual members of the domain do not appear until they have logged into the system for the first time.
For the composite or dynamic domain, you can increase control by creating additional groups to manage subsets of rights and privileges from the Manager. For the LDAP domain, you must use the LDAP tools to modify groups and their rights.
The following shows a typical privileges dialog for a resource with both implicit privileges (those assigned by group definitions) and explicit privileges (those assigned directly to a user or group). Privileges assigned explicitly are shown by a green check mark. An amber check mark shows privileges assigned implicitly (acquired by either group membership or possession of a right like Modify All Resources).
Container and Resource Privileges
Privileges fall into two groups, design-time and run-time. Read privilege belongs to both groups, and must be granted to users for all enclosing containers (parent or folder objects) of the resource the user wants to access or manipulate.
Read, Write, and Grant are design-time privileges that determine access to objects for users of TDV and other TDV components.
Read, Execute, Select, Insert, Update, and Delete are run-time, data manipulation privileges that determine resource security for client-interface access to data through TDV.
The following tables describe what can and cannot be done with different combinations of privileges. In the table, an X means that the privilege is granted on the resource, and N/A means that the privilege is not applicable to the resource.
Privileges and Resources

| Resource | Read | Write | Execute | Select | Update | Insert | Delete | Grant | What User Can Do with Resource or Container |
|---|---|---|---|---|---|---|---|---|---|
| All resources | | | | | | | | | Not view, modify, or add resources to it. |
| All resources | X | | | | | | | | View but not modify it. |
| All resources | X | X | | | | | | | View, modify, delete, move, reconfigure, rename, or create resources inside of it. |
| Folders, data sources, published databases, catalogs, schemas, TDV Web services (and their services, operations, and ports) | X | X | X | X | X | X | X | X | View, modify, query, delete, move, reconfigure, rename, and execute. |
| Tables, source privileges (second tab for published database resources), views | X | X | N/A | X | X | X | X | X | View, modify, delete, move, rename, reconfigure, or query it. |
| Columns | X | X | N/A | X | X | N/A | N/A | X | View, modify, run select, run update. |
| SQL Script procedures, Java procedures, packaged queries, XSLT and XQuery procedures, parameterized queries, transformations | X | X | X | N/A | N/A | N/A | N/A | X | View, modify, delete, move, reconfigure, rename, and execute. |
| Published database resources (which have a second tab for source privileges), Web service definitions, triggers, definition sets, models | X | X | N/A | N/A | N/A | N/A | N/A | X | |
Column-Level Restrictions on Privileges
Column-level restrictions set in TDV behave differently when the resource is accessed through a client interface, depending on whether the restriction is set for a table or for a view.

| Restriction Set For | When the User Accesses Through a Client Interface... |
|---|---|
| Table | The restricted column and metadata do not appear through the client interface, and an access error is generated. |
| View | The restricted column and/or metadata do not appear through the client interface. |
About Managing Dependency Privileges
Managing privilege settings for resources can become complex when many data resources contribute to the output of a resource. When resources use another resource, every prospective user and group must have adequate privileges to access and invoke those dependencies.
Even if a Studio developer has the privilege of using and viewing a dependency resource, that person might not be able to assign privileges on resource dependencies to other users and groups.
At run time, when using resources contained within other resources, the Read privilege must be present in all parent containers.
Privileges Required for Resource Dependencies
When a resource has a dependency, the user who requests the view or invokes the procedure must have privileges to view the dependency, and to Select or Execute to retrieve data from the dependent resource.
Note: You can use the lineage feature in Studio to learn about the resource relationships, dependencies, and references. See “Exploring Data Lineage” in the TDV User Guide.
For example, a user might want to see the data of View_A, where View_A executes Procedure_B (which draws on data from physical source Table_D) and also selects from physical source Table_C. To perform a SELECT on View_A, the user needs these privileges.
| On the Resource | Privilege Required |
|---|---|
| All parent containers of View_A, Procedure_B, Table_C, Table_D | Read |
| View_A, Table_C, Table_D | Select |
| Procedure_B | Execute |
Setting and Viewing Privileges
Privileges can be assigned to selected groups or individual users. Privileges can be set for an entire folder, including all child objects. Privileges let you restrict access and changes to data down to individual table columns.
When a privilege is granted to a user, the corresponding privilege check box is selected in the panel. See Container and Resource Privileges.
Select is offered, but not Execute, if the resource is a view. Execute is offered, but not Select, if the resource is a procedure.
Studio presents all privileges when you edit the privileges on a container, even though only Read and Write are relevant to a container.
The Properties window for a published resource has a tab named Privileges (for the published object) and another tab named Source Privileges (for the corresponding unpublished object). Only the unpublished object can be given the Execute privilege.
Individual LDAP users can be directly assigned rights and privileges for any resource, but only after they appear in the TDV system.
When designing client interface applications, you might experience difficulties with resource availability and access privileges if you do not have the necessary Read privileges. You must have Read privileges for all levels of the resource tree to enable clients to view and use a resource. Developers, resource owners, and administrators should work together to make sure that appropriate groups and users can both view and access contained resources.
To set privileges on a resource
1. Make sure you have one of the following privilege conditions:
- You own the resource.
- You have the Grant privilege on the resource.
- You have the Modify All Resources right.
See Resource Ownership and the Grant Privilege for more information.
2. Right-click the resource name and select Privileges, or select the resource and choose Resource > Privileges. For example, when selecting privileges from a data source resource you would see the following screen.
The Resource and Your Privileges portions of the panel are for information purposes only.
3. Select the Show All radio button, to display or to set privileges explicitly for users who are not shown.
For boxes with an amber check mark, you might not be allowed to change the privilege setting. Privileges explicitly assigned are shown by a green check mark. An amber check shows privileges obtained implicitly (by group membership or through possession of a right like Modify All Resources).
4. Select the Read and Write boxes to set Studio design-time privileges. The Read privilege on a resource lets the user check whether the resource exists. The Write privilege lets the user modify the TDV resource definition, which determines what native resource can be used, and how it can be used.
Make sure that groups and users:
- Who are given new privileges on a resource also have the Read privilege on all parent containers in the path of that resource.
- Who have the Read privilege can view the object design, projections, schema, SQL, and annotations.
- Who have the Read and Select privileges can view dependencies, view the execution plan, and run the SQL contained in the view.
- Who have the Read, Write, and Select privileges can save, cache, and publish the view.
- Who need to modify an existing resource definition have the Write privilege on that resource.
- Have the Read privilege on views or views used to build another view.
5. Select the Execute, Select, Update, Insert, or Delete boxes, to set run-time privileges.
The Select privilege lets the user submit SQL SELECT statements to retrieve data.
The Execute privilege lets the user execute a procedure.
The Insert, Update, and Delete privileges let the user change table data.
At run time, Read privileges are used for folders and their contents, but not for tables or procedures. However, a user with Select privileges on a table but no Read privileges can still select from that table.
6. Check the Grant box for resources where you want to share ownership privileges.
The Grant privilege gives other Studio users the same privileges as the original resource owner.
7. Use the following fields and buttons to filter the users and groups that appear on the Privileges panel.
| Field or Button | Description |
|---|---|
| Hide users without explicit privileges | Default. Does not show users who have not been granted privileges on the resource from the user interface window. |
| Hide users and groups without explicit privileges | Does not show users or groups who have not been granted privileges on the resource from the user interface window. |
| Show All | Show all users and groups, whether or not they have explicit privileges. |
| Filter | Lets you type a filter string to apply to user and group names. A wildcard is added before and after your string; so for example “ea” finds users Jean and Bea, and group Minneapolis. |
8. Select the Apply recursively to dependencies check box to apply the setting selections to all resources that this resource depends on.
Resources that this resource depends on can reside anywhere.
9. Select the Apply recursively to dependents check box to apply the setting selections to all resources that depend on this resource.
Dependent resources can reside anywhere.
10. Select the Apply recursively to child resources and folders check box to apply the setting selections to all the child resources that are owned by this parent resource.
Child resources reside within the parent container.
Note: Many resources, such as procedures, queries and transformations, do not make Apply recursively to child resources and folders available for selection.
11. Select one of the radio buttons either to apply changes to privilege settings, or apply changes to privilege settings and clone user and group privileges to all child and/or dependent objects of the selected resource.
| Radio Button | Description |
|---|---|
| Only apply modification | Saves the specific changes made to the privilege settings of the selected resource, but preserves all other privilege settings of the child and/or dependent resources. |
| Make child resources look like this resource | Saves changes made to the privilege settings of the selected resource, and propagates all of the object’s privilege settings to child and/or dependent resources. Changes applied using this radio button can both add and remove child and/or dependent resource privileges. |
12. Click OK.
For information on how to grant privileges to a source on which a resource depends, see Privileges Required for Resource Dependencies.
Propagation of Privileges
The privileges Insert, Update, Delete only need to be set for the top-level view—the view that is published to a virtual database. These privileges do not need to be set separately for other views in the dependency lineage.
Users who have Select, Insert, Update, and Delete privileges on a view, but do not have Read access on that view, can see the view when signed in to Studio, but if they try to open the view, an error message is displayed. After clicking OK in the error message box, they can open and execute the view in Studio, but they cannot save any changes to the view.
Privileges for Non-Studio TDV Users
This topic describes privileges for users who do not use Studio to connect to TDV. One category of such users is those who connect to TDV through JDBC, ODBC, or ADO.NET. Insert, Update and Delete privileges are of course needed for such users to take those actions, but other conditions for these actions may not be as obvious:
- A published resource and its lineage of views and tables do not require the Read privilege.
- The published resource must have the Select privilege.
- Intermediate views and tables do not require Insert, Update and Delete privileges for the user to take such actions.
Copying Privileges
Users or administrators who have the Grant privilege on resources can copy privilege settings from a selected resource to one or more other resources.
To copy privileges
1. Right-click the resource whose privileges you want to replicate.
2. Select Copy Privilege.
3. Select one or more target objects to which to copy the privileges.
Select target resources carefully. All privilege settings of the initial resource overwrite all of the privilege settings of the selected target resources.
4. Select Copy Privileges into Target Descendants if you want to copy privileges to the descendants of the target objects.
5. Click OK.
Finding and Editing Resource Privilege Dependencies
The dependency privilege analysis checks users and groups against all resources defined by the TDV Server. Specifically, it checks whether those with Select or Execute privileges also have the appropriate privileges to access and use dependency resources when they are present. The Dependency column displays an aggregate status icon that tells whether any dependency privilege settings need review and correction.
Administrative users with the Modify All Resources right can click in any box and thereby assign a privilege to all selected users and groups. Clicking on any box again sets the privilege back to its former state. You can click the ADD PERMISSIONS button to assign an explicit privilege to correct all resource dependency privilege deficiencies.
If the administrator currently using Manager does not have the Modify All Resources right, privilege changes are possible only on those resources and containers for which the administrator is the owner or has the Grant privilege.
The Manager Resources pages provide tools that automatically analyze privilege sets on resources and their dependencies for groups and users. TDV administrators can add or remove privileges with a single button click. They can analyze or edit dependency privileges, and view, edit, or remove privileges by resource, user, or group.
The Manager Resources pages let you do the following:
- Find missing privileges by resource for any group or user.
- Check for privilege inconsistencies on dependent resources.
- Add or remove privileges on a resource or dependency.
- Find and assign privileges for new dependencies on a revised resource.
- Perform a resource-based privilege security audit.
The Manager Resources pages are best used with the following administrative rights:
- Access Tools—To launch and use the Manager.
- Read All Config—To see the Manager resource page.
- Read All Users—To see privileges beyond those for one’s own sign-in ID and groups.
- Modify All Resources—To add, remove, or automatically correct dependency privilege settings (except for resources for which a user is the owner or has the Grant privilege).
Note: Manager displayed in IE8 compatibility mode is slow. Also, IE8 warns that the JavaScript can cause the computer to become unresponsive. It is safe to ignore this warning. When using IE8, change the Refresh Rate.
To find resource dependencies
1. Launch Manager using:
- Launch Manager option in the Studio Administration menu
- http://<hostname>:9400/manager/login
2. Select Resource Management from the SECURITY tab menu, to open the RESOURCES page.
The RESOURCES page displays published, user-accessible folders and resources.
3. Select a radio button and click Analyze Dependency Privileges (radio button in the first column shows which is selected).
The Dependency column displays:
| Icon | Indicates |
|---|---|
| question mark | Dependency analysis has not been performed. |
| clock | Analysis is in progress. |
| check mark | All users and groups with invocation privileges for the resource also have invocation privileges for all of the resource dependencies (where present). |
| red circle x | One or more users or groups with invocation privileges for this resource are lacking adequate invocation privileges on one or more dependencies. Any resource with an inconsistent privilege assignment has a user or group with a Select or Execute privilege allowing invocation of the parent resource, but without the required privileges to access/use dependencies required for execution. |
| yellow triangle | One or more users or groups with partial privileges for this resource lack adequate privileges to invoke it or dependent resources. Where privilege settings do not match normal usage patterns, the dependency analysis marks them with a yellow warning triangle—for example, a user with the Read or Write privilege but not a privilege to Select or Execute on that resource or any of its dependencies. |
Analyze Dependency Privileges analyzes all resources on the page for privilege settings.
4. Click View Privileges to display a detailed resource privilege report that you can use to check resource privilege settings.
The View Privileges button displays a “RESOURCE PRIVILEGES for <resource>” page containing up to 100 users and groups with their privileges, and a dependency analysis status indicator for each user and group with a privilege on the selected resource. This display is suitable for a resource-based security audit that shows who does and who does not have access to a given resource.
5. Optionally, modify the Refresh Rate near the upper right of the Manager home page, to control how often information on the page is refreshed.
6. Select the check box for a row to edit, remove or modify the privileges. The following actions can be performed.
| Action | Description |
|---|---|
| Edit Privileges | Directly modify privileges on the selected resource for one or more users and groups. When you select more than one user or group, privilege settings show an aggregated value of the privilege settings. |
| Edit Dependency Privileges | Analyze dependency resources (and their parent containers) and required privileges for access and invocation. Also opens the Edit Resource Dependencies window, which displays more detail about aggregated privilege settings. Select those users and groups that show dependency privilege errors or inconsistencies. |
| Remove Privileges | Remove explicitly-assigned privileges from selected users or groups. This function cannot remove users from groups that give the user privileges implicitly, or remove administrative rights to remove privileges. Implicit privileges can be removed only by removing the user from the group that gives those privileges, by changing the group assigned privileges, or by removing user rights. |
| Reset the Resources pages | Click the SECURITY tab > Resource Management selection. |
To correct a privilege setting
1. Select SECURITY > Resource Management.
2. Click Analyze Dependency Privileges.
3. Click View Privileges.
4. Click Edit Dependency Privileges.
5. Click any of the icons to change privileges for all the users and groups selected.
6. Click Add Permissions.
Add Permissions identifies all privilege deficiencies, and explicitly grants all missing privileges needed to access and invoke a resource and its dependencies.
7. Click OK or Cancel when done.
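The dependency rules described in this section (the View_A example, the Dependency column icons, and Add Permissions) can be modelled offline, which is useful when reviewing a planned privilege layout before applying it. The following is an added example, not TDV code or a TDV API: the paths, users and group are constructed, and the status logic is a simplified per-principal reading of the icon descriptions.

```python
from dataclasses import dataclass, field

@dataclass
class Resource:
    kind: str                                   # "view", "table" or "procedure"
    depends_on: list = field(default_factory=list)

# Run-time privilege needed to invoke each kind of resource.
INVOKE = {"view": "Select", "table": "Select", "procedure": "Execute"}

def parent_containers(path):
    """'/shared/sales/View_A' -> ['/shared', '/shared/sales']"""
    parts = path.strip("/").split("/")
    return ["/" + "/".join(parts[:i]) for i in range(1, len(parts))]

def lineage(resources, path):
    """The resource plus everything it depends on, transitively."""
    seen, stack = [], [path]
    while stack:
        current = stack.pop()
        if current not in seen:                 # also stops on dependency cycles
            seen.append(current)
            stack.extend(resources[current].depends_on)
    return seen

def required_privileges(resources, path):
    """Select/Execute on each resource in the lineage, Read on every parent container."""
    needed = set()
    for res in lineage(resources, path):
        needed.add((res, INVOKE[resources[res].kind]))
        needed.update((c, "Read") for c in parent_containers(res))
    return needed

def effective_privileges(grants, memberships, principal):
    """Explicit grants plus privileges acquired implicitly through groups."""
    held = set(grants.get(principal, ()))
    for group in memberships.get(principal, ()):
        held |= set(grants.get(group, ()))
    return held

def missing_privileges(resources, grants, memberships, principal, path):
    held = effective_privileges(grants, memberships, principal)
    return required_privileges(resources, path) - held

def dependency_status(resources, grants, memberships, principal, path):
    """Per-principal status, named after the icons in the Dependency column."""
    held = effective_privileges(grants, memberships, principal)
    on_resource = {priv for res, priv in held if res == path}
    if not on_resource:
        return None                             # holds nothing on the resource
    if INVOKE[resources[path].kind] not in on_resource:
        return "yellow triangle"                # e.g. Read/Write without Select
    gaps = missing_privileges(resources, grants, memberships, principal, path)
    return "red circle x" if gaps else "check mark"

def add_permissions(resources, grants, memberships, principal, path):
    """Return a copy of grants with every missing privilege granted explicitly."""
    gaps = missing_privileges(resources, grants, memberships, principal, path)
    return {**grants, principal: set(grants.get(principal, ())) | gaps}

# Constructed sample data (paths, users and group are illustrative).
VIEW_A, PROC_B = "/shared/sales/View_A", "/shared/sales/Procedure_B"
TABLE_C, TABLE_D = "/sources/orders/Table_C", "/sources/orders/Table_D"
RESOURCES = {VIEW_A: Resource("view", [PROC_B, TABLE_C]), PROC_B: Resource("procedure", [TABLE_D]),
             TABLE_C: Resource("table"), TABLE_D: Resource("table")}
CONTAINER_READ = {(c, "Read") for c in ("/shared", "/shared/sales", "/sources", "/sources/orders")}
MEMBERSHIPS = {"jean": ["analysts"]}            # jean holds privileges only through the group
GRANTS = {
    "analysts": CONTAINER_READ | {(VIEW_A, "Select"), (TABLE_C, "Select"),
                                  (TABLE_D, "Select"), (PROC_B, "Execute")},
    "bea": CONTAINER_READ | {(VIEW_A, "Select"), (TABLE_C, "Select"), (TABLE_D, "Select")},
    "lee": CONTAINER_READ | {(VIEW_A, "Read")},
}
```

In this sample, `bea` can select from View_A on paper but lacks Execute on Procedure_B, which is the inconsistency the red circle x reports; `add_permissions` returns the grant set that closes exactly that gap.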