The tool supports the interface of Foresight Analytics Platform 9 or earlier.
The discretionary access control method grants subjects access permissions for objects and enforces access control:
At the DBMS level, for objects that have corresponding objects in the DBMS: tables, views, queries, stored procedures.
At the Foresight Analytics Platform level, for all other repository objects.
Access permissions are granted using access control lists assigned to each system object. Subject access permissions for objects are controlled at the DBMS level and at the platform level.
NOTE. Discretionary access control can be used simultaneously with the mandatory access control method, the level-based access separation method, and the attribute-based method. When the discretionary and attribute-based access control methods are used simultaneously, their permissions can be combined in access control.
To provide security, access control is applied to every object and subject for both explicit and mediated access. Mediated access is access to child objects that results from explicit operations on a parent object, for example, access to a cube when a report is opened.
Access permissions are determined for each object. Access permissions determine the set of operations that a security subject is allowed to execute on an object. Access permissions include view, modify, delete object permissions, and so on. Each object class has its own set of access permissions.
The access control list determines:
Subjects who can access a specific object.
Operations that a specific subject is allowed or prohibited to execute on a specific object.
Access permissions are accumulated from the sets of access permissions of the separate subjects. A prohibition of an operation has higher priority than a permission, regardless of whether the operation is prohibited for a single subject or for a group of subjects. For example, suppose the access control list contains two subjects: a group of users and a user included in this group. If permission to access an object is granted to the group but denied to that specific user, then after the permissions are accumulated this user does not have access to the object.
The discretionary access control method is set up by:
The owner of the ADMIN schema.
Members of the Administrators group.
Users with the following privileges: Login; Changing User Permissions, Distributing Roles, Changing Policy; Changing Security Label and Access Control List of Any Object; Browsing all objects in the navigator; Read and Write Permission for All Objects.
The information security administrator, when administrator roles are separated.
To use the discretionary access control method:
Select the Use Discretionary Access Control checkbox on the Access Control tab of the policies editor.
Create user accounts and groups of users.
Set object access permissions.
Before allowing a user to perform an action, the system checks the access control list to see whether this user and the groups that include this user as a member have the corresponding permission. If the user or a group has this permission, the system allows the user to execute the operation; otherwise the operation is denied. A prohibition always has priority over a permission.
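The evaluation rule described above (accumulate permissions over the user and the user's groups, let any prohibition win, deny when nothing grants the operation), as an added Python sketch that is not Foresight Analytics Platform code. AclEntry, SecuredObject, the operation names and the sample users and group are hypothetical and constructed for illustration.

```python
# Added illustration; all names here are hypothetical, not the platform's API.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class AclEntry:
    subject: str                      # user name or group name
    allow: frozenset = frozenset()    # operations explicitly permitted
    deny: frozenset = frozenset()     # operations explicitly prohibited


@dataclass
class SecuredObject:
    name: str
    acl: list = field(default_factory=list)


def effective_permissions(obj, user, groups_of):
    """Accumulate allow/deny over the user and every group containing the user."""
    subjects = {user} | set(groups_of.get(user, ()))
    allowed, denied = set(), set()
    for entry in obj.acl:
        if entry.subject in subjects:
            allowed |= entry.allow
            denied |= entry.deny
    # A prohibition outranks a permission, whichever subject carries it.
    return allowed - denied


def check_access(obj, user, operation, groups_of):
    """True only if some entry permits the operation and no entry prohibits it."""
    return operation in effective_permissions(obj, user, groups_of)


# Constructed sample data: group grant with a per-user deny, and the reverse.
GROUPS_OF = {"alice": ["ANALYSTS"], "bob": ["ANALYSTS"], "carol": []}
REPORT = SecuredObject("Sales report", acl=[
    AclEntry("ANALYSTS", allow=frozenset({"view", "modify"})),
    AclEntry("bob", deny=frozenset({"modify"})),      # user deny beats group allow
    AclEntry("ANALYSTS", deny=frozenset({"delete"})),
    AclEntry("alice", allow=frozenset({"delete"})),   # group deny beats user allow
])

if __name__ == "__main__":
    for user in ("alice", "bob", "carol"):
        print(user, sorted(effective_permissions(REPORT, user, GROUPS_OF)))
```

The user carol has no entry and belongs to no listed group, so every operation is denied by default.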