record level security: can't browse, grant and revoke won't work


David de Sousa Seixas

Jul 13, 2015, 9:12:24 AM7/13/15
to orient-...@googlegroups.com
I'm using version 2.0.3

Can't browse a class with a specific user despite the fact that I granted authorization to their role.

I'm working with record level security, so both V and E inherit from ORestricted. I've created a class Concept which (not directly) inherits from V. The OUser "Angela_Merkel" has the role "student" which inherits from "writer" and has the additional permissions:

{
    "database.class.Concept": 5,
    "database.class.Unit": 5,
    "database.class.Person": 5,
    "database.class.belongsTo": 5,
    "database.class.grants": 5,
    "database.class.isRequiredFor": 5,
    "database.class.informationLink": 15,
    "database.class.user": 5
}

which means she can READ and UPDATE Concept. Then I create a Concept node. But when I query SELECT FROM CONCEPT, I get an OSecurityAccessException stating that user Angela_Merkel has no right to read unit. I've also tried to grant access by running the query GRANT READ ON database.class.concept TO student, but the database throws back that student is not a valid role. It is, however, listed in oroles:

----+----+------+----+-------+---------+----------------------------------------------------------------------------------------------------------
#   |@RID|@CLASS|mode|name   |inherited|rules
----+----+------+----+-------+---------+----------------------------------------------------------------------------------------------------------
0   |#4:0|ORole |1   |admin  |null     |{database.bypassRestricted=15}
1   |#4:1|ORole |0   |reader |null     |{database.cluster.internal=2, database.cluster.orole=2, database=2, database.function=2, database.schem...
2   |#4:2|ORole |0   |writer |null     |{database.cluster.internal=2, database.cluster.orole=2, database=2, database.schema=7, database.cluster...
3   |#4:4|ORole |0   |student|#4:2     |{database.class.Concept=5, database.class.Unit=5, database.class.Person=5, database.class.belongsTo=5, ...
----+----+------+----+-------+---------+----------------------------------------------------------------------------------------------------------


and the same goes for reader, writer and so on. Revoke throws the same error. What's wrong?

user.w...@gmail.com

Jul 13, 2015, 11:54:13 AM7/13/15
to orient-...@googlegroups.com
Hi David,

Probably the problem is that the permission setting "database.class.Concept": 5 means Update&Create.
For a read&update combination you need to set "database.class.Concept": 6.

bye,
Ivan
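A small decoder for these permission values, added here as an example (it is not part of the thread and not OrientDB's own code). It assumes OrientDB's ORole bit assignments CREATE=1, READ=2, UPDATE=4, DELETE=8, which agree with the 5 and 6 above and with the admin role's bypassRestricted=15 in the listing. It goes a little beyond the single value in the answer: it audits every rule of the posted "student" role and reports which resources lack a required permission, so the missing READ bit shows up for all seven classes set to 5 and not for informationLink (15).

```python
# Added example: decode and audit OrientDB role permission bitmasks.
# Bit values assumed from OrientDB's ORole constants (CREATE=1, READ=2,
# UPDATE=4, DELETE=8); the thread confirms 5 = CREATE+UPDATE and 6 = READ+UPDATE.
PERMISSION_BITS = {"CREATE": 1, "READ": 2, "UPDATE": 4, "DELETE": 8}

# The "student" role's rules exactly as posted in the question.
STUDENT_RULES = {
    "database.class.Concept": 5,
    "database.class.Unit": 5,
    "database.class.Person": 5,
    "database.class.belongsTo": 5,
    "database.class.grants": 5,
    "database.class.isRequiredFor": 5,
    "database.class.informationLink": 15,
    "database.class.user": 5,
}


def decode(value):
    """Return the set of permission names whose bit is set in `value`."""
    return {name for name, bit in PERMISSION_BITS.items() if value & bit}


def encode(names):
    """Inverse of decode: OR together the bits for the given permission names."""
    value = 0
    for name in names:
        value |= PERMISSION_BITS[name.upper()]
    return value


def missing_for(rules, resource, needed):
    """Permissions in `needed` that `rules` does not grant on `resource`.

    A resource absent from `rules` counts as 0 (nothing granted). Only the
    rules passed in are consulted; rules inherited from a parent role
    (student inherits from writer in the thread) are not resolved here.
    """
    granted = decode(rules.get(resource, 0))
    return {n.upper() for n in needed} - granted


def audit(rules, needed=("READ",)):
    """Map each resource that lacks any of `needed` to the set it is missing."""
    report = {}
    for resource in rules:
        gap = missing_for(rules, resource, needed)
        if gap:
            report[resource] = gap
    return report


def with_permission(value, name):
    """Add one permission bit without dropping the ones already set (5 -> 7 for READ)."""
    return value | PERMISSION_BITS[name.upper()]


if __name__ == "__main__":
    for v in (5, 6, 15):
        print(v, sorted(decode(v)))
    for resource, gap in audit(STUDENT_RULES, ("READ", "UPDATE")).items():
        print(f"{resource}: missing {sorted(gap)}")
```

Note the difference between Ivan's 6 (READ+UPDATE, which drops CREATE) and `with_permission(5, "READ")`, which yields 7 and keeps CREATE; which one is right depends on whether the role should also be able to create records.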

David de Sousa Seixas

Jul 13, 2015, 12:18:43 PM7/13/15
to orient-...@googlegroups.com
Well that's embarrassing. Thanks!