record level security: can't browse, grant and revoke won't work


David de Sousa Seixas

Jul 13, 2015, 9:12:24 AM
I'm using version 2.0.3

Can't browse a class with a specific user despite the fact that I granted authorization to their role.

I'm working with record level security, so both V and E inherit from ORestricted. I've created a class Concept which (not directly) inherits from V. The OUser "Angela_Merkel" has the role "student" which inherits from "writer" and has the additional permissions:

    "database.class.Concept": 5,
    "database.class.Unit": 5,
    "database.class.Person": 5,
    "database.class.belongsTo": 5,
    "database.class.grants": 5,
    "database.class.isRequiredFor": 5,
    "database.class.informationLink": 15,
    "database.class.user": 5

which means she can READ and UPDATE Concept. Then I create a Concept node. But when I query SELECT FROM CONCEPT, I get an OSecurityAccessException stating that user Angela_Merkel has no right to read unit. I've also tried to grant access by running the query GRANT READ ON database.class.concept TO student, but the database throws back that student is not a valid role. It is, however, listed in oroles:


#   |@RID|@CLASS|mode|name   |inherited|rules
0   |#4:0|ORole |1   |admin  |null     |{database.bypassRestricted=15}
1   |#4:1|ORole |0   |reader |null     |{database.cluster.internal=2, database.cluster.orole=2, database=2, database.function=2, database.schem...
2   |#4:2|ORole |0   |writer |null     |{database.cluster.internal=2, database.cluster.orole=2, database=2, database.schema=7, database.cluster...
3   |#4:4|ORole |0   |student|#4:2     |{database.class.Concept=5, database.class.Unit=5, database.class.Person=5, database.class.belongsTo=5, ...


and the same goes for reader, writer and so on. Revoke throws the same error. What's wrong?

Jul 13, 2015, 11:54:13 AM
Hi David,

Probably the problem is that the permission setting "database.class.Concept": 5 means Update&Create.
For a read&update combination you need to set "database.class.Concept": 6
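Added illustration (not part of the thread, and not OrientDB's code): a small Python model of how the permission masks in the reply above are resolved. The bit values CREATE=1, READ=2, UPDATE=4, DELETE=8 (ALL=15) are OrientDB's ORole constants, which is why 5 decodes to CREATE+UPDATE and 6 to READ+UPDATE. The role table is rebuilt from the visible parts of the ORole listing in the first post (the truncated reader/writer entries are left out), and the resolution rule (exact resource on the role, otherwise the inherited role, otherwise deny; wildcard resources ignored) is a simplified stand-in, not a copy of OrientDB's implementation. It also shows that a GRANT READ on the existing value 5 would produce 7 (CREATE+READ+UPDATE), not the 6 the reply suggests, because GRANT only ORs in a bit.

```python
"""Model of OrientDB-style role permission bits for the thread above.
Added example, not OrientDB's code. Bit values are OrientDB's ORole
constants; the role table and resolution rule are simplified stand-ins."""
import copy

CREATE, READ, UPDATE, DELETE = 1, 2, 4, 8
ALL = CREATE | READ | UPDATE | DELETE          # 15, as in the listing
BIT_NAMES = ((CREATE, "CREATE"), (READ, "READ"), (UPDATE, "UPDATE"), (DELETE, "DELETE"))


def describe(mask):
    """Operation names encoded in a permission mask: 5 -> CREATE, UPDATE."""
    return [name for bit, name in BIT_NAMES if mask & bit]


def missing(mask, wanted):
    """Operations in `wanted` that `mask` does not grant."""
    return describe(wanted & ~mask)


# Roles as visible in the post's ORole listing (truncated rule lists omitted).
# Keys are OrientDB resource strings; 'inherited' mirrors that column.
ROLES = {
    "admin": {"inherited": None, "rules": {"database.bypassRestricted": ALL}},
    "reader": {"inherited": None, "rules": {"database.cluster.internal": READ, "database": READ}},
    "writer": {"inherited": None, "rules": {"database.cluster.internal": READ, "database": READ,
                                            "database.schema": 7}},
    "student": {"inherited": "writer", "rules": {
        "database.class.Concept": 5,
        "database.class.Unit": 5,
        "database.class.Person": 5,
        "database.class.informationLink": 15,
    }},
}


def fresh_roles():
    """Independent copy of ROLES so grant/revoke below do not mutate the table."""
    return copy.deepcopy(ROLES)


def allow(roles, role_name, resource, op):
    """Simplified resolution (assumption): the first role in the inheritance
    chain with a rule for the exact resource decides; no rule anywhere means deny.
    Wildcard resources such as 'database.class.*' are not modelled."""
    role = roles.get(role_name)
    while role is not None:
        mask = role["rules"].get(resource)
        if mask is not None:
            return mask & op == op
        role = roles.get(role["inherited"]) if role["inherited"] else None
    return False


def check(roles, role_name, resource, op):
    """(allowed, reason) in the shape of the error the user saw."""
    if allow(roles, role_name, resource, op):
        return True, "ok"
    return False, "role %s has no right to %s %s" % (role_name, describe(op)[0].lower(), resource)


def grant(roles, role_name, resource, op):
    """Effect of GRANT <op> ON <resource> TO <role> on the stored mask: OR in the bit."""
    rules = roles[role_name]["rules"]
    rules[resource] = rules.get(resource, 0) | op
    return rules[resource]


def revoke(roles, role_name, resource, op):
    """Effect of REVOKE: clear the bit, keep the others."""
    rules = roles[role_name]["rules"]
    rules[resource] = rules.get(resource, 0) & ~op
    return rules[resource]


if __name__ == "__main__":
    r = fresh_roles()
    print("5 =", describe(5), "; missing for READ|UPDATE:", missing(5, READ | UPDATE))
    print(check(r, "student", "database.class.Concept", READ))
    grant(r, "student", "database.class.Concept", READ)       # 5 -> 7, not 6
    print(describe(r["student"]["rules"]["database.class.Concept"]))
    print(check(r, "student", "database.class.Concept", READ))
```

Running it reproduces the thread: with Concept=5, READ on database.class.Concept (and on Unit) is denied with "has no right to read", UPDATE is allowed, and database.schema falls through to the inherited writer rule. Whether the value is then set to 6 by hand or reached by GRANT READ (giving 7) only decides whether the role keeps CREATE.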


David de Sousa Seixas

Jul 13, 2015, 12:18:43 PM
Well that's embarrassing. Thanks!