[Rule Request] Check if any RLS Filter Expression is blank for tables that start with "fact_" #58

Open
ViktoriaVrg opened this issue Mar 25, 2024 · 1 comment


ViktoriaVrg commented Mar 25, 2024

Dear all,

For our security concept, we aim to create an additional rule that checks, for all model roles, whether the RowLevelSecurity FilterExpression is blank. If it is blank, we aim to fix it by inserting the FilterExpression FALSE().

Could you provide me with some guidance on how to write the code?
I would've thought that something like this would work as a first step; however, I'm getting the error: no property field 'role' exists in the type 'ModelRole'.

Model.Roles.Any(role => role.TablePermissions != null && role.TablePermissions.Any(tablePermission => tablePermission.TableName.StartsWith('fact_') && string.IsNullOrWhiteSpace(tablePermission.FilterExpression)))

Any hints/suggestions/documentation are very much appreciated :)!

Thanks!

Collaborator

otykier commented Apr 2, 2024

Some clarification:

The RowLevelSecurity property of a role is actually an indexed property, meaning it has a (string) entry for each table in the model. Tabular Editor will automatically create or delete the TablePermission object when an RLS expression is added to or removed from an entry in the RowLevelSecurity property.

In your code example, however, you ignore role/table combinations where the TablePermission object is null. With the above in mind, this is essentially ignoring all those TablePermissions with a blank RLS filter expression (unless some TablePermissions also have OLS enabled).

So the question is whether you want to check if any table, across all roles, has a blank RLS filter expression? Otherwise, I'm not sure why you're explicitly only checking those tables for which a TablePermission exists.

In case you did indeed want to check all tables, you can create the BPA rule in the following way:

  • Rule Scope: Model Roles
  • Rule Expression: RowLevelSecurity.Any(string.IsNullOrEmpty(it))

If, however, you only want to check existing TablePermission objects for blank filter expressions, you can use the following BPA rule expression instead (same scope as above):

Model.Tables.Any(
    current.TablePermissions.FindByName(it.Name) <> null and
    string.IsNullOrEmpty(current.TablePermissions[it].FilterExpression)
)
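
The two cases distinguished in the reply above (no TablePermission object at all versus an existing one with a blank filter) can also be checked outside Tabular Editor, for example as a CI step over the saved model. The following Python check is an added example, not code from this thread or from the Tabular Editor project. It assumes the model is stored as a model.bim (TMSL JSON) file; the sample model, role names and function names are constructed for illustration.

```python
import json

# Constructed sample in the model.bim (TMSL JSON) layout; not taken from the issue.
SAMPLE_BIM = json.dumps({
    "model": {
        "tables": [{"name": "fact_Sales"}, {"name": "fact_Budget"}, {"name": "dim_Date"}],
        "roles": [
            {"name": "Sales", "modelPermission": "read", "tablePermissions": [
                {"name": "fact_Sales", "filterExpression": "[Region] = \"EU\""},
                {"name": "fact_Budget", "filterExpression": ["", "  "]},
            ]},
            {"name": "Finance", "modelPermission": "read", "tablePermissions": [
                {"name": "fact_Budget", "filterExpression": "FALSE()"},
                {"name": "dim_Date", "metadataPermission": "none"},
            ]},
            {"name": "Auditor", "modelPermission": "read"},
        ],
    }
})


def _expr(perm):
    """Return the filter expression as one string (TMSL allows a string or a list of lines)."""
    value = perm.get("filterExpression") or ""
    return "\n".join(value) if isinstance(value, list) else value


def blank_rls(bim_text, prefix="fact_"):
    """List (role, table, reason) for every prefixed table with no effective RLS filter."""
    model = json.loads(bim_text)["model"]
    tables = [t["name"] for t in model.get("tables", []) if t["name"].startswith(prefix)]
    findings = []
    for role in model.get("roles", []):
        perms = {p["name"]: p for p in role.get("tablePermissions", [])}
        for table in tables:
            if table not in perms:
                findings.append((role["name"], table, "no TablePermission"))
            elif not _expr(perms[table]).strip():
                findings.append((role["name"], table, "blank FilterExpression"))
    return findings


if __name__ == "__main__":
    for role, table, reason in blank_rls(SAMPLE_BIM):
        print(f"{role}: {table}: {reason}")
```

Findings with the reason "no TablePermission" correspond to the first rule in the reply (all tables), and "blank FilterExpression" to the second (existing TablePermission objects only).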
