l14: access rights and triggers
TRANSCRIPT
1
i-viewsUniversityPart14:AccessRightsandTriggers
22
AccessRightsandTriggers
PatrickCloshen
SoftwareEngineer
intelligentviews gmbh
Today‘s Speaker
33
AccessRightsandTriggers
AccessRights
• Basics
• ExecutionTree
• Filters/OperationParameters
• TestEnvironment
Triggers
• Basics
• Composition
• Editing
• TestEnvironment
44
AccessRightsandTriggers
AccessRights - Basics
Why AccessRights?• To ensure atopical workspace (see only the part of the network the user needs)
• Only defined user groups get to see and work with sensitivedata;meet possible privacy andconfidentiality restrains
TheAccessRightsSystemis connected to the Semantic Network• Usershave to be objects inthe network to be granted access rights
• Any type,object or propertycan be affectedby the access rightssystem
55
AccessRightsandTriggers
AccessRights - Basics
Therights system is role based.
66
AccessRightsandTriggers
Beforetheaccessrightssystemcanbeused,ithastobeactivated.
ThiscanbeachievedintheKnowledge-Builder:• Settingsà Tab„System“à „Rights“àActivateaccess rights
• Selectthetypeoftheobjectswhichshallbegrantedordeprivedofrights,e.g.Employee
• Byactivatingtheaccessrightssystem,anattributetypecalled„password“willbecreatedautomatically(forthewebfrontend)
AccessRights - Basics
77
AccessRightsandTriggers
Acomplete rightdefinitionconsistsoffourcomponents:
• User: Apersonor persongroupdefined inthe network;Thegroupingofpersons(e.g.fromacommondepartment)canbe realizedbyacommonobjecttypeorextensionor bycreatingrelationsbetweenthem
• Operation: Definesaspecifictypeofactivityoftheuserwhichistoberegulated,e.g.read,create,read onlyattributes
• Target: Oneormoresemanticelementsofthenetworkonwhichtheoperationwouldoccur;targets can be selectedeitherbypropertyfiltersorthroughstructured queries
• Decider: Defineswhethertheoperationonthetargetispermittedorprohibitedfortheuser
Paul Delete Description
AccessRights - Basics
88
AccessRightsandTriggers
Itis possible to omitoneormorecomponentswithinarightdefinition• Result:Theright encompasses allpossiblevaluesoftheomittedcomponent
• Example:Ifyou specifynotargetforaright,the right applies toall(semantic)elementstheuser canaccessthroughthe selectedoperation
AccessRights - Basics
99
AccessRightsandTriggers
• Theaccessrightssystemisstructuredlikeatree
• Thetreesbranchesaremadeupbythefilters
• Thebranchendswithadecision(toallowordenyaccess)
• Onceanactivitycommencesinthesemanticnetwork,theaccessrightstreeisbeing„traversed“beginningfromthetopuntilanaccesssituationmatches
• Onceadecisionhasbeenfound,theevaluationofthetreestopsuntilanewactivitytakesplace
• Ifnodecisionhasbeenfound,theactivityisprohibitedbydefault
AccessRights - ExecutionTree
1010
AccessRightsandTriggers
AccessRights - ExecutionTree
Thetree can be built up inapositiveor inanegativeway:• Positive:Everything is permitted unless it is specifically prohibited
• Negative:Everything is prohibited unless it is specifically permitted
• Both approaches can be mixed to formulate arule and exception structure:For example,project leaders areallowed to change any customer data except for the segment internalsecurity
• Since the evaluation of the tree stops once adecision has been reached,anexception need to be placed above therule
1111
AccessRightsandTriggers
• Defineswhichoperationsaretoberegulatedbytheright
• Operationsarestructuredinahierarchy;anoperationonahigherlevelencompassesallitssubsidiaryoperations
• Subsequentfiltersordecidersareonlyevalutediftheactivitymatchesthisfiltercriterium
AccessRights - FiltersOperationfilter
1212
AccessRightsandTriggers
AccessRights - FiltersPropertyfilter
• Definestheproperties(generictermforrelationsandattributes)forwhicharightisdefined
• Subsequentfiltersordecidersareonlyevalutediftheactivitymatchesthisfiltercriterium
• Restrictiononattributes:Onlytheselectedpropertiesmatchthefiltercriterium
• Exceptthefollowingproperties:Allbuttheselectedpropertiesmatchthefiltercriterium
1313
AccessRightsandTriggers
AccessRights - FiltersQueryfilter
• Definesthesemanticelementsforwhicharightisdefined
• Subsequentfiltersordecidersareonlyevalutediftheactivitymatchesthisfiltercriterium
• Canbeusedtofilteranyandallsemanticelementswithinthesemanticnetwork
• Isusedtodefinetowhichusersarightshallapply
1414
AccessRightsandTriggers
AccessRights - FiltersQueryfilter
• Theoperationparametersallowtodefinethesemanticelementswhicharepassedtothestructuredquery
• IfAccessedelementischosen,thesemanticelementonwhichtheactivitytobeevaluatedoccuredispassed
• If(Super)type ischosen,thetypeofthesemanticelementonwhichtheactivitytobeevaluatedoccuredispassed(iftheaccessedsemanticelementisatype,itssupertypeispassedinstead)
• Thesemanticelementsselectedbytheoperationparametersarecomparedwiththeresultsofthestructuredquery
1515
AccessRightsandTriggers
AccessRights - FiltersQueryfilter
• Allparametersmustmatch:Allsemanticelementsdefinedbytheoperationparametersmustmatchtheresultsofthestructuredquery
• Anyparametermustmatch:Atleastonesemanticelementdefinedbytheoperationparametersmustmatchtheresultsofthestructuredquery
• Querymustbesatisfied:Thesemanticelementsfoundbythestructuredquerymustmatchthesemanticelementsprovidedbytheoperationparameters
• Querymaynotbesatisfied:Allbutthesemanticelementsfoundbythestructuredquerymustmatchthesemanticelementsprovidedbytheoperationparameters
1616
AccessRightsandTriggers
AccessRights - FiltersQueryfilter
• ChoosingadifferentoperationparameterthanAccessedelementmaybehelpfultodecreasethecomplexityofthequery
• Itbecomesnecessaryiftheaccessedsemanticelementdoesnotexistyet
• Forexample,ifnobodyshallcreateanewemployee,thiscanbeachievedbystatingthatsemanticelementswhose(super)typematchestheresultofaquerywhichsearchesforobjecttypesnamed"Employee"mustnotbecreated
1717
AccessRightsandTriggers
TestEnvironment
You can test access rights inthe test environment;testcasesarestoreduntildeleted
1818
AccessRightsandTriggers
TestEnvironment
Enterauser you want to testthe access rights for.Define theelement onwhich aoperation
is to be tested.Selectaproperty andan
operation.Incaseofarelation,selecttherelationtarget.
1919
AccessRightsandTriggers
Triggers• Basics
• Composition
• Editing
• Testing
2020
AccessRightsandTriggers
Triggers- Basics
• React to changes inthe semantic graph database• Reactionsmayincludesendingemailsorsettinginfoflagsatobjectsconnectedtotheafflictedtopics
• Controldependent data and adjust as desired
• Createaworkflow to react to certain events taking place
• Automate common tasks
• Logchanges
2121
AccessRightsandTriggers
Triggers- Basics
Activatingtriggers
Triggersneedtobeactivatedbeforetheycanbeused.
ThiscanbeachievedintheKnowledge-Builder:• Settingsà Tab„System“à „Trigger“àTriggersactivated
2222
AccessRightsandTriggers
Triggers- Composition
Similar to the rights system
Everyoperation is connected to the trigger system and can be determined
Compose access filters and set when and how to react to hits that maptothose filters• When means either before the change,directly afterthe change,or atthe endof the transactionwhen allchangeshave taken place
2323
AccessRightsandTriggers
Triggers– Composition
1. Settingthe operation• Operations list analogous to the rights system
2424
AccessRightsandTriggers
Triggers- Composition
2.Filtering the object to be controlled• Easiest and quickestwayis to filter viaproperty filter
2525
AccessRightsandTriggers
Triggers- Composition
You can alsocreate afiltering search (although decreasing performance)
Createafiltering search that detects the intented topic,set filtering conditionand specify what is goingto be filtered (viaoperationparameter(s))
2626
AccessRightsandTriggers
Triggers- Composition
Selectand configure the action that is going to take place once anaccess matches
2727
AccessRightsandTriggers
Triggers- Editing
Thescript trigger panel indetail:
Execution time:Before/aftermodification,endof transactionjobclient
Executeonce:setswhether several changes willbe computedby this trigger inone go
Refactoring data setting:setswhether trigger is activeduring refactoring operations,e.g.changing typeor relationtargets
2828
AccessRightsandTriggers
Triggers- Editing
OperationParameter• Choose what willbe passed to the trigger script (as „parameter“),typicallyapropertyfor detailed work or theparentelementformore direct access
2929
AccessRightsandTriggers
Triggers- Editing
Thescript panel:• No transaction setting isneeded,the context always provides awriting transaction
• Registrytab is forregistering script
3030
AccessRightsandTriggers
Triggers- TestEnvironment
Asit is with the rights system,the trigger system provides atestbench:• Select„Trigger“inthe Technicalsection and press„OpenTestbench“inthe lower right corner
Choose the operationSelectthe property from theleft panel,incursive if notyet
created
3131
AccessRightsandTriggers
Homework
1. Activatetheaccessrightsandtriggersystems
2. Usersofarolecalled„Editor“shallbeallowedtoalternamesande-mailaddressesonpersons,butshallnotbeallowedtoalterapersonnelnumber
3. Createatrigger that reacts to changing the run-timeof asong to compute the totalrun-timeof thecontaining album (may need adaptation to model to accommodate the new property atalbum)
3232
AccessRightsandTriggers
Sendyour questions to:[email protected]
Consultationhours:EveryWednesday
Thank you for visitingi-viewsUniversity
3333
AccessRightsandTriggers
UnsereneuenIcons