FrontBase logo

FrontBase Documentation

 FrontBase logo

Backtrack:
  Welcome!
    4. Administering a FrontBase Server
 Updated: 20-Nov-2000
prevnext
Table of Contents

4.8. Row Level Privileges

FrontBase offers a unique feature called Row Level Privileges, which allows you to specify access privileges for individual rows. Each row is said to be owned by a specific user and belonging to a specific group. Access privileges (SELECT, UPDATE, and DELETE) for a row can be specified for the owner, the group, and the world.

Invoking Row Level Privileges

To use the Row Level Privileges feature, a given database has to be initialized with the feature given as an option. Start a FrontBase from the command line as follows:

FrontBase/bin/FrontBase -rlpriv <database name>

You can also specify the -rlpriv option when creating a database with the FBManager and FBWebManager tools.

Once invoked, the option is recorded in the database. You don't need to specify the option when the database server is subsequently stopped and started.

Managing the meta data

You can create and drop groups when CURRENT_USER is _SYSTEM using these SQL statements:

CREATE GROUP <group-name>;
DROP GROUP <group-name> RESTRICT|CASCADE;

You can add and drop users to a group when CURRENT_USER is _SYSTEM using these SQL statements:

ALTER GROUP <group-name> ADD USER <user-name>;
ALTER GROUP <group-name> DROP USER <user-name>;

You can change the default group of a user when CURRENT_USER is either _SYSTEM or <user-name> using this SQL statement:

ALTER USER <user-name> SET DEFAULT GROUP <group-name>;

You can change the default row privileges for a table when CURRENT_USER is either _SYSTEMor <user-name> using this SQL statement:

ALTER TABLE <table-name> SET DEFAULT PRIVILEGES(<row-privileges>)
    [USER <user-name>];

If <user-name> is not given, the current user is assumed. The <row privileges> argument has the following BNF form: 

<row privileges> ::= <row privs> | <row privileges> , <row privs>
<row privs>      ::= <owner privs> | <group privs> | <world privs>
<user privs>     ::= USER = * | <priv mask>
<group privs>    ::= GROUP = * | <priv mask>
<world privs>    ::= * = * | <priv mask>
<priv mask>      ::= <priv> | <priv mask> + <priv>
<priv>           ::= SELECT | UPDATE | DELETE

Example:

ALTER TABLE T0
    SET DEFAULT PRIVILEGES(USER=*, GROUP=SELECT+UPDATE, *=SELECT);

Managing the content data

You can change the privileges, owning group, or owning user of rows of a table using the UPDATE SQL statement. CURRENT_USER must either be _SYSTEM or own the affected rows.

UPDATE <table-name> SET PRIVILEGES (<row-privileges>)
    [WHERE <cond-expr>];
UPDATE <table-name> SET GROUP <group-name>
    [WHERE <cond-expr>];
UPDATE <table-name> SET USER <user-name>
    [WHERE <cond-expr>];

SELECTing the access privileges for a row

The owner, group, and privileges for a given set of rows can be fetched with this SQL statement:

SELECT USER, GROUP, PRIVILEGES FROM <table>
    WHERE <cond-expr>;

By wrapping the SELECT in a VIEW, the values can be used in queries:

CREATE VIEW(ROW_OWNER, ROW_GROUP, ROW_PRIVS) T0_PRIVS
    SELECT USER, GROUP, PRIVILEGES FROM T0;
SELECT * FROM T0_PRIVS WHERE ROW_OWNER = '<user-name>';

If you have feedback or questions on this document, please send e-mail to doc-feedback@frontbase.com. Please reference the section number and topic. Thanks!!

©2000 FrontBase, Inc. All rights reserved.