Data Access Control (DACs)

Database Management Reference Manual

Introduction to Database Concepts : Data Access Control (DACs)

Data Access Control (DACs)

Data Access Control (DAC) is the mechanism that protects information handled by the system from accidental or unauthorised manipulation.

The basic access control available is known as 'Team Owning Databases'. It implements access control on database level by simply giving the members of the team owning the database full access and others read-only to data held in particular databases.

A more sophisticated access control is implemented in the form of Access Control Rights (ACRs). ACR allows the administrator of the system to apply a more fine grained access control over the model. The following figure illustrates the DAC database hierarchy.

An ACR is defined through two entities:

•

A ROLE, which is a collection of rules called Permissible Operations (PEROPs).

•

A SCOPE, which defines to what part of the model the ROLE applies. The SCOPE may be an expression, e.g. all ZONE WHERE (FUNC eq 'TEAMA')

A PEROP defines the access rights given for a number of pre-defined operations for one or more elements.

One or more ACRs may be assigned to a user granting and denying access to the model.

For a user to gain update access to a particular element two rules apply:

•

At least one PEROP in a ROLE assigned to a USER must grant the update operation.

•

No one PEROP must explicitly deny the operation.

Management tools are available for DAC through the ADMIN module. Control of DAC is also available through PML.

A PEROP consists of three parts:

•

The Element it applies to

•

The operations which can be performed on those elements

•

Optionally the Attributes that may be modified.

The PEROP may further restrict the elements it applies to by a qualifying condition. The qualifying conditions is an AVEVA E3D™ statement that should evaluate to true to qualify the PEROP.

The following operations are available through PEROPs

Create
Modify
Delete
Claim
Issue
Drop
Output
Export
Copy

Each of these operations may be set to


Allow	The operation is permitted
Disallow	The operation is not permitted
Ignore	The PEROP does not define whether this operation is permitted or not

Optionally the PEROP may further restrict which attributes it allows modification to by specifying a list of attributes that it either includes or excludes from allowing modification to.

The PEROP also holds the message that the system will issue if the PEROP denies attempted operation.

1974 to current year. AVEVA Solutions Limited and its subsidiaries. All rights reserved.