Scenario 2: Group Restrictions
Description: Another security architect Carly from Company XYZ now wants to enforce a policy that only folks in the engineering group should be able to see feature design specifications, and that only folks in the finance group should be able to read and update documents with pricing information. This scenario will show the interaction between QBAC and Compartment Security. For more information about Compartment Security, see Compartment Security.
Carly didn't need to use compartment security here because there is only one dimension of access, but she thinks she may have others and wants them to be intersectional. Since the update policy is of the form if (query) then Deny
, we need to also put the negated queries on the roles that we want to exclude, so the implementation is a little more complicated.
Mike is a contractor who works for Company XYZ. He is only able to read the documents marked with "group-all" in the metadata. He cannot see any other documents in the database. Carly sets up a user for him and grants permissions through user queries, which are restrictive.
To run through the example, follow the steps in each subsection.