M1: Rights Provided Via Encrypted Database Role

With this method, the user whose logon data is explicitly specified in the authentication configuration file does not hold the full set of database rights needed to work with Valuemation. That user can only connect to the database and read authorization data that allows it to activate a pre-defined database role, and it is this role that provides the full set of database rights. The authorization data is stored in the database in encrypted form and can be decrypted and read only by Valuemation.

In order to implement this method, the following needs to be done:

A user who is the owner of Valuemation database objects needs to:

The 'Gen User' is then used to:

Note: The quoted terms introduced in the list above ('Gen User' and so on) are placeholder names used only for the sake of explanation.

If the preparation steps listed above have been carried out correctly, the following happens at runtime:

When Valuemation starts and connects to the database, it first examines the table that is supposed to contain the encrypted logon data (AMT_Info): whether the table exists, whether it contains any data, and whether that data can be decrypted.

  • If any of these checks fails (no table, no data, decryption fails), Valuemation skips the database role assignment and assumes that the currently logged-on user already has sufficient database rights.

    (In most cases this scenario means that method 1 has not been used.)

  • If the AMT_Info data is decrypted successfully, Valuemation uses the decrypted data to issue the 'Set Role' SQL command, which activates the 'Full Access Role' for the 'Init User'.
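The database-side set-up that the runtime sequence above relies on, shown here as an added illustration in Oracle SQL; this is not Valuemation's own script, and the schema, user, role and password values are placeholders. The key point is that the role is password-protected and not a default role, so the 'Init User' session holds only its limited rights until 'Set Role' succeeds.

```sql
-- Added illustration (not Valuemation's own scripts). Placeholder names:
--   VM_OWNER         schema owning the Valuemation objects, including AMT_Info
--   VM_INIT_USER     the 'Init User' named in the authentication config file
--   VM_FULL_ACCESS   the 'Full Access Role'
-- Run the set-up statements as the object owner or a DBA.

-- S1: a password-protected role carrying the full set of rights.
CREATE ROLE vm_full_access IDENTIFIED BY "<ROLE-PASSWORD-PLACEHOLDER>";
GRANT SELECT, INSERT, UPDATE, DELETE ON vm_owner.amt_example_table TO vm_full_access;
-- ... one GRANT per Valuemation object (typically a generated script).

-- S3: the Init User can only connect and read the encrypted logon data.
CREATE USER vm_init_user IDENTIFIED BY "<USER-PASSWORD-PLACEHOLDER>";
GRANT CREATE SESSION TO vm_init_user;
GRANT SELECT ON vm_owner.amt_info TO vm_init_user;

-- The role is granted but must NOT be a default role; with DEFAULT ROLE
-- the limited user would hold the full rights without ever calling SET ROLE.
GRANT vm_full_access TO vm_init_user;
ALTER USER vm_init_user DEFAULT ROLE NONE;

-- S2/S4 (generating and encrypting the AMT_Info content with the 'Gen User')
-- are done through Valuemation itself and are not shown here.

-- Runtime: what Valuemation issues with the decrypted AMT_Info data,
-- in a session connected as VM_INIT_USER.
SET ROLE vm_full_access IDENTIFIED BY "<ROLE-PASSWORD-PLACEHOLDER>";

-- Check: before SET ROLE this returns no rows; afterwards it lists
-- VM_FULL_ACCESS, and only for this session.
SELECT role FROM session_roles;
```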

In This Chapter

S1: Create a database role with a full set of rights

S2: Create a database user generating the authorization data

S3: Create a database user with limited set of rights

S4: Generate the authorization data

Notes and Recommendations

See Also

Enhancing Security of Oracle Database Connection

M2: Encrypting the Authentication Config File