Scenario: ExampleBANK using row and column access control - Data queries
With row and column access control, people in different roles can have different result sets from the same database queries. For example, Newton, a teller, cannot see any data of clients outside of their branch.
Newton, Zurbie, and Plato each connect to the database and try
the following SQL query:
SELECT * FROM RCACTSPM.CUSTOMER;
Results of the query vary according to who runs the query. The row and column access control rules created by the security administrator are applied on these queries.
Here is the result set Newton sees:
ACCOUNT             NAME                      INCOME BRANCH
------------------- -------------------- ----------- ------
xxxx-xxxx-xxxx-4444 Alice                      22000 A
xxxx-xxxx-xxxx-5555 Bob                        71000 A

  2 record(s) selected.
Newton, being a teller at branch A, can see only ExampleBANK clients that belong to that branch.
Here is the result set Zurbie sees:
ACCOUNT             NAME                      INCOME BRANCH
------------------- -------------------- ----------- ------
xxxx-xxxx-xxxx-4444 Alice                      22000 A
xxxx-xxxx-xxxx-5555 Bob                        71000 A
xxxx-xxxx-xxxx-6666 Carl                      123000 B
xxxx-xxxx-xxxx-7777 David                     172000 C

  4 record(s) selected.
Zurbie, being a customer service representative, can see all ExampleBANK clients in the system, but not their full account number unless he uses the ACCOUNTS.ACCTUPDATE application. Since this query was issued outside of ACCOUNTS.ACCTUPDATE, part of that number is masked.
Here is the result set Plato sees:
ACCOUNT             NAME                      INCOME BRANCH
------------------- -------------------- ----------- ------
xxxx-xxxx-xxxx-4444 Alice                      22000 A
xxxx-xxxx-xxxx-5555 Bob                        71000 A
xxxx-xxxx-xxxx-6666 Carl                      123000 B
xxxx-xxxx-xxxx-7777 David                     172000 C

  4 record(s) selected.
Plato, being a telemarketer, can see all ExampleBANK clients in the system.
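
The rules that produce these result sets are not shown on this page. As an added illustration (not the scenario's own definitions), the following Db2 statements sketch row permissions and a column mask that would yield the three result sets above. The role names TELLER, CSR and TELEMARKETER, the lookup table RCACTSPM.INTERNAL_INFO (EMP_ID, HOME_BRANCH), the permission and mask names, and the 19-character ACCOUNT format are assumptions.

```sql
-- Added example. Assumed: roles TELLER, CSR, TELEMARKETER; a lookup table
-- RCACTSPM.INTERNAL_INFO(EMP_ID, HOME_BRANCH); ACCOUNT stored as
-- 'nnnn-nnnn-nnnn-nnnn' (19 characters).

-- Row permission: a teller sees only rows for their own branch (Newton).
CREATE PERMISSION TELLER_ROW_ACCESS ON RCACTSPM.CUSTOMER
  FOR ROWS WHERE
    VERIFY_ROLE_FOR_USER(SESSION_USER, 'TELLER') = 1
    AND BRANCH = (SELECT HOME_BRANCH
                    FROM RCACTSPM.INTERNAL_INFO
                   WHERE EMP_ID = SESSION_USER)
  ENFORCED FOR ALL ACCESS
  ENABLE;

-- Row permission: customer service representatives and telemarketers
-- see every row (Zurbie, Plato). Multiple permissions on a table are ORed.
CREATE PERMISSION CSR_TM_ROW_ACCESS ON RCACTSPM.CUSTOMER
  FOR ROWS WHERE
    VERIFY_ROLE_FOR_USER(SESSION_USER, 'CSR') = 1
    OR VERIFY_ROLE_FOR_USER(SESSION_USER, 'TELEMARKETER') = 1
  ENFORCED FOR ALL ACCESS
  ENABLE;

-- Column mask: the full account number is returned only to a CSR whose
-- query runs inside the routine ACCOUNTS.ACCTUPDATE (assumed here to be
-- schema ACCOUNTS, specific name ACCTUPDATE). Every other access,
-- including an ad hoc SELECT by any role, gets only the last four digits.
CREATE MASK ACCOUNT_COL_MASK ON RCACTSPM.CUSTOMER
  FOR COLUMN ACCOUNT RETURN
    CASE
      WHEN VERIFY_ROLE_FOR_USER(SESSION_USER, 'CSR') = 1
           AND ROUTINE_SCHEMA = 'ACCOUNTS'
           AND ROUTINE_SPECIFIC_NAME = 'ACCTUPDATE'
        THEN ACCOUNT
      ELSE 'xxxx-xxxx-xxxx-' || SUBSTR(ACCOUNT, 16, 4)
    END
  ENABLE;

-- Rules take effect only once access control is activated on the table.
-- After activation, a user matching no row permission sees zero rows.
ALTER TABLE RCACTSPM.CUSTOMER ACTIVATE ROW ACCESS CONTROL;
ALTER TABLE RCACTSPM.CUSTOMER ACTIVATE COLUMN ACCESS CONTROL;
```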