Column-Level Permission

In Veezoo, you have fine-grained control over your data through the ability to define roles and assign them to users. This allows you to dictate which users have access to which data based on their roles. You can extend this control even further by applying column-level permissions within classes using the for_user_role and not_for_user_role properties.

Granting Column-Level Permissions with for_user_role

When defining concepts such as class, number, boolean, date, etc., you can assign specific roles that are allowed to access this data by using the for_user_role property. This property can take multiple values corresponding to the names of roles that have been defined.

Here's an example:

kb {
    class Order {
        ...

        number Order_Total {
            name.en: "Order Total"
            synonym.en: ["Price", "Revenue", "Amount"]

            for_user_role: ["finance", "executive"]

            unit: onto.Currency.USD

            sql: "${ORDERS.order_total}"
        }
    }
}

In the above example, only users who have been assigned the role "finance" or "executive" are granted permission to view the Order_Total number.

Restricting Column-Level Permissions with not_for_user_role

On the other hand, you may want to exclude certain roles from accessing a concept. You can use the not_for_user_role property to specify roles that are not allowed to access this data.

Here's an example:

kb {
    class Customer {
        ...

        class Customer_Address {
            name.en: "Customer Address"
            synonym.en: ["Address"]

            not_for_user_role: "customer_support"

            sql: "${CUSTOMERS.address}"
        }
    }
}

In this example, users who are assigned the role "customer_support" are restricted from viewing the Customer_Address class. If multiple roles are specified, a user with any of the listed roles is prevented from viewing this data.

Caution

Make sure to carefully manage your role assignments and column-level permissions to ensure data security. Regularly review and update your roles and permissions to align with changes in job responsibilities and organizational structure.
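To support the periodic review recommended above, the following added example (not Veezoo's own code or tooling) extracts the for_user_role and not_for_user_role settings from a knowledge-base snippet and lists which roles can view each concept. The function names parse_permissions, can_view and audit are hypothetical, and the parser handles only the one-declaration-per-line syntax shown on this page. It assumes that a concept with neither property is visible to every role, that a listed not_for_user_role wins if both properties are set, and that nested concepts do not inherit settings from their parent class; the page does not specify these cases.

```python
import re
# Constructed sample, condensed from the two snippets on this page.
KB = '''
kb {
  class Order {
    number Order_Total {
      for_user_role: ["finance", "executive"]
      sql: "${ORDERS.order_total}"
    }
  }
  class Customer {
    class Customer_Address {
      not_for_user_role: "customer_support"
      sql: "${CUSTOMERS.address}"
    }
  }
}
'''

DECL = re.compile(r'^(class|number|boolean|date)\s+(\w+)\s*\{$')
PROP = re.compile(r'^(for_user_role|not_for_user_role)\s*:\s*(.+)$')

def parse_permissions(text):
    """Map each concept name to its for_user_role / not_for_user_role sets."""
    perms, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        decl, prop = DECL.match(line), PROP.match(line)
        if decl:
            stack.append(decl.group(2))
            perms[decl.group(2)] = {"for_user_role": set(), "not_for_user_role": set()}
        elif line.endswith("{"):
            stack.append(None)  # kb { ... } or any other non-concept block
        elif line == "}" and stack:
            stack.pop()
        elif prop and stack and stack[-1]:  # accepts "role" and ["a", "b"] forms
            perms[stack[-1]][prop.group(1)].update(re.findall(r'"([^"]+)"', prop.group(2)))
    return perms

def can_view(rule, user_roles):
    """Assumed evaluation: any listed deny role wins; an allow list must match."""
    roles = set(user_roles)
    if roles & rule["not_for_user_role"]:
        return False
    return not rule["for_user_role"] or bool(roles & rule["for_user_role"])

def audit(text, roles):
    """Return {concept: sorted roles that can view it} as a review table."""
    return {name: sorted(r for r in roles if can_view(rule, [r]))
            for name, rule in parse_permissions(text).items()}
```

Calling audit(KB, ["finance", "executive", "customer_support"]) gives a per-concept list of roles that can be compared against the intended access matrix during a review.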