Data separation (Beta)

You can use data separation to separate data by data spaces, and restrict members of a data space to view only the data that belongs to the data space.

Overview

Data separation enables you to separate the business data for different user groups. For example, in an organization that has a large number of resources from multiple departments, each resource manager can manage any resource from any department. You may want to restrict resource managers from a specific department to manage only resources within their own department, but not resources from other departments.

Data options

You can separate the following data by data spaces:

  • Organization units
  • Users
  • Resources
  • resources pools
  • Teams
  • Requests

Data separation steps

To use data separation, follow these high-level steps:

Step Details
Preparation

To use data separation, prepare the following:

  1. Define data spaces
  2. Associate PPM users with data spaces
  3. Separate data by data spaces
Customize validations if needed Customize the associated validations, if needed. For details, see Customize associated validations.
Enable feature toggles Enable the related feature toggles. For details, see Enable feature toggles.

Note: Data separation works in conjunction with the existing authorization methods. To view and access specific data, you should have the required access grants.

Back to top

Preparation

This section describes the preparation work you need to do before using data separation.

Define data spaces

Define data spaces by customizing the database view ppm_data_space_v.

You can define data spaces based on primary organization units, security groups, or your custom criteria. In the following sections of this topic, an example is provided to demonstrate the process of defining data spaces based on primary organization units. For details, see the Create data space meta data part in the Data separation example.

The following columns are required for the view:

Column Description
data_space_name The name of the data space.
data_space_id The ID of the data space. It can be number or any text.

Associate PPM users with data spaces

Associate PPM users with the data space by customizing the database view ppm_data_space_member_v.

The following columns are required for this database view:

Column Description
user_id The ID of the PPM user.
data_space_id The ID of the data space with which the PPM user is associated.

The Create data space member view part in the Data separation example shows the process of associating PPM users with data spaces based on primary org units.

Separate data by data spaces

By default, full data access is granted for all members in the system. To restrict members of a data space to view only the data that belong to the data space, you need to separate the data by data spaces.

Data to separate Details
Separate users

Customize the ppm_data_space_user_v database view.

The following columns are required for the view:

  • user_id. The ID of the PPM user.
  • data_space_id. The ID of the data space that has access to the PPM user.

For example, see the Create user data view part in the Data separation example.

Separate resources

Customize the ppm_data_space_resource_v database view.

The following columns are required for the view:

  • resource_id. The ID of the resource.
  • data_space_id. The ID of the data space that has access to the resource.

For example, see the Create resource data view part in the Data separation example.

Separate resource pools

Customize the ppm_data_space_resource_pool_v database view.

The following columns are required for the view:

  • resource_pool_id. The ID of resource pool.
  • data_space_id. The ID of the data space that has access to the resource pool.

For example, see the Create resource pool data view part in the Data separation example.

Separate teams

Customize the ppm_data_space_team_v database view.

The following columns are required for the view:

  • team_id. The ID of the team.
  • data_space_id. The ID of the data space that has access to the team.

For example, see the Create team data view part in the Data separation example.

Separate org units

Customize the ppm_data_space_org_unit_v database view.

The following columns are required for the view:

  • org_unit_id. The ID of the org unit.
  • data_space_id. The ID of the data space that has access to the org units.

For example, see the Create org unit data view part in the Data separation example.

Separate requests

Customize the ppm_data_space_request_v database view.

The following columns are required for the view:

  • request_id. The ID of the request.
  • data_space_id. The ID of the data space that has access to the requests.

For example, see the Create request data view part in the Data separation example.

Back to top

Customize associated validations

After defining data spaces and separating data by data spaces, the next step is to customize the validations applied to the associated fields, if needed. This ensures that users can only access their authorized data when interacting with specific fields.

For example, after org units are separated by data spaces, you need to make sure that when selecting a parent org unit for a sub-org unit, only the org units explicitly permitted for the corresponding data space are available for selection. To do so, customize the validation used for selecting org units, as illustrated in the example below. For detailed steps on how to customize validations used by a field, see Use custom validations for OOTB fields.

Copy code
select org_unit_id  || '@' || krsc_utils.Get_Org_Unit_Region_Name(org_unit_id) || '@' || primary_flag as org_unit_id, org_unit_name  ,SUBSTR (SYS_CONNECT_BY_PATH (org_unit_name, '=>'), 3) hierarchy
        FROM KRSC_ORG_UNITS
        where UPPER(org_unit_name) like UPPER('?%')
        and (org_unit_name like upper(substr('?',1,1)) || '%'
        or  org_unit_name like lower(substr('?',1,1)) || '%')
        and enabled_flag = 'Y'
        and (
        exists (
        select 1 from KNTA_USER_SECURITY us, KNTA_ACCESS_SECURITY acs, knta_security_groups sg 
        where us.security_group_id = acs.security_group_id and acs.security_group_id = sg.security_group_id
        and sg.enabled_flag = 'Y' 
        and acs.access_grant_id = 1375 and us.user_id = [SYS.USER_ID]) 
        or
        org_unit_id in (select ou.org_unit_id from ppm_data_space_org_unit_v ou, ppm_data_space_member_v dsm where ou.data_space_id = dsm.data_space_id and dsm.user_id = [SYS.USER_ID] )
        or
        org_unit_id in (select ou.org_unit_id from krsc_org_units ou where ou.manager_id = [SYS.USER_ID] and exists(
            select 1 from KNTA_USER_SECURITY us, KNTA_ACCESS_SECURITY acs, knta_security_groups sg 
            where us.security_group_id = acs.security_group_id and acs.security_group_id = sg.security_group_id
            and sg.enabled_flag = 'Y' 
            and acs.access_grant_id = 132 and us.user_id = [SYS.USER_ID])  
            )
        )
        and (('[PRIMARY_FLAGHV]' = 'Y' and primary_flag = 'Y') OR
        '[PRIMARY_FLAGHV]' = 'N') CONNECT BY PRIOR org_unit_id = parent_org_unit_id start with parent_org_unit_id=-1
        order by org_unit_name

Back to top

Ignore control of data separation

For superusers who can ignore the control of data separation, assign the Ignore Data Separation Controlled Access access grant.

Caution: Assign this access grant with caution, to ensure the appropriate protection and control of sensitive information in the system.

Back to top

Enable feature toggles

After you set up the data spaces, separate data, and customize the associated validations, the last step is to enable the related feature toggles. For details on feature toggles, see Use feature toggles to turn on/off features.

Feature toggle Details
Data Separation

Enables the data separation feature.

Data Separation of Users

Enable Data Separation before enabling this feature.

Restricts members of a data space to view only the PPM users that belong to the data space.

You must also customize the ppm_data_space_user_v database view. For details, see Separate users.

Resource Data Separation

Enable Data Separation before enabling this feature.

Restricts members of a data space to view only the resources that belong to the data space.

You must also customize the ppm_data_space_resource_v database view. For details, see Separate resources.

Resource Pool Data Separation

Enable Data Separation before enabling this feature.

Restricts members of a data space to view only the resource pools that belong to the data space.

You must also customize the ppm_data_space_resource_pool_v database view. For details, see Separate resource pools.

Team Data Separation

Enable Data Separation before enabling this feature.

Restricts members of a data space to view only the teams that belong to the data space.

You must also customize the ppm_data_space_team_v database view. For details, see Separate teams.

Organization Unit Data Separation

Enable Data Separation before enabling this feature.

Restricts members of a data space to view only the org units that belong to the data space.

You must also customize the ppm_data_space_org_unit_v database view. For details, see Separate org units.

Request Data Separation

Enable Data Separation before enabling this feature.

Restricts members of a data space to view only the requests that belong to the data space.

You must also customize the ppm_data_space_request_v database view. For details, see Separate requests .

Back to top

Data separation example

The following example demonstrates how to define data spaces and separate data based on top-level org units in an Oracle database instance. Users belonging to any sub-org unit are able to access organization units, users, resources, resource pools,teams, and requests that were explicitly allowed for the top-level org unit.

Before customizing database views, perform the following tasks:

  1. Establish a hierarchical organization model that is comprised of top-level org units with sub-org units. The top-level org units must be primary org units and enabled. The sub-org units can be of the matrix org unit type. For details, see Create and manage organization units.

  2. Distribute users among the sub-org units.
  3. To ensure the separation of resource pools and teams by data spaces, set the ENFORCE_ORG_UNIT_FOR_RESOURCE_POOL_AND_TEAM parameter to true. By doing so, a primary org unit is required to be associated when creating a resource pool or team. For details, see Create a resource pool and Create a team.
Copy code
-- create data space meta data
create or replace FORCE view ppm_data_space_v as
select 
    org_unit_name as data_space_name,    
    to_char(org_unit_id) as data_space_id
from krsc_org_units ou
where ou.enabled_flag = 'Y' 
and ou.parent_org_unit_id = -1;


-- create data space member view
create or replace FORCE view ppm_data_space_member_v as
select 
    u.user_id,
    to_char(ou.org_unit_id) as data_space_id
from krsc_org_units ou, krsc_org_unit_members oum, knta_users u
where u.user_id = oum.user_id
and ou.enabled_flag = 'Y'
and ou.primary_flag = 'Y' 
and ou.org_unit_id = (
  select temp.org_unit_id
  from krsc_org_units temp
  where temp.parent_org_unit_id = -1
  connect by temp.org_unit_id = prior temp.parent_org_unit_id
  start with temp.org_unit_id = oum.org_unit_id
);

-- create resource data view
create or replace FORCE view ppm_data_space_resource_v  as
select 
    rsc.resource_id,
    to_char(ou.org_unit_id) as data_space_id
from krsc_org_units ou, krsc_org_unit_members oum, rsc_resources rsc
where rsc.user_id = oum.user_id
and ou.enabled_flag = 'Y'
and ou.primary_flag = 'Y' 
and ou.org_unit_id = (
  select temp.org_unit_id
  from krsc_org_units temp
  where temp.parent_org_unit_id = -1
  connect by temp.org_unit_id = prior temp.parent_org_unit_id
  start with temp.org_unit_id = oum.org_unit_id
);


-- create user data view
create or replace FORCE view ppm_data_space_user_v as
select 
    u.user_id,
    to_char(ou.org_unit_id) as data_space_id
from krsc_org_units ou, krsc_org_unit_members oum, knta_users u
where u.user_id = oum.user_id
and ou.enabled_flag = 'Y'
and ou.primary_flag = 'Y' 
and ou.org_unit_id = (
  select temp.org_unit_id
  from krsc_org_units temp
  where temp.parent_org_unit_id = -1
  connect by temp.org_unit_id = prior temp.parent_org_unit_id
  start with temp.org_unit_id = oum.org_unit_id
);

-- create resource pool data view
create or replace FORCE view ppm_data_space_resource_pool_v  as
select 
    rp.resource_pool_id, 
    to_char(ou.org_unit_id) as data_space_id
from krsc_org_units ou, rsc_resource_pools rp
where rp.org_unit_id is not null
and ou.enabled_flag = 'Y'
and ou.primary_flag = 'Y' 
and ou.org_unit_id = (
  select temp.org_unit_id
  from krsc_org_units temp
  where temp.parent_org_unit_id = -1
  connect by temp.org_unit_id = prior temp.parent_org_unit_id
  start with temp.org_unit_id = rp.org_unit_id
);

-- create team data view
create or replace FORCE view ppm_data_space_team_v as
select 
    t.team_id, 
    to_char(ou.org_unit_id) as data_space_id
from krsc_org_units ou, rsc_resource_pools rp, team_teams t
where t.resource_pool_id = rp.resource_pool_id
and rp.org_unit_id is not null
and ou.enabled_flag = 'Y'
and ou.primary_flag = 'Y' 
and ou.org_unit_id = (
  select temp.org_unit_id
  from krsc_org_units temp
  where temp.parent_org_unit_id = -1
  connect by temp.org_unit_id = prior temp.parent_org_unit_id
  start with temp.org_unit_id = rp.org_unit_id
);

-- create org unit data view
create or replace FORCE view ppm_data_space_org_unit_v as
select 
  org_unit_id,
  to_char(CONNECT_BY_ROOT org_unit_id) as data_space_id
from krsc_org_units o
connect by prior o.org_unit_id = o.parent_org_unit_id
start with org_unit_id in (
select 
  org_unit_id
from krsc_org_units ou
where ou.enabled_flag = 'Y' 
and ou.parent_org_unit_id = -1
 );

-- create request data view
create or replace FORCE view ppm_data_space_request_v  as
select 
    req.request_id,
    to_char(ou.org_unit_id) as data_space_id
from krsc_org_units ou, krsc_org_unit_members oum, kcrt_requests req
where req.created_by = oum.user_id
and ou.enabled_flag = 'Y'
and ou.primary_flag = 'Y' 
and ou.org_unit_id = (
  select temp.org_unit_id
  from krsc_org_units temp
  where temp.parent_org_unit_id = -1
  connect by temp.org_unit_id = prior temp.parent_org_unit_id
  start with temp.org_unit_id = oum.org_unit_id
);

Back to top