Data separation (Beta)
You can use data separation to separate data by data spaces, and restrict members of a data space to view only the data that belongs to the data space.
Overview
Data separation enables you to separate the business data for different user groups. For example, in an organization that has a large number of resources from multiple departments, each resource manager can manage any resource from any department. You may want to restrict resource managers from a specific department to manage only resources within their own department, but not resources from other departments.
Data options
You can separate the following data by data spaces:
- Organization units
- Users
- Resources
- resources pools
- Teams
- Requests
Data separation steps
To use data separation, follow these high-level steps:
Step | Details |
---|---|
Preparation |
To use data separation, prepare the following: |
Customize validations if needed | Customize the associated validations, if needed. For details, see Customize associated validations. |
Enable feature toggles | Enable the related feature toggles. For details, see Enable feature toggles. |
Note: Data separation works in conjunction with the existing authorization methods. To view and access specific data, you should have the required access grants.
Preparation
This section describes the preparation work you need to do before using data separation.
Define data spaces by customizing the database view ppm_data_space_v.
You can define data spaces based on primary organization units, security groups, or your custom criteria. In the following sections of this topic, an example is provided to demonstrate the process of defining data spaces based on primary organization units. For details, see the Create data space meta data part in the Data separation example.
The following columns are required for the view:
Column | Description |
---|---|
data_space_name | The name of the data space. |
data_space_id | The ID of the data space. It can be number or any text. |
Associate PPM users with data spaces
Associate PPM users with the data space by customizing the database view ppm_data_space_member_v.
The following columns are required for this database view:
Column | Description |
---|---|
user_id | The ID of the PPM user. |
data_space_id | The ID of the data space with which the PPM user is associated. |
The Create data space member view part in the Data separation example shows the process of associating PPM users with data spaces based on primary org units.
By default, full data access is granted for all members in the system. To restrict members of a data space to view only the data that belong to the data space, you need to separate the data by data spaces.
Data to separate | Details |
---|---|
Separate users |
Customize the ppm_data_space_user_v database view. The following columns are required for the view:
For example, see the Create user data view part in the Data separation example. |
Separate resources |
Customize the ppm_data_space_resource_v database view. The following columns are required for the view:
For example, see the Create resource data view part in the Data separation example. |
Separate resource pools |
Customize the ppm_data_space_resource_pool_v database view. The following columns are required for the view:
For example, see the Create resource pool data view part in the Data separation example. |
Separate teams |
Customize the ppm_data_space_team_v database view. The following columns are required for the view:
For example, see the Create team data view part in the Data separation example. |
Separate org units |
Customize the ppm_data_space_org_unit_v database view. The following columns are required for the view:
For example, see the Create org unit data view part in the Data separation example. |
Separate requests |
Customize the ppm_data_space_request_v database view. The following columns are required for the view:
For example, see the Create request data view part in the Data separation example. |
Customize associated validations
After defining data spaces and separating data by data spaces, the next step is to customize the validations applied to the associated fields, if needed. This ensures that users can only access their authorized data when interacting with specific fields.
For example, after org units are separated by data spaces, you need to make sure that when selecting a parent org unit for a sub-org unit, only the org units explicitly permitted for the corresponding data space are available for selection. To do so, customize the validation used for selecting org units, as illustrated in the example below. For detailed steps on how to customize validations used by a field, see Use custom validations for system fields.
select org_unit_id || '@' || krsc_utils.Get_Org_Unit_Region_Name(org_unit_id) || '@' || primary_flag as org_unit_id, org_unit_name ,SUBSTR (SYS_CONNECT_BY_PATH (org_unit_name, '=>'), 3) hierarchy
FROM KRSC_ORG_UNITS
where UPPER(org_unit_name) like UPPER('?%')
and (org_unit_name like upper(substr('?',1,1)) || '%'
or org_unit_name like lower(substr('?',1,1)) || '%')
and enabled_flag = 'Y'
and (
exists (
select 1 from KNTA_USER_SECURITY us, KNTA_ACCESS_SECURITY acs, knta_security_groups sg
where us.security_group_id = acs.security_group_id and acs.security_group_id = sg.security_group_id
and sg.enabled_flag = 'Y'
and acs.access_grant_id = 1375 and us.user_id = [SYS.USER_ID])
or
org_unit_id in (select ou.org_unit_id from ppm_data_space_org_unit_v ou, ppm_data_space_member_v dsm where ou.data_space_id = dsm.data_space_id and dsm.user_id = [SYS.USER_ID] )
or
org_unit_id in (select ou.org_unit_id from krsc_org_units ou where ou.manager_id = [SYS.USER_ID] and exists(
select 1 from KNTA_USER_SECURITY us, KNTA_ACCESS_SECURITY acs, knta_security_groups sg
where us.security_group_id = acs.security_group_id and acs.security_group_id = sg.security_group_id
and sg.enabled_flag = 'Y'
and acs.access_grant_id = 132 and us.user_id = [SYS.USER_ID])
)
)
and (('[PRIMARY_FLAGHV]' = 'Y' and primary_flag = 'Y') OR
'[PRIMARY_FLAGHV]' = 'N') CONNECT BY PRIOR org_unit_id = parent_org_unit_id start with parent_org_unit_id=-1
order by org_unit_name
Ignore control of data separation
For superusers who can ignore the control of data separation, assign the Ignore Data Separation Controlled Access access grant.
Caution: Assign this access grant with caution, to ensure the appropriate protection and control of sensitive information in the system.
Enable feature toggles
After you set up the data spaces, separate data, and customize the associated validations, the last step is to enable the related feature toggles. For details on feature toggles, see Use feature toggles to turn on/off features.
Feature toggle | Details |
---|---|
Data Separation |
Enables the data separation feature. |
Data Separation of Users |
Enable Data Separation before enabling this feature. Restricts members of a data space to view only the PPM users that belong to the data space. You must also customize the ppm_data_space_user_v database view. For details, see Separate users. |
Resource Data Separation |
Enable Data Separation before enabling this feature. Restricts members of a data space to view only the resources that belong to the data space. You must also customize the ppm_data_space_resource_v database view. For details, see Separate resources. |
Resource Pool Data Separation |
Enable Data Separation before enabling this feature. Restricts members of a data space to view only the resource pools that belong to the data space. You must also customize the ppm_data_space_resource_pool_v database view. For details, see Separate resource pools. |
Team Data Separation |
Enable Data Separation before enabling this feature. Restricts members of a data space to view only the teams that belong to the data space. You must also customize the ppm_data_space_team_v database view. For details, see Separate teams. |
Organization Unit Data Separation |
Enable Data Separation before enabling this feature. Restricts members of a data space to view only the org units that belong to the data space. You must also customize the ppm_data_space_org_unit_v database view. For details, see Separate org units. |
Request Data Separation |
Enable Data Separation before enabling this feature. Restricts members of a data space to view only the requests that belong to the data space. You must also customize the ppm_data_space_request_v database view. For details, see Separate requests . |
Data separation example
The following example demonstrates how to define data spaces and separate data based on top-level org units in an Oracle database instance. Users belonging to any sub-org unit are able to access organization units, users, resources, resource pools,teams, and requests that were explicitly allowed for the top-level org unit.
Before customizing database views, perform the following tasks:
-
Establish a hierarchical organization model that is comprised of top-level org units with sub-org units. The top-level org units must be primary org units and enabled. The sub-org units can be of the matrix org unit type. For details, see Create and manage organization units.
- Distribute users among the sub-org units.
- To ensure the separation of resource pools and teams by data spaces, set the ENFORCE_ORG_UNIT_FOR_RESOURCE_POOL_AND_TEAM parameter to true. By doing so, a primary org unit is required to be associated when creating a resource pool or team. For details, see Create a resource pool and Create a team.
-- create data space meta data
create or replace FORCE view ppm_data_space_v as
select
org_unit_name as data_space_name,
to_char(org_unit_id) as data_space_id
from krsc_org_units ou
where ou.enabled_flag = 'Y'
and ou.parent_org_unit_id = -1;
-- create data space member view
create or replace FORCE view ppm_data_space_member_v as
select
u.user_id,
to_char(ou.org_unit_id) as data_space_id
from krsc_org_units ou, krsc_org_unit_members oum, knta_users u
where u.user_id = oum.user_id
and ou.enabled_flag = 'Y'
and ou.primary_flag = 'Y'
and ou.org_unit_id = (
select temp.org_unit_id
from krsc_org_units temp
where temp.parent_org_unit_id = -1
connect by temp.org_unit_id = prior temp.parent_org_unit_id
start with temp.org_unit_id = oum.org_unit_id
);
-- create resource data view
create or replace FORCE view ppm_data_space_resource_v as
select
rsc.resource_id,
to_char(ou.org_unit_id) as data_space_id
from krsc_org_units ou, krsc_org_unit_members oum, rsc_resources rsc
where rsc.user_id = oum.user_id
and ou.enabled_flag = 'Y'
and ou.primary_flag = 'Y'
and ou.org_unit_id = (
select temp.org_unit_id
from krsc_org_units temp
where temp.parent_org_unit_id = -1
connect by temp.org_unit_id = prior temp.parent_org_unit_id
start with temp.org_unit_id = oum.org_unit_id
);
-- create user data view
create or replace FORCE view ppm_data_space_user_v as
select
u.user_id,
to_char(ou.org_unit_id) as data_space_id
from krsc_org_units ou, krsc_org_unit_members oum, knta_users u
where u.user_id = oum.user_id
and ou.enabled_flag = 'Y'
and ou.primary_flag = 'Y'
and ou.org_unit_id = (
select temp.org_unit_id
from krsc_org_units temp
where temp.parent_org_unit_id = -1
connect by temp.org_unit_id = prior temp.parent_org_unit_id
start with temp.org_unit_id = oum.org_unit_id
);
-- create resource pool data view
create or replace FORCE view ppm_data_space_resource_pool_v as
select
rp.resource_pool_id,
to_char(ou.org_unit_id) as data_space_id
from krsc_org_units ou, rsc_resource_pools rp
where rp.org_unit_id is not null
and ou.enabled_flag = 'Y'
and ou.primary_flag = 'Y'
and ou.org_unit_id = (
select temp.org_unit_id
from krsc_org_units temp
where temp.parent_org_unit_id = -1
connect by temp.org_unit_id = prior temp.parent_org_unit_id
start with temp.org_unit_id = rp.org_unit_id
);
-- create team data view
create or replace FORCE view ppm_data_space_team_v as
select
t.team_id,
to_char(ou.org_unit_id) as data_space_id
from krsc_org_units ou, rsc_resource_pools rp, team_teams t
where t.resource_pool_id = rp.resource_pool_id
and rp.org_unit_id is not null
and ou.enabled_flag = 'Y'
and ou.primary_flag = 'Y'
and ou.org_unit_id = (
select temp.org_unit_id
from krsc_org_units temp
where temp.parent_org_unit_id = -1
connect by temp.org_unit_id = prior temp.parent_org_unit_id
start with temp.org_unit_id = rp.org_unit_id
);
-- create org unit data view
create or replace FORCE view ppm_data_space_org_unit_v as
select
org_unit_id,
to_char(CONNECT_BY_ROOT org_unit_id) as data_space_id
from krsc_org_units o
connect by prior o.org_unit_id = o.parent_org_unit_id
start with org_unit_id in (
select
org_unit_id
from krsc_org_units ou
where ou.enabled_flag = 'Y'
and ou.parent_org_unit_id = -1
);
-- create request data view
create or replace FORCE view ppm_data_space_request_v as
select
req.request_id,
to_char(ou.org_unit_id) as data_space_id
from krsc_org_units ou, krsc_org_unit_members oum, kcrt_requests req
where req.created_by = oum.user_id
and ou.enabled_flag = 'Y'
and ou.primary_flag = 'Y'
and ou.org_unit_id = (
select temp.org_unit_id
from krsc_org_units temp
where temp.parent_org_unit_id = -1
connect by temp.org_unit_id = prior temp.parent_org_unit_id
start with temp.org_unit_id = oum.org_unit_id
);