/
Creating a Fine-Grain Access Control (FGAC)

Creating a Fine-Grain Access Control (FGAC)

Business case: Allow NTC advisors to see all overrides entered in SFASRPO, but can only add/delete/update override records with the ‘PRE-REQ’ Permit Type.

Identify or define a new domain - GTVFDMN

Filter GTVFDMN to determine if your domain exists. Domains should be named based on the affected table and should follow the following naming convention:

SB_SFRSRPO_VBS

  • S: Student

  • B: Banner

  • SFRSRPO: affected table

  • VBS: indicates that we are using value-based security on this domain.

Note the existing domain. To create a new domain:

Click Insert. Using the naming convention, define a new name and give it a description. Save.

image-20240719-131120.png

Connect the domain to the driver table - GORFDMN

If you created a new domain, connect it to its driver table in GORFDMN.

Click Insert. Select or enter the domain. Enter or select the driver table. Select or enter VBS. Save.

image-20240719-130819.png

Create/identify the business profile code - GTVFBPR

In this step we’re creating or identifying the code representing the group of individuals this rule applies to.

Select an existing business profile or create a new one by clicking Insert. Enter the code and Description. Save.

Business profiles are groups of individuals; these individuals are being grouped based on their need to do the task the rules allow them to do.

image-20240719-132942.png

Create/identify the group - GTVFGAC

A group is made up of one or more rules. In this step, we’re creating/identifying the group code we’ll later link the rules to.

Determine if a group exists to which you are adding this rule. If not, create a new group by clicking Insert. Enter the Code and Description. Save.

Groups should be named oriented with their function.

image-20240719-132623.png

Create the rules for the domain - GORFDPL

Important historical context

SQL has been historically entered in GORFDPL (domain) instead of GOAFGAC (group). Given the long-standing utilization of FGAC, when maintaining existing or creating new rules, use GORFDPL.

Ellucian recommends as a best practice, because domains are aligned with a table, refrain from creating domain level rules unless you have an exceptional circumstance. However, because this has been a historical practice, has not been problematic, and has given us the functionality needed, we will continue entering SQL in GORFDPL rather than GOAFGAC.

Click Insert. Select/enter the domain and table. Check the Active Indicator box. Save.

If you had to create a new domain in the first step OR you created a rule container for an existing domain with a new associated table: have a DBA run gfvbsaddpol.sql to create Oracle policies for all tables defined for the domain before moving to the next step. If available, use GORFDPS to create the policies instead of running the script.

If you used an existing domain + table combination, move to the next step after you’ve created the container. In this circumstance, running the script isn’t needed.

image-20240719-131643.png

Create rules for the group - GOAFGAC

Enter the group. Go.

Click Insert. Enter the domain you’re mapping to the group. Check the Active indicator. Press the keyboard Tab key to fill in the table previously mapped to the domain. Next block.

image-20240719-133946.png

Set access to predicate - GOAFGAC

In the Access to Predicate tab, select the business profile, or group of users, the rule applies to. Check the functions you want to apply this limitation to.

You could also or instead identify users for access to predicate settings. This could be helpful when testing: enter a user who may not be assigned to the business profile and use the same checkbox pattern as for the profile.

Save.

image-20240722-155153.png

Add users to the business profile - GOAFBPR

If the users this rule applies to has previously been established, you can skip this step.

Select/enter the Business Profile. Go.

Enter the User IDs for all users should should be in this business profile. Save.

Testing

Identify users

Identify a user in the business profile and a user NOT in the business profile. Impersonate these users in TEST.

In this example, we’re limiting those in the business profile to only adding/deleting/updating the PRE-REQ override code, but they need to see all existing overrides in SFASRPO.

Expected results

User in the business profile

  • All existing overrides are visible.

  • When attempting to enter a PRE-REQ override, the record is saved:

    image-20240719-140716.png

  • When attempting to enter a CAPACITY override, they get an error and the record is not saved:

    image-20240719-135007.png

  • When attempting to delete an existing CAPACITY override, they get an error and changes are not saved:

    InBP_Delete.mp4

  • When attempting to update an existing DEPARTMENT override, they get an error and changes are not saved:

    InBP_Update.mp4
User NOT IN the business profile

All existing overrides are visible, and the user can add/delete/update existing overrides with all changes saved.

Foundational concepts

The domain is mapped to a driver table (in GORFDMN).

The domain holds the SQL (in GORFDPL).

The group is mapped to the [domain + driver table] (in GOAFGAC).

The group is mapped to the business profile (in GOAFGAC > Access to Predicate).

Business profile examples

TUL_REG_ACDEP_USERS

Business profile

TUL_REG_ACDEP_USERS

Domain

TUL_REG_REGS

Driver table

SFTREGS

Group

TUL_REG_DEPT_USER

Exists (Select 'X'
from ssbsect
where sftregs_crn = ssbsect_crn
and sftregs_term_code = ssbsect_term_code
and (ssbsect_schd_code = 'HTH'
or ssbsect_schd_code = 'INT'
or ssbsect_schd_code = 'IND'))

TUL_REG_APMS_USERS

Business profile

TUL_REG_ACDEP_APMS_USERS

Domain

TUL_REG_APMS_REGS

Driver table

SFTREGS

Group

TUL_REG_APMS_DEPT_USERS

Exists (Select 'X'
from ssbsect
where sftregs_crn = ssbsect_crn
and sftregs_term_code = ssbsect_term_code and ((ssbsect_schd_code in ('HTH' ,'INT' ,'IND'))
or (ssbsect_subj_code = 'APMS')))

TUL_REG_ACDEP_USERS

Business profile

TUL_REG_ACDEP_USERS

Domain

TUL_REG_SECT

Driver table

SSBSECT

Group

TUL_REG_DEPT_USER

ssbsect_schd_code in ('HTH','IND','INT')

TUL_REG_XTLS_REGS

Business profile

TUL_REG_EXT_LS

Domain

TUL_REG_XTLS_REGS

Driver table

SFTREGS

Group

TUL_REG_EXT_LS

Exists (Select 'X'
from sorlcur
where sorlcur_pidm = sftregs_pidm
and sorlcur_levl_code in ('PR', 'P2', 'P3')

TUL_REG_XTCS_REGS

Business profile

TUL_REG_CONT_STUD_USERS

Domain

TUL_REG_XTCS_REGS

Driver table

SFTREGS

Group

TUL_REG_CONT_STUD_USERS

Exists (Select 'X'
from sorlcur
where sorlcur_pidm = sftregs_pidm
and sorlcur_coll_code = 'CS')

 

On this page