Row-Level Security Collection

Overview

This collection provides views to support both the Static and Dynamic row-level user security models described in Patterns for Row-Level User Security.

Views in this Collection

Installation

Install using the option code "RLS"

.\EdFi.AnalyticsMiddleTier.Console.exe -c "..." -o RLS

For more information, see the AMT Deployment Guide.

Configuration

The ODS does not provide a means for explicit mapping between a staff person or job title and the types of scope envisioned in this proposal. Implementers will therefore need to map staff to scopes, preferably through job title / classification. The Descriptor Mapping tables support this through mapping of Staff Classification descriptor values to the following Descriptor Constants:

  • AuthorizationScope.District
  • AuthorizationScope.School
  • AuthorizationScope.Section

As described in Analytics Middle Tier Deployment Guide, a set of stored procedures are available to aid in maintaining the mapping of classifications to scopes. Those using the RLS collection will need to identify the staff classifications that should be mapped to each of these three scopes and insert rows into the analytics_config.DescriptorMap  table accordingly (possibly using the analytics_config.rls_InsertStaffClassificationDescriptorScope stored procedure. For example, the following query lists the staff classifications in the default Ed-Fi template:

select 
	Descriptor.CodeValue 
from 
	edfi.StaffClassificationDescriptor
inner join 
	edfi.Descriptor on 
	StaffClassificationDescriptor.StaffClassificationDescriptorId = Descriptor.DescriptorId

Then for each staff classification, decide what scope, if any, to provide. The following table lists potential scope mappings - please analyze carefully before applying in your situation.

ClassificationScope
​Instructional Aide​none
School Administrator

AuthorizationScope.School

Librarians/Media Specialistsnone
Substitute TeacherAuthorizationScope.Section
Counselornone
PrincipalAuthorizationScope.School
TeacherAuthorizationScope.Section
Assistant PrincipalAuthorizationScope.School
Operational Supportnone
Superintendent

AuthorizationScope.District

Instructional CoordinatorAuthorizationScope.School
School LeaderAuthorizationScope.School
Assistant SuperintendentAuthorizationScope.District
Othernone
Support Services Staffnone
LEA SpecialistAuthorizationScope.District
State Administratornone (system is not designed for state use)
LEA AdministratorAuthorizationScope.District
School SpecialistAuthorizationScope.School
LEA System Administratornone

And each of these can be setup with a SQL stored procedure call like the following:

-- SQL Server
exec analytics_config.rls_InsertStaffClassificationDescriptorScope 'School Specialist', null, 'AuthorizationScope.School';
-- or
exec analytics_config.rls_InsertStaffClassificationDescriptorScope @StaffDescriptor = 'School Specialist', @Scope = 'AuthorizationScope.School';

-- PostgreSQL
call analytics_config.rls_InsertStaffClassificationDescriptorScope ('School Specialist', null, 'AuthorizationScope.School');
-- or
call analytics_config.rls_InsertStaffClassificationDescriptorScope (StaffDescriptor := 'School Specialist', Scope := 'AuthorizationScope.School');

Contents



Shared Instance Security Warning

The Row-Level Security collection requires an end date to be published on employment records to accurately reflect what staff are allowed to see.  A missing end date can cause a security risk in Shared Instances.  Any staff members missing employment dates may be able to inappropriately continue seeing student data if they move to another district in the same shared instance.