How to Properly Set Up a CSP Application (Security)?

Hi,

I posted this some weeks ago in the "old" ZEN Google Group; maybe someone here can help me understand how to properly set up a CSP application while benefiting from the built-in Caché security mechanism.

I've created a web application and want to add further security to it using the SMP. But... first things first.

I have two databases, let's say DB1-LOGIN and DB2-Application. Each of these DBs has a resource assigned. DB1-LOGIN has a resource %DB1-LOGIN which has a public permission of 'read'. DB2 has a resource as well, %DB2-Application, with no public access.

I have defined two roles, webapp-admin and webapp-user. Only webapp-admin and webapp-user are allowed to access DB2-Application. I've created two test users: test-admin (which has the webapp-admin assigned) and webapp-user (no special roles assigned). The CSP application in the SMP has application role webapp-user. So test-user is automatically a webapp-user. So far so good.

Q1 - Do the defined resources also need to be added to the CSP application's roles tab?
Q2 - How to set the required resource to run the CSP application (general tab - but the listbox does not show any of my defined resources)?
Q3 - How to assign the resource to the roles webapp-admin and webapp-user?
Q4 - Securing access to pages - ZEN page class parameter RESOURCE: how to define it under the given circumstances? I have pages which shall only be accessed by a webapp-admin. So I guess the parameter looks like RESOURCE = "webapp-admin:U". But how to define this "use" flag?

Best regards,

Sebastian


Comments

1. They must be granted to either application or user

2. Only resources of Service, Application and User type could be used there. %DB are database resources

3. SMP -> Menu -> View Roles -> Choose the role "webapp-admin" -> General Tab -> Privileges -> Add -> choose the resource -> OK -> Save

Repeat for webapp-user

4. Like this:

Parameter RESOURCE = "ResourceName1:Permission,ResourceName2,ResourceName3:Permission";

Where Permission is one of: READ, WRITE, USE

If Permission is skipped (see ResourceName2) then USE permission is checked.
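The RESOURCE format from point 4, as an added example that is not part of the original thread and is not InterSystems code: a small Python lint that parses a RESOURCE value, fills in the default USE, and rejects anything other than READ, WRITE or USE (such as the "webapp-admin:U" attempt in the question). The resource names and the `held` privilege map are constructed, and each list item is reported separately because the thread does not say how Caché combines them.

```python
# Added example: lint a Zen/CSP RESOURCE parameter value against the format
# described in the answer. All sample names below are constructed.
VALID_PERMISSIONS = {"READ", "WRITE", "USE"}  # spelled as in the answer


def parse_resource_spec(spec):
    """Return (entries, problems) for a RESOURCE parameter string.

    entries  -> list of (resource_name, permission), with USE filled in
                where the permission was omitted
    problems -> list of findings for malformed items
    """
    entries, problems = [], []
    for raw in spec.split(","):
        item = raw.strip()
        if not item:
            problems.append("empty list item")
            continue
        name, sep, perm = item.partition(":")
        name, perm = name.strip(), perm.strip()
        if not name:
            problems.append(f"{item!r}: missing resource name")
            continue
        if not sep:
            perm = "USE"  # permission skipped -> USE is checked
        elif perm not in VALID_PERMISSIONS:
            problems.append(f"{item!r}: permission must be READ, WRITE or USE")
            continue
        entries.append((name, perm))
    return entries, problems


def unmet(entries, held):
    """List the (resource, permission) pairs not covered by `held`,
    a dict mapping resource name -> set of permissions a user holds
    (a constructed model of the role's privilege list)."""
    return [(r, p) for r, p in entries if p not in held.get(r, set())]


if __name__ == "__main__":
    spec = "WebAppAdmin:READ,WebAppReports,WebAppData:WRITE"  # constructed
    entries, problems = parse_resource_spec(spec)
    held = {"WebAppAdmin": {"READ"}, "WebAppReports": {"READ"}}  # constructed
    print("entries:", entries)
    print("problems:", problems)
    print("not granted:", unmet(entries, held))
    print(parse_resource_spec("webapp-admin:U")[1])
```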

Hi,

Sorry for the late response. I've managed to set up the application, roles and privileges as suggested. My application uses a set of (currently) 20 stored procedures to fetch data from the server. The problem now is that webapp-admin and webapp-user have no permission to run these stored procedures. I thought it would be sufficient to add the DB resource to the roles to access these stored procedures. Does this mean that I need to add every single stored procedure to the SQL procedure tab in the role definition?

best regards,

sebastian

AFAIK only the owner of the class (set using the Owner keyword on the class, defaulting to _SYSTEM) has automatic rights to invoke all of the SQL stored procedures that the class implements (as classmethods with the SqlProc keyword). Anyone else who needs to be able to invoke them will need the right granting to them, either directly or via a role.

I think a "GRANT EXECUTE ON SCHEMA xyz TO roleA, roleB" should be sufficient to give users with roleA or roleB the ability to run any stored procedure defined by any class in your xyz package, even classes / procedures that you haven't yet written.

Hi,
I did use

GRANT EXECUTE ON SCHEMA MySchema ON WebApp-User,WebApp-Admin

Unfortunately this doesn't work. It tells me that reserved word SCHEMA was found. Could the hyphen (-) in the role names also be a problem?

best regards,

sebastian

Hi,

Well, my dev system runs 2014.1 - so I guess I have to add the procedures manually to the role. Thanks for the help.

Best regards,

Sebastian