Row-Level Security Collection
Overview
This collection provides views to support both the Static and Dynamic row-level user security models described in Patterns for Row-Level User Security.
Views in this Collection
- rls_UserStudentDataAuthorization View
- rls_UserAuthorization View
- rls_UserDim View
- rls_StudentDataAuthorization View
- rls_InsertStaffClassificationDescriptorScope Stored Procedure
- rls_RemoveStaffClassificationDescriptorScope Stored Procedure
- rls_ViewStaffClassificationDescriptorScope View
Installation
Install using the option code "RLS":

```
.\EdFi.AnalyticsMiddleTier.Console.exe -c "..." -o RLS
```
For more information, see the AMT Deployment Guide.
Configuration
The ODS does not provide a means for explicit mapping between a staff person or job title and the types of scope envisioned in this proposal. Implementers will therefore need to map staff to scopes, preferably through job title / classification. The Descriptor Mapping tables support this through mapping of Staff Classification descriptor values to the following Descriptor Constants:
- AuthorizationScope.District
- AuthorizationScope.School
- AuthorizationScope.Section
As described in the Analytics Middle Tier Deployment Guide, a set of stored procedures is available to aid in maintaining the mapping of classifications to scopes. Those using the RLS collection will need to identify the staff classifications that should be mapped to each of these three scopes and insert rows into the analytics_config.DescriptorMap table accordingly (possibly using the analytics_config.rls_InsertStaffClassificationDescriptorScope stored procedure). For example, the following query lists the staff classifications in the default Ed-Fi template:
```sql
select
    Descriptor.CodeValue
from
    edfi.StaffClassificationDescriptor
inner join
    edfi.Descriptor on
        StaffClassificationDescriptor.StaffClassificationDescriptorId = Descriptor.DescriptorId
```
Then for each staff classification, decide what scope, if any, to provide. The following table lists potential scope mappings - please analyze carefully before applying in your situation.
Classification | Scope |
---|---|
Instructional Aide | none |
School Administrator | AuthorizationScope.School |
Librarians/Media Specialists | none |
Substitute Teacher | AuthorizationScope.Section |
Counselor | none |
Principal | AuthorizationScope.School |
Teacher | AuthorizationScope.Section |
Assistant Principal | AuthorizationScope.School |
Operational Support | none |
Superintendent | AuthorizationScope.District |
Instructional Coordinator | AuthorizationScope.School |
School Leader | AuthorizationScope.School |
Assistant Superintendent | AuthorizationScope.District |
Other | none |
Support Services Staff | none |
LEA Specialist | AuthorizationScope.District |
State Administrator | none (system is not designed for state use) |
LEA Administrator | AuthorizationScope.District |
School Specialist | AuthorizationScope.School |
LEA System Administrator | none |
Each of these can be set up with a SQL stored procedure call like the following:
```sql
-- SQL Server
exec analytics_config.rls_InsertStaffClassificationDescriptorScope 'School Specialist', null, 'AuthorizationScope.School';
-- or
exec analytics_config.rls_InsertStaffClassificationDescriptorScope @StaffDescriptor = 'School Specialist', @Scope = 'AuthorizationScope.School';

-- PostgreSQL
call analytics_config.rls_InsertStaffClassificationDescriptorScope ('School Specialist', null, 'AuthorizationScope.School');
-- or
call analytics_config.rls_InsertStaffClassificationDescriptorScope (StaffDescriptor := 'School Specialist', Scope := 'AuthorizationScope.School');
```
The Row-Level Security collection requires an end date to be published on employment records to accurately reflect what staff are allowed to see. A missing end date can cause a security risk in Shared Instances. Any staff members missing employment dates may be able to inappropriately continue seeing student data if they move to another district in the same shared instance.
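The following audit query is an added example, not part of the Analytics Middle Tier project. It lists every staff classification with the scope it is currently mapped to, alongside the number of staff holding that classification on a record with no end date, so that over-broad mappings and open-ended records can be reviewed together. The columns of analytics_config.DescriptorMap, the analytics_config.DescriptorConstant table, and the use of edfi.StaffEducationOrganizationAssignmentAssociation as the relevant staff record are assumptions about the schema; verify them against your installation before relying on the output.

```sql
-- Added example: review classification-to-scope mappings and open-ended staff records.
-- Assumed schema (not shown on this page):
--   analytics_config.DescriptorMap(DescriptorConstantId, DescriptorId)
--   analytics_config.DescriptorConstant(DescriptorConstantId, ConstantName)
--   edfi.StaffEducationOrganizationAssignmentAssociation
--       (StaffUSI, StaffClassificationDescriptorId, EndDate)
select
    Descriptor.CodeValue as StaffClassification,
    -- 'none' means the classification grants no row-level access
    coalesce(ScopeMap.ConstantName, 'none') as MappedScope,
    -- staff whose record for this classification has no end date
    count(distinct Assignment.StaffUSI) as StaffWithNoEndDate
from
    edfi.StaffClassificationDescriptor
inner join
    edfi.Descriptor on
        StaffClassificationDescriptor.StaffClassificationDescriptorId = Descriptor.DescriptorId
left join (
    -- only the three authorization scope constants, not other descriptor mappings
    select
        DescriptorMap.DescriptorId,
        DescriptorConstant.ConstantName
    from
        analytics_config.DescriptorMap
    inner join
        analytics_config.DescriptorConstant on
            DescriptorMap.DescriptorConstantId = DescriptorConstant.DescriptorConstantId
    where
        DescriptorConstant.ConstantName like 'AuthorizationScope.%'
) as ScopeMap on
    ScopeMap.DescriptorId = Descriptor.DescriptorId
left join
    edfi.StaffEducationOrganizationAssignmentAssociation as Assignment on
        Assignment.StaffClassificationDescriptorId = Descriptor.DescriptorId
        and Assignment.EndDate is null
group by
    Descriptor.CodeValue,
    ScopeMap.ConstantName
order by
    MappedScope,
    StaffClassification;
```

A classification that appears on more than one row is mapped to more than one scope. In a shared instance, rows with a District or School scope and a non-zero StaffWithNoEndDate count are the ones to reconcile against HR records first.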