How to manage security with metadata

Center of Excellence
edited April 2023 in How-To Guides

1. Abstract

Security management is always a complex subject in large applications with wide perimeters: we often need to manage multiple roles and rights for a single user. The most practical way to handle this is through the Subscription Hub user metadata. Let's look at the advanced options of this feature.

2. Context

In addition to the standard user information (such as Name, Account Name, and Email Address) that you specify when you add a user account, you can create and manage custom user metadata that is unique and meaningful to your organization. For example, you can store information about a user's department, office location, and job role.

The User metadata section in the Subscription Hub allows you to create and manage custom user metadata fields. These fields will appear under the User metadata table in the user profile panel and can also be included in the Enrollment process request form.

The end user will also be able to review or edit this information under the "My Profile" page within the Board platforms he/she can access.

User metadata can be used in place of the User Security Selection feature of the Subscription Hub.

3. Content

Before the Subscription Hub, we were often faced with situations where we needed to create many security profiles to meet a client's needs, sometimes even a different security profile for each user.

With the Subscription Hub, these needs can be handled differently.

3.1 Managing security on defined entities

Let's see the following use case:

The need is to apply security on the two highlighted entities, TERRITORY LVL 2 and LOBS LVL 1

Before the Subscription Hub, we had to do one of the following (depending on the other requirements):

  • Create a DB profile for each existing combination (many DB profiles)
  • Or apply selections directly at user level

Now with the subscription hub, it is possible to create a single DB profile but with dynamic selections based on the user metadata.

To do so, we need to:

  • Step 1: Create two metadata fields corresponding to the two entities, as shown below:

Choose the drop-down type so that only a valid member code can be picked.

  • Step 2: Write the following script in either a DB profile or directly in the role.

Attention: this script fails if the metadata field is empty, so users who have no restriction must be assigned a different role.

  • Step 3: Fill in the metadata for the user.

3.2 Managing security on undefined entities

Sometimes we need to apply security on multiple entities that are not known in advance, for example selections on many hierarchies and at any level of the hierarchy. This case cannot be managed by creating a metadata field for each entity; it must be handled more dynamically.

  • Step 1: Create a generic metadata field.

Note that you must choose the text entry type.

  • Step 2: Use the SELECT command to define the perimeter. To select multiple members of an entity, separate them with a comma (,) and no spaces.
  • Step 3: Create a generic DB profile with a script as follows. Use the pipe (|) to chain SELECTs on multiple entities.

Remarks :

  • After creating or modifying metadata fields, the web server must be restarted for the changes to take effect.
  • Users can be imported from a CSV file, so all metadata settings can be managed through that file.
  • Check the syntax of the import file when a selection covers multiple members of an entity (the use of "Select xxx").
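As an added example (not Board's own code and not part of the original post), the following Python script pre-checks and builds the user import CSV described in the remarks above. It covers both the fixed metadata fields of section 3.1 and the generic SELECT string of section 3.2: it flags users with an empty field (whose var()-based DB profile would fail, so they need the unrestricted role), rejects member codes that do not exist in the entity, assembles the comma- and pipe-separated selection string, and quotes it so the commas survive the CSV import. The CSV column layout, the exact spelling of `SELECT <entity> = <members>`, and the entity member lists are assumptions for illustration.

```python
"""
Pre-flight check and CSV builder for Board user metadata driven security.

Added example, not Board's own code. Labelled assumptions:
  * the import CSV has one row per user: an 'Account Name' column plus one
    column per metadata field (the real import layout may differ);
  * the generic metadata value follows the syntax described in the post:
    'SELECT <entity> = <member>,<member>' (comma between members, no spaces)
    and '|' between SELECTs on different entities. The exact keyword spelling
    and the spacing around '=' are assumed, not confirmed by the post.
"""
import csv
import io

# Constructed sample of the member codes that exist in each Board entity.
ENTITY_MEMBERS = {
    "TERRITORY LVL 2": {"EMEA", "APAC", "NA"},
    "LOBS LVL 1": {"RETAIL", "CORP"},
    "PRODUCT LVL 3": {"P100", "P200", "P300"},
}


def validate_members(entity, members, catalog=ENTITY_MEMBERS):
    """Return a list of problems for one entity selection (empty list = OK).

    An unknown member code is what yields the 'Not Found' warning quoted in the
    comments below: the script runs, but the selection resolves to nothing.
    """
    problems = []
    if entity not in catalog:
        problems.append(f"unknown entity {entity!r}")
        return problems
    if not members:
        problems.append(f"empty selection on {entity!r}")
    for code in members:
        if code != code.strip():
            problems.append(f"member {code!r} on {entity!r} has surrounding spaces")
        elif code not in catalog[entity]:
            problems.append(f"member {code!r} not found in {entity!r}")
    return problems


def build_generic_metadata(selections, catalog=ENTITY_MEMBERS):
    """Serialise {entity: [members]} into one generic metadata string (section 3.2).

    Raises ValueError instead of emitting a value that would break the DB profile.
    """
    problems = [p for e, m in selections.items() for p in validate_members(e, m, catalog)]
    if problems:
        raise ValueError("; ".join(problems))
    return "|".join(f"SELECT {e} = {','.join(m)}" for e, m in selections.items())


def classify_users(users, required_fields):
    """Split users into those who can use the var()-based DB profile and those who
    must get the unrestricted role because a metadata field is empty (section 3.1).
    """
    restricted, unrestricted = [], []
    for user in users:
        if all(user.get(f) for f in required_fields):
            restricted.append(user["Account Name"])
        else:
            unrestricted.append(user["Account Name"])
    return restricted, unrestricted


def build_import_csv(users, fieldnames):
    """Render the user import CSV. csv.DictWriter quotes any value containing the
    delimiter, so a multi-member selection like 'EMEA,APAC' stays one field.
    """
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames, lineterminator="\n")
    writer.writeheader()
    writer.writerows(users)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed users: alice has a multi-entity generic selection; bob has an
    # empty TERRITORY field and therefore must not get the var()-based profile.
    users = [
        {"Account Name": "alice", "TERRITORY LVL 2": "EMEA", "LOBS LVL 1": "RETAIL",
         "GENERIC": build_generic_metadata({"TERRITORY LVL 2": ["EMEA", "APAC"],
                                            "PRODUCT LVL 3": ["P100"]})},
        {"Account Name": "bob", "TERRITORY LVL 2": "", "LOBS LVL 1": "CORP", "GENERIC": ""},
    ]
    fields = ["Account Name", "TERRITORY LVL 2", "LOBS LVL 1", "GENERIC"]
    print(classify_users(users, ["TERRITORY LVL 2", "LOBS LVL 1"]))
    print(build_import_csv(users, fields))
```

Run the check before every import: a member code that exists in the spreadsheet but not in the Board entity, or a stray space after a comma, silently turns a restriction into an empty selection, which is exactly the "Not Found" symptom discussed in the comments.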

Comments

  • Thanks @Abdelhadi Babaali for this content!

  • Hello,

    Could you please add more info for an on-premise installation?

    We have created a new metadata field named "test", then in DB security we have SELECT my_entity = var(test)

    but it results in the following error:

    Warning! <my_entity = CLAIM_VALUE_NOT_FOUND> Not Found

    thx

    julien

  • Hello Julien,

    Thanks for this comment.

    The on-premise configuration is exactly the same as cloud.

    Looking at the error message, it seems that the code you have in the metadata field does not exist in the entity "my_entity".

    Thanks,

    Abdelhadi

  • Hi Abdelhadi,

    The issue seems to be on the user metadata side and not on the entity side. Board is not able to query the user metadata.

    In your example, each user metadata field has an additional field named "variable name". In an on-premise installation this field does not exist, so I don't know exactly what the name of the variable is.

  • Jannik Schiller

    Great post. Thanks for that.

    What about technical limits like the amount of entity elements? How many elements can be stored for instance in the Territory parameter? Imagine you have 20000 territories for one user? Is there a chance to script that? 😅

  • Julian Weber

    Hi Abdelhadi,

    I got the same warning as Julien and checked and verified the code within the metadata and also in the entity. What is the solution, then?
    BR

  • Hi Julien and Julian,

    I just checked with the product team: unfortunately the "variable" feature exists only on the Subscription Hub, so for cloud only, since the SubHub doesn't exist for on-premise.

    Thanks,

    Best.

  • Abdelhadi Babaali
    edited April 2023

    Hi Jannik,

    Thanks for your comment, good question, but I don't have any idea about the limits on the number of elements; I'll let the product team give us more insights.
    Anyway, when we have such a large entity, it is not good practice to apply security at that detailed level (whether with a script or not); it is better to apply it at an aggregated level for easier management and maintenance.

    Thanks,

    Best.

  • Hi Abdelhadi,

    Thanks for the info.

    Is it possible to ask the product team to add this "variable" field to the ON PREMISE installation in a future version, in the SYS ADMIN ⇒ USER METADATA screen?

    Regards

    julien

  • Hello @Julien CARDON,

    Using an on-premise installation with traditional security, you can set the user's security selection directly within the user accounts