This collection provides views to support both the Static and Dynamic row-level user security models described in Patterns for Row-Level User Security.
Views in this Collection
- rls_UserStudentDataAuthorization View
- rls_UserAuthorization View
- rls_UserDim View
- rls_StudentDataAuthorization View
- rls_InsertStaffClassificationDescriptorScope Stored Procedure
- rls_RemoveStaffClassificationDescriptorScope Stored Procedure
- rls_ViewStaffClassificationDescriptorScope View
Install using the option code "RLS"
For more information, see the AMT Deployment Guide.
The ODS does not provide a means for explicit mapping between a staff person or job title and the types of scope envisioned in this proposal. Implementers will therefore need to map staff to scopes, preferably through job title / classification. The Descriptor Mapping tables support this through mapping of Staff Classification descriptor values to the following Descriptor Constants:
As described in the Analytics Middle Tier Deployment Guide, a set of stored procedures is available to aid in maintaining the mapping of classifications to scopes. Those using the RLS collection will need to identify the staff classifications that should be mapped to each of these three scopes and insert rows into the analytics_config.DescriptorMap table accordingly (possibly using the analytics_config.rls_InsertStaffClassificationDescriptorScope stored procedure). For example, the following query lists the staff classifications in the default Ed-Fi template:
Then for each staff classification, decide what scope, if any, to provide. The following table lists potential scope mappings - please analyze carefully before applying in your situation.
|Support Services Staff
|none (system is not designed for state use)
|LEA System Administrator
And each of these can be set up with a SQL stored procedure call like the following:
Shared Instance Security Warning
The Row-Level Security collection requires an end date to be published on employment records to accurately reflect what staff are allowed to see. A missing end date can cause a security risk in Shared Instances. Any staff members missing employment dates may be able to inappropriately continue seeing student data if they move to another district in the same shared instance.
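An audit for the condition this warning describes, as an added example rather than code from the Analytics Middle Tier: it flags open-ended employment records for staff who were later hired by another district in the same instance. The `staff_employment` table, its columns, and the sample rows are constructed for illustration and are not the ODS schema.

```python
import sqlite3

# Constructed sample rows: (staff_id, district_id, hire_date, end_date).
# Table and column names are hypothetical, not the ODS schema.
SAMPLE_ROWS = [
    (101, "District A", "2019-08-01", "2021-06-30"),  # closed out properly
    (101, "District B", "2021-08-01", None),          # current position
    (102, "District A", "2018-08-01", None),          # never end-dated
    (102, "District B", "2022-08-01", None),          # moved within the instance
    (103, "District A", "2020-08-01", None),          # single open record, expected
]

# An open-ended record is suspect when the same person was hired later
# by a different district in the same shared instance.
AUDIT_SQL = """
SELECT stale.staff_id, stale.district_id, stale.hire_date,
       newer.district_id, newer.hire_date
FROM staff_employment AS stale
JOIN staff_employment AS newer
  ON newer.staff_id = stale.staff_id
 AND newer.district_id <> stale.district_id
 AND newer.hire_date > stale.hire_date
WHERE stale.end_date IS NULL
ORDER BY stale.staff_id, stale.hire_date
"""

def find_stale_open_employment(rows):
    """Return open-ended records superseded by a later hire in another district."""
    conn = sqlite3.connect(":memory:")
    try:
        conn.execute(
            "CREATE TABLE staff_employment ("
            "staff_id INTEGER, district_id TEXT, hire_date TEXT, end_date TEXT)"
        )
        conn.executemany("INSERT INTO staff_employment VALUES (?, ?, ?, ?)", rows)
        return conn.execute(AUDIT_SQL).fetchall()
    finally:
        conn.close()

if __name__ == "__main__":
    for sid, old_d, old_hire, new_d, new_hire in find_stale_open_employment(SAMPLE_ROWS):
        print(f"staff {sid}: open record in {old_d} since {old_hire}, "
              f"hired by {new_d} on {new_hire}")
```

Records returned by the audit are the ones to end-date before relying on the RLS views in a shared instance.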