User Tools

Site Tools


kona_auth

TOGA 개발자 에서 권한 설정 참고

소유자

  • 소유자는 해당하는 포털 혹은 메뉴, 레포트의 소유를 나타낸다.
  • 소유자는 사용자를 추가하는 것과 비슷할 수 있지만 좀 더 명확한 의미에서 소유자를 나타낸다.

권한 상속

  • 상위 PARENT 의 권한을 상속 받는 개념이며 중간에 권한 상속의 체크가 없을때까지의 상위의 권한을 상속 받는다.
  • PARENT 를 따라 올라가다 권한상속 체크가 없는 PARENT 를 만나면 해당 PARENT 의 권한만을 상속 받으며
  • 해당 PARENT 의 하위에 있는 권한상속 체크가 되어있는 권한은 모두 합하여 하위에서 상속을 받는다.

사용자 추가

  • 사용자를 추가하거나 그룹, 역활 들을 추가 할 수 있다.
  • 특정 사용자만 접근을 허용하거나 하는 제한이 필요할때 사용도 가능.

사용 권한

  • 사용자를 추가한 후 선택을 하면 해당 사용자에 대한 권한을 지정할 수 있다.
  • 기본적으로 해당 포털 혹은 메뉴 , 레포트에는 관리 권한이 빠질 수 없다.(필수)

추가 사항

  • 권한 상속을 하지 않고 사용하고자 할 경우에 필수로 ROLE_USER 나 ROLE_SYSTEM_ADMIN 혹은 두개 다 역활을 등록 해줘야한다.
  • 역활이 없을경우 몇가지 상황에서 접근 제한 오류가 발생함.
  • 사용자에게 역활이 있는것과 역활을 직접 추가 하는것은 다름. 사용자에게 역활이 있으니 역활 등록을 안하는것은 안됩니다.
  • ROLE_SYSTEM_ADMIN을 추가하지 않으면 권한상속을 헤재 할수 없도록 수정(2016년)

SQL을 통한 권한 별 조건 확인

/* 동적 그룹별 유저목록 */
 
WITH TEMP1 AS(--user.xml 에 정의된 항목들
      SELECT 'id'                  AS CODE, '아이디'              AS NAME FROM DUAL UNION ALL
      SELECT 'name'                AS CODE, '이름'                AS NAME FROM DUAL UNION ALL
      SELECT 'USER_FLAG'           AS CODE, '추가사용자'          AS NAME FROM DUAL UNION ALL
      SELECT 'EMPCODE'             AS CODE, '사원번호'            AS NAME FROM DUAL UNION ALL
      SELECT 'EMPNAME'             AS CODE, '사원명'              AS NAME FROM DUAL UNION ALL
      SELECT 'ISADMIN'             AS CODE, 'BPM관리자여부'       AS NAME FROM DUAL UNION ALL --1,0
      SELECT 'ISCONSORTIUMMANAGER' AS CODE, '컨소시엄관리자여부'  AS NAME FROM DUAL UNION ALL --1,0
      SELECT 'GLOBALCOM'           AS CODE, '회사명'              AS NAME FROM DUAL UNION ALL
      SELECT 'JIKNAME'             AS CODE, '직급'                AS NAME FROM DUAL UNION ALL
      SELECT 'PARTCODE'            AS CODE, '부서코드'            AS NAME FROM DUAL UNION ALL
      SELECT 'POSITION'            AS CODE, 'POSITION'            AS NAME FROM DUAL UNION ALL
      SELECT 'JOB'                 AS CODE, 'JOB'                 AS NAME FROM DUAL UNION ALL
      SELECT 'POSITION_NAME'       AS CODE, 'POSITION_NAME'       AS NAME FROM DUAL 
)
, TEMP2 AS(
     SELECT GROUP_ID ,     -- 동적그룹
            ATTR_NAME,     -- 사용자속성  NULL: 폴더
            CRITERIA,      --비교기준  = , >
            ATTR_VALUE,    --조건값
            RULE_ID,
            RULE_TYPE,     --CL: 폴더, CR: 조건
            RULE_DESC,
            PARENT_ID,
            CLAUSE,        --AND , OR
            IS_NEG,        --부정여부
            SEQ
      FROM KONA_DGROUP_RULE 
     WHERE 1= 1
--    AND GROUP_ID = 'GIO_FNF_비재무'
     ORDER BY GROUP_ID,
              PARENT_ID NULLS FIRST,
              SEQ
)
SELECT  DECODE(ATTR_NAME,NULL,GROUP_ID,'  ㄴ '||GROUP_ID) AS GROUP_ID,
        TEMP1.NAME AS ATTR_NAME,
        DECODE(CRITERIA,'AO1','=',CRITERIA) CRITERIA,
        ATTR_VALUE,
        RULE_DESC,
        CLAUSE
   FROM TEMP2 
        LEFT OUTER JOIN TEMP1
     ON TEMP2.ATTR_NAME=TEMP1.CODE
;
 
 
 
 
/* 그룹별 유저목록 */
WITH TEMP AS (
SELECT GROUP_ID,
       GROUP_NAME,
       GROUP_DESC,
       '1' AS ORD
  FROM KONA_GROUP
UNION ALL
SELECT A.GROUP_ID,
       A.USER_ID,
       B.EMPNAME,
       '2' AS ORD
FROM KONA_GROUP_USER A 
     JOIN EMPTABLE B
     ON A.USER_ID = B.EMPCODE
)
SELECT DECODE(ORD,'1', GROUP_ID,'2','  ㄴ '||GROUP_ID) GROUPP,
       GROUP_NAME,
       GROUP_DESC       
  FROM TEMP
 ORDER BY GROUP_ID,
          ORD,
          GROUP_NAME
  ;
 
/* 그룹별 ROLE */
WITH TEMP1 AS (
  SELECT 'ROLE_PORTAL_ADMIN'        AS CODE, '포털관리권한'             AS LABEL FROM DUAL UNION
  SELECT 'ROLE_POWER_USER'          AS CODE, '고급사용자(관리자로그인)' AS LABEL FROM DUAL UNION
  SELECT 'ROLE_MART_ADMIN'          AS CODE, '데이타마트관리권한'       AS LABEL FROM DUAL UNION
  SELECT 'ROLE_META_ADMIN'          AS CODE, '메타데이타관리권한'       AS LABEL FROM DUAL UNION
  SELECT 'ROLE_USER'                AS CODE, '일반사용자(로그인권한)'   AS LABEL FROM DUAL UNION
  SELECT 'ROLE_UNIVERSE_ADMIN'      AS CODE, '유니버스관리권한'         AS LABEL FROM DUAL UNION
  SELECT 'ROLE_MEETING_MEMO_WRITER' AS CODE, '회의체시트메모작성권한'   AS LABEL FROM DUAL UNION
  SELECT 'ROLE_KPI_ADMIN'           AS CODE, 'KPI사용권한'              AS LABEL FROM DUAL UNION
  SELECT 'ROLE_LOG_ADMIN'           AS CODE, '로그관리권한'             AS LABEL FROM DUAL UNION
  SELECT 'ROLE_CONFIG_ADMIN'        AS CODE, '환경설정관리권한'         AS LABEL FROM DUAL UNION
  SELECT 'ROLE_SYSTEM_ADMIN'        AS CODE, '시스템관리자'             AS LABEL FROM DUAL UNION
  SELECT 'ROLE_REPORT_ADMIN'        AS CODE, '레포트관리권한'           AS LABEL FROM DUAL UNION
  SELECT 'ROLE_OWNER'               AS CODE, '객체소유자'               AS LABEL FROM DUAL UNION
  SELECT 'ROLE_SECURITY_ADMIN'      AS CODE, '보안 관리권한'            AS LABEL FROM DUAL 
)
, TEMP2 AS(
  SELECT GROUP_ID, ROLE_ID FROM KONA_GROUP_AUTH 
)
SELECT TEMP2.GROUP_ID, 
       TEMP2.ROLE_ID ,
       TEMP1.LABEL
  FROM TEMP2 
       LEFT OUTER JOIN TEMP1
    ON TEMP2.ROLE_ID=TEMP1.CODE
  ORDER BY GROUP_ID
 
;
/* 동적그룹별 ROLE */
WITH TEMP1 AS (
  SELECT 'ROLE_PORTAL_ADMIN'        AS CODE, '포털관리권한'             AS LABEL FROM DUAL UNION
  SELECT 'ROLE_POWER_USER'          AS CODE, '고급사용자(관리자로그인)' AS LABEL FROM DUAL UNION
  SELECT 'ROLE_MART_ADMIN'          AS CODE, '데이타마트관리권한'       AS LABEL FROM DUAL UNION
  SELECT 'ROLE_META_ADMIN'          AS CODE, '메타데이타관리권한'       AS LABEL FROM DUAL UNION
  SELECT 'ROLE_USER'                AS CODE, '일반사용자(로그인권한)'   AS LABEL FROM DUAL UNION
  SELECT 'ROLE_UNIVERSE_ADMIN'      AS CODE, '유니버스관리권한'         AS LABEL FROM DUAL UNION
  SELECT 'ROLE_MEETING_MEMO_WRITER' AS CODE, '회의체시트메모작성권한'   AS LABEL FROM DUAL UNION
  SELECT 'ROLE_KPI_ADMIN'           AS CODE, 'KPI사용권한'              AS LABEL FROM DUAL UNION
  SELECT 'ROLE_LOG_ADMIN'           AS CODE, '로그관리권한'             AS LABEL FROM DUAL UNION
  SELECT 'ROLE_CONFIG_ADMIN'        AS CODE, '환경설정관리권한'         AS LABEL FROM DUAL UNION
  SELECT 'ROLE_SYSTEM_ADMIN'        AS CODE, '시스템관리자'             AS LABEL FROM DUAL UNION
  SELECT 'ROLE_REPORT_ADMIN'        AS CODE, '레포트관리권한'           AS LABEL FROM DUAL UNION
  SELECT 'ROLE_OWNER'               AS CODE, '객체소유자'               AS LABEL FROM DUAL UNION
  SELECT 'ROLE_SECURITY_ADMIN'      AS CODE, '보안 관리권한'            AS LABEL FROM DUAL 
)
, TEMP2 AS(
  SELECT GROUP_ID, ROLE_ID FROM KONA_DGROUP_AUTH 
)
SELECT TEMP2.GROUP_ID, 
       TEMP2.ROLE_ID ,
       TEMP1.LABEL
  FROM TEMP2 
       LEFT OUTER JOIN TEMP1
    ON TEMP2.ROLE_ID=TEMP1.CODE
  ORDER BY GROUP_ID
  ;

SQL을 통한 포탈의 권한 확인

WITH TEMP AS (
SELECT * FROM 
      (SELECT MENU_ID
           , MENU_NM
           , PORTAL_ID
           , TYPE
           , MENU_URL
           , PARENT_ID
           , IS_VISIBLE
           , SEQ
           , '1' AS GUBUN
       FROM KONA_PORTAL_MENU
      WHERE TYPE = 'MENU'
        AND PORTAL_ID = 'P0003'
--        AND IS_VISIBLE = 'Y'
      UNION 
      SELECT MENU_ID
           , MENU_NM
           , PORTAL_ID
           , TYPE
           , MENU_URL
           , PARENT_ID
           , IS_VISIBLE
           , SEQ
           , '2' AS GUBUN
       FROM KONA_PORTAL_MENU
      WHERE TYPE = 'REPORT'
        AND PORTAL_ID = 'P0003'
--        AND IS_VISIBLE = 'Y'
        ) MENU
)
, TEMP2 AS(
SELECT PORTAL_ID
     , MENU_ID
     , LEVEL LV
     , SYS_CONNECT_BY_PATH('('||SUBSTR(TYPE,0,1)||')'||MENU_NM,'>>') MENU_NM
--     , TYPE
     , MENU_URL
     , PARENT_ID
     , IS_VISIBLE
     , SEQ
     , GUBUN
  FROM TEMP 
START WITH PARENT_ID IS NULL
CONNECT BY PRIOR MENU_ID =  PARENT_ID
ORDER SIBLINGS BY GUBUN DESC, SEQ
)
, TEMP3 AS (
SELECT 
       MENU.PORTAL_ID
     , MENU.MENU_ID
     , MENU.LV
     , MENU.MENU_NM
--     , MENU.TYPE
     , MENU.MENU_URL
     , MENU.PARENT_ID
     , MENU.IS_VISIBLE
     , MENU.SEQ
     , MENU.GUBUN
     , AC.OBJ_ID
     , AC.ACL_ID
     , AC.OBJ_TYPE
     , AC.INHERIT 
     , AC.ACE_ID
     , AC.SID
     , AC.SID_TYPE
     , AC.AUD_SUC
     , AC.AUD_FAIL
     , AC.GRANT_MASK
     , AC.REJECT_MASK
     , AC.ACE_SEQ
  FROM TEMP2 MENU
,(
      SELECT ACL.OBJ_ID
           , ACL.ACL_ID
           , ACL.OBJ_TYPE
           , ACL.INHERIT 
           , ACE.ACE_ID
           , ACE.SID
           , ACE.SID_TYPE
           , ACE.AUD_SUC
           , ACE.AUD_FAIL
           , ACE.GRANT_MASK
           , ACE.REJECT_MASK
           , ACE.SEQ AS ACE_SEQ
        FROM KONA_ACL ACL
           , KONA_ACE ACE
      WHERE ACL.ACL_ID= ACE.ACL_ID
        AND ACL.OBJ_TYPE IN ('com.eyeq.kona.model.portal.PortalMenu'
                           , 'com.eyeq.kona.model.portal.Portal'
                           , 'com.eyeq.kona.model.report.Report'
                           , 'com.eyeq.kona.model.report.ReportCategory')
     ORDER BY 
             CASE WHEN ACE.SID_TYPE='R' THEN '1_R'
                  WHEN ACE.SID_TYPE='D' THEN '2_G'
                  WHEN ACE.SID_TYPE='G' THEN '3_D'
                  WHEN ACE.SID_TYPE='P' THEN '4_P'
             ELSE ACE.SID_TYPE 
             END DESC
                  ) AC
WHERE MENU.MENU_ID = AC.OBJ_ID(+)
)
SELECT PORTAL_ID
     , MENU_ID
     , MENU_NM
--     , TYPE                    --메뉴 OR 레포트
     , IS_VISIBLE                --사용자서비스에서보임여부
     , INHERIT                   --상속여부 수정전:NULL, 
     , SID                       --권한대상
     , CASE WHEN SID_TYPE='G' THEN '그룹권한'
            WHEN SID_TYPE='D' THEN '동적그룹권한'
            WHEN SID_TYPE='R' THEN 'ROLE권한'
            WHEN SID_TYPE='P' THEN '유저권한'
        ELSE SID_TYPE
        END AS SID_TYPE          --권한종류       
     , CASE WHEN GRANT_MASK=1 THEN '읽기허용'
            WHEN GRANT_MASK=2 THEN '읽기허용'
            WHEN GRANT_MASK=4 THEN '생성허용'
            WHEN GRANT_MASK=8 THEN '삭제허용'
            WHEN GRANT_MASK=15 THEN '읽기,쓰기,생성,삭제허용'
            WHEN GRANT_MASK=16 THEN '관리허용'
            WHEN GRANT_MASK=23 THEN '읽기,쓰기,생성,관리허용'
            WHEN GRANT_MASK=31 THEN '읽기,쓰기,생성,삭제,관리허용'
      ELSE NULL
      END AS GRANT_MASK_DESC     --허용
     , CASE WHEN REJECT_MASK=1 THEN '읽기거부'
            WHEN REJECT_MASK=2 THEN '읽기거부'
            WHEN REJECT_MASK=4 THEN '생성거부'
            WHEN REJECT_MASK=8 THEN '삭제거부'
            WHEN REJECT_MASK=15 THEN '읽기,쓰기,생성,삭제거부'
            WHEN REJECT_MASK=16 THEN '관리거부'
            WHEN REJECT_MASK=23 THEN '읽기,쓰기,생성,관리거부'
            WHEN REJECT_MASK=31 THEN '읽기,쓰기,생성,삭제,관리거부'
      ELSE NULL
      END AS REJECT_MASK_DESC   --거부 
FROM TEMP3
;
kona_auth.txt · Last modified: 2017/01/26 14:25 by khjang