I have created a row-level security filter on an entity – e.g. the currently logged-in user can see only his invoices.
I would like the admin to be able to see all the invoices, while other users can see only their own ones.
The role level security can be triggered by defining a specific application role.
I would call the application role e.g. Data_Invoices_All and assign it to the Admin.
But then it produces just the opposite of what I would expect. The only one who is not able to see all the invoices is the root, because the security filter is applied only to the application role.
I can imagine a couple of solutions, but none of them is good enough:
Define an application role called e.g. DATA_Invoice_OnlyMy and assign it to all except the Admin. The problem is then that when somebody creates a new UserRole and forgets to assign the DATA_Invoice_OnlyMy application role, the users could see all the invoices.
Make a special menu item for the Admin (depending on e.g. FRM_All_invoices) and use another data structure with row level security turned off. The downside of this approach is the necessity to maintain two very similar datasets, and also in my particular use case I can’t afford to switch off all security filters because I need other ones to be applied.
Is there some more elegant solution? E.g. somehow define that the row level security rule is applied if you are not in some role?
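
Added example, not part of the original post and not the platform's own API: a Python model of the two role-gating choices discussed above. It shows that gating the filter on DATA_Invoice_OnlyMy fails open when a new UserRole misses the assignment, while gating the exemption on Data_Invoices_All fails closed. The users, invoices and function names are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    number: str
    owner: str


@dataclass(frozen=True)
class User:
    name: str
    app_roles: frozenset  # application roles the user gets through a UserRole


# Constructed sample data. carol belongs to a newly created UserRole
# to which nobody assigned any invoice-related application role.
INVOICES = [Invoice("INV-1", "alice"), Invoice("INV-2", "bob"),
            Invoice("INV-3", "carol")]
USERS = [User("admin", frozenset({"Data_Invoices_All"})),
         User("alice", frozenset({"DATA_Invoice_OnlyMy"})),
         User("carol", frozenset())]


def visible_restrict_role(user, invoices, role="DATA_Invoice_OnlyMy"):
    """Filter applies only to holders of `role`; everyone else is unfiltered."""
    if role in user.app_roles:
        return [i for i in invoices if i.owner == user.name]
    return list(invoices)  # missing assignment -> all rows (fails open)


def visible_exempt_role(user, invoices, role="Data_Invoices_All"):
    """Filter applies to everyone except holders of `role`."""
    if role in user.app_roles:
        return list(invoices)
    return [i for i in invoices if i.owner == user.name]  # fails closed


def audit_unfiltered(users, invoices, visible, allowed):
    """Names of users outside `allowed` who can read rows they do not own."""
    return sorted(u.name for u in users
                  if u.name not in allowed
                  and any(i.owner != u.name for i in visible(u, invoices)))


if __name__ == "__main__":
    for rule in (visible_restrict_role, visible_exempt_role):
        print(rule.__name__, audit_unfiltered(USERS, INVOICES, rule, {"admin"}))
```

The same audit function can be run over a real export of users and role assignments to find accounts that currently bypass the filter.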