I have created a row-level security filter on an entity, e.g. the currently logged-in user can see only his invoices.
I would like the admin to be able to see all the invoices, while other users can see only their own.
The role level security can be triggered by defining a specific application role.
I would call the application role e.g. Data_Invoices_All and assign it to the Admin.
But then it produces just the opposite of what I would have expected. The only one who is not able to see all the invoices is the root, because the security filter is applied only to the application role DATA_Invoices_All.
I can imagine a couple of solutions, but none of them is good enough:
- Define an application role called e.g. DATA_Invoice_OnlyMy and assign it to everyone except Admin. The problem is that when somebody creates a new UserRole and forgets to assign the DATA_Invoice_OnlyMy application role, the users could see all the invoices.
- Make a special menu item for the Admin (depending on e.g. FRM_All_invoices) and use another data structure with row level security turned off. The downside of this approach is the necessity to maintain two very similar datasets, and in my particular use case I can't afford to switch off all security filters because I need the other ones to be applied.
Is there some more elegant solution? E.g. somehow define, that the row level security rule is applied if you are not in some role?
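
The difference between the first workaround and a rule that applies "if you are not in some role", as an added example that is not part of the original post and does not use the platform's API. It is a Python model in which only the role names come from the post; the invoice data, the NewRole user role and all function names are constructed for illustration.

```python
# Constructed model of the two policies; NOT the platform's API.
# Only the role names come from the post; data and functions are hypothetical.
INVOICES = [
    {"id": 1, "owner": "alice"},
    {"id": 2, "owner": "bob"},
    {"id": 3, "owner": "carol"},
]

# User role -> application roles it grants. "NewRole" was created later and
# nobody attached a DATA_* application role to it.
USER_ROLES = {
    "Admin": {"DATA_Invoices_All"},
    "Clerk": {"DATA_Invoice_OnlyMy"},
    "NewRole": set(),
}

def _ids(rows):
    return [row["id"] for row in rows]

def _own(user):
    return [row for row in INVOICES if row["owner"] == user]

def visible_opt_in(user, user_role):
    """Workaround 1: filter only holders of DATA_Invoice_OnlyMy (fails open)."""
    if "DATA_Invoice_OnlyMy" in USER_ROLES[user_role]:
        return _ids(_own(user))
    return _ids(INVOICES)

def visible_exempt(user, user_role):
    """Filter everyone who does NOT hold DATA_Invoices_All (fails closed)."""
    if "DATA_Invoices_All" in USER_ROLES[user_role]:
        return _ids(INVOICES)
    return _ids(_own(user))

def overexposed(policy, user="bob"):
    """Non-admin user roles under which `user` can read someone else's invoice."""
    own = set(_ids(_own(user)))
    return sorted(
        role for role in USER_ROLES
        if role != "Admin" and set(policy(user, role)) - own
    )

if __name__ == "__main__":
    print("opt-in restriction :", overexposed(visible_opt_in))
    print("exempt-role filter :", overexposed(visible_exempt))
```

Running `overexposed` over the real role assignments after every role change is a cheap audit for the forgotten-assignment case, whichever policy the platform ends up supporting.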