ROLE NAMING AND CREATION
The role naming standard is based upon the Role Based Access Control (RBAC) security model and the IDIR naming standard and should be consistently applied across platforms, databases and users within DataBC.
This page describes the information required to:
- request a new role, including the timeline for fulfilling the request
- implement roles, including the role types, naming requirements and access types
- grant IDIR users and proxies to roles
AUDIENCE | | |
---|---|---|
Data Managers | Database Administrators | Application Administrators |
ROLE CREATION REQUEST
To request a new role to access a dataset in the BCGW, please open a ticket with the Data Systems & Services request system, using the ‘Other’ option with the Subject of Request: BCGW Role Access. In the description, please specify:
- the schema and object name
- the role name (if it already exists)
- IDIR(s) for the people that require access
These requests primarily result from net new data publications to the BCGW where named user security is required for application access. Schema level roles will already exist unless a new schema is being created for an internal application.
All BCGW objects being modelled in the DataBC repository should indicate which role(s) they will be granted to. Therefore, requests for new roles should be made before the physical modelling is complete.
Timelines
Depending on existing requests and staff availability, new role requests may take up to 10 business days to be completed. If there is a requirement to have it completed in fewer than 10 business days, please open a ticket with the Data Systems & Services request system, using the ‘Other’ option with the Subject of Request: BCGW Role Access - Urgent.
ROLE IMPLEMENTATION
- Roles are to be created and granted to the same objects in all del/test/prod environments.
- Roles are to be created by the DataBC DAs but, if they are unavailable, can be created by the DataBC DBAs.
- Users are to be granted in the appropriate environments:
  - Del/Test = data managers
  - Prod = data managers and users
Role Types
There are 5 types of standardized roles for both BCGW and DBC Schemas:
- All Schema Level Roles
- Individual Schema Roles
- Specified Named User Roles
- External Application Access Roles
- Internal Application Access Roles
Naming Role Requirements
When naming roles, apply the following requirements:
- Use underscores in place of spaces.
- Use only the characters A-Z, underscore (_) and 0-9.
- Use only upper case.
- Use a maximum of 30 characters, including underscores.
- Use the naming convention segments given for each role type below.
Role Configuration Rollup (diagram; only the role names survived extraction, and % stands for the schema name, as in the examples below). The roles shown, from the All Schema Level roles down to the schema-level roles that roll up into them:
- SRM_WHSE_ALL_GOV
- SRM_WHSE_ALL_PUB
- SRM_WHSE_%_BASE_PUB
- SRM_WHSE_%_USER_GOV
- SRM_REG_ALL_GOV
- SRM_REG_%_USER_GOV
- SRM_REG_ALL_PUB
- SRM_REG_%_BASE_PUB
- SRM_WHSE_ALL_BCEID
- SRM_WHSE_%_USER_BCEID
- SRM_REG_ALL_BCEID
- SRM_REG_%_BCEID
All Schema Level Roles:
The following roles are roll-ups of the individual Schema Level roles. This is the level at which users and proxies are granted, for Pub, Gov or BCeID: <SRM_WHSE_ALL>_<ACCESS TYPE>
Examples:
Security Description | Current Role Names | Future Role Names* |
---|---|---|
Public | SRM_WHSE_ALL_PUB includes SRM_REG_ALL_PUB | WHSE_ALL_PUB |
IDIR | SRM_WHSE_ALL_GOV includes SRM_REG_ALL_GOV | WHSE_ALL_GOV |
IDIR and BCeID | SRM_WHSE_ALL_BCEID includes SRM_REG_ALL_BCEID | WHSE_ALL_BCEID |
- * Future All role names have not yet been updated to match current naming standards
- These roles denote the security configuration required for application and services access
- Public and BCeID users cannot access the BCGW directly
Schema Level Roles:
The following format is applied to any new WHSE/REG schema: <SCHEMA>_<ACCESS TYPE>
Examples:
Security Description | BCGW Schema | Current Role Names | Future Role Names |
---|---|---|---|
Public | WHSE_BASEMAPPING | SRM_WHSE_BASEMAPPING_BASE_PUB | WHSE_BM_PUB |
IDIR | WHSE_BASEMAPPING | SRM_WHSE_BASEMAPPING_USER_GOV | WHSE_BM_GOV |
IDIR and BCeID | WHSE_BASEMAPPING | SRM_WHSE_BASEMAPPING_USER_BCEID | WHSE_BM_BCEID |
Public | REG_LAND_AND_NATURAL_RESOURCE | SRM_REG_LAND_NAT_RES_BASE_PUB | REG_LNR_PUB |
IDIR | REG_LAND_AND_NATURAL_RESOURCE | SRM_REG_LAND_NAT_RES_USER_GOV | REG_LNR_GOV |
IDIR and BCeID | REG_LAND_AND_NATURAL_RESOURCE | SRM_REG_LAND_NAT_RES_BCEID | REG_LNR_BCEID |
- New schema level role names have not yet been updated to match current naming standards
- Not all BCeID roles have been created for all schemas
- Users and Proxies should not be granted at this level
Specified Named User Roles:
The following format is applied as: <SCHEMA>_<PREFIX>_<WHO>_<ACCESS TYPE>
Examples:
Security Description | BCGW Schemas | Example Role Names |
---|---|---|
Named Users of the Emergency Response Team to have read permission to the granted Fresh Water Atlas objects in the WHSE_BASEMAPPING SCHEMA. | WHSE_BASEMAPPING | WHSE_BM_FWA_ERT_USER |
Named Users of custodial data managers who need to see datasets that may only be for application access or used to build other datasets but these objects themselves are not to be used by general named users. | WHSE_ARCHAEOLOGY | WHSE_RAAD_MGR |
External Application Access Roles:
The following format is applied as: <SCHEMA>_<PREFIX>_<WHO>_SELECT
Example:
Security Description | DBC Schemas | Example Role Names |
---|---|---|
For the application MIDA to have select rights on specific objects it can see in the warehouse. | WHSE_MINERAL_TENURE | WHSE_MT_MIDA_SELECT |
Internal Application Access Roles:
Two roles are required for DataBC hosted applications; which one is used depends on the security required:
<SCHEMA>_<PREFIX>_SELECT
<SCHEMA>_<PREFIX>_ADMIN
Example:
Security Description | DBC Schemas | Example Role Names |
---|---|---|
For the application proxy requiring *select* access to its own tables. | APP_ACDF | APP_ACDF_USER |
For the application proxy requiring *R/W* access to its own tables. | APP_ACDF | APP_ACDF_ADMIN |
Schema Short Name Prefix Table
BCGW Schema | Schema Role Prefix |
---|---|
WHSE_ADMIN_BOUNDARIES | WHSE_AB |
WHSE_ARCHAEOLOGY | WHSE_ARCH |
WHSE_BASEMAPPING | WHSE_BM |
WHSE_CADASTRE | WHSE_CAD |
WHSE_CORP | WHSE_CORP |
WHSE_ENVIRONMENTAL_MONITORING | WHSE_EM |
WHSE_ENVIRONMENT_ASSESSMENT | WHSE_EA |
WHSE_ETL_ADMIN | WHSE_ETL |
WHSE_FISH | WHSE_FISH |
WHSE_FOREST_TENURE | WHSE_FT |
WHSE_FOREST_VEGETATION | WHSE_FV |
WHSE_FOREST_VEGETATION_<YEAR> | WHSE_FV_<last two digits of the year> |
WHSE_HUMAN_CULTURAL_ECONOMIC | WHSE_HCE |
WHSE_IMAGERY_AND_BASE_MAPS | WHSE_IBM |
WHSE_LAND_AND_NATURAL_RESOURCE | WHSE_LNR |
WHSE_LAND_USE_PLANNING | WHSE_LUP |
WHSE_LEGAL_ADMIN_BOUNDARIES | WHSE_LAB |
WHSE_MINERAL_TENURE | WHSE_MT |
WHSE_PARKS | WHSE_PARK |
WHSE_REFERENCE | WHSE_REF |
WHSE_REG_COAST | WHSE_REGC |
WHSE_REG_INTERIOR | WHSE_REGI |
WHSE_SOILS | WHSE_SOIL |
WHSE_TANTALIS | WHSE_TANT |
WHSE_TERRESTRIAL_ECOLOGY | WHSE_TE |
WHSE_WASTE | WHSE_WASTE |
WHSE_WATER_MANAGEMENT | WHSE_WATM |
WHSE_WILDLIFE_INVENTORY | WHSE_WLDI |
WHSE_WILDLIFE_MANAGEMENT | WHSE_WLDM |
REG_HUMAN_CULTURAL_ECONOMIC | REG_HCE |
REG_IMAGERY_AND_BASE_MAPS | REG_IBM |
REG_LAND_AND_NATURAL_RESOURCE | REG_LNR |
REG_LEGAL_AND_ADMIN_BOUNDARIES | REG_LAB |
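The naming requirements, the role formats (<SCHEMA>_<ACCESS TYPE>, <SCHEMA>_<PREFIX>_<WHO>_<ACCESS TYPE>, <SCHEMA>_<PREFIX>_<WHO>_SELECT) and the Schema Short Name Prefix Table above are easy to get wrong by hand, and a name that breaks the 30-character limit or the character set will simply fail at creation time. The following is an added example, written for this page and not a DataBC tool: it checks a candidate role name against the four requirements, and builds names from the schema prefix table so that a long schema name such as WHSE_LAND_AND_NATURAL_RESOURCE cannot produce an over-long role. The function names `check_role_name` and `build_role`, the dictionary `SCHEMA_PREFIX` (a constructed subset of the page's table) and the empty-segment check are assumptions of this example.

```python
import re

# Constructed subset of the page's Schema Short Name Prefix Table (BCGW schema -> schema role prefix).
SCHEMA_PREFIX = {
    "WHSE_ARCHAEOLOGY": "WHSE_ARCH",
    "WHSE_BASEMAPPING": "WHSE_BM",
    "WHSE_LAND_AND_NATURAL_RESOURCE": "WHSE_LNR",
    "WHSE_MINERAL_TENURE": "WHSE_MT",
    "REG_LAND_AND_NATURAL_RESOURCE": "REG_LNR",
}

MAX_LEN = 30                            # page: maximum of 30 characters, including underscores
ALLOWED = re.compile(r"^[A-Z0-9_]+$")   # page: only A-Z, 0-9 and underscore


def check_role_name(name: str) -> list:
    """Return the naming-requirement violations for `name`; an empty list means compliant."""
    problems = []
    if len(name) > MAX_LEN:
        problems.append(f"{len(name)} characters, maximum is {MAX_LEN}")
    if name != name.upper():
        problems.append("not upper case")
    if " " in name:
        problems.append("contains spaces (use underscores)")
    stripped = name.upper().replace(" ", "")
    if stripped and not ALLOWED.match(stripped):
        bad = sorted({ch for ch in stripped if not ALLOWED.match(ch)})
        problems.append("disallowed characters: " + "".join(bad))
    # Assumption (not stated on the page): every segment between underscores must be non-empty,
    # otherwise the <SCHEMA>_<PREFIX>_<WHO>_<ACCESS TYPE> segments cannot be told apart.
    if "" in name.split("_"):
        problems.append("empty segment (leading, trailing or doubled underscore)")
    return problems


def build_role(schema: str, *segments: str, access: str) -> str:
    """Build <schema prefix>_<segments...>_<access> and refuse to return a non-compliant name.

    schema level:  build_role("WHSE_BASEMAPPING", access="GOV")                -> WHSE_BM_GOV
    named user:    build_role("WHSE_BASEMAPPING", "FWA", "ERT", access="USER") -> WHSE_BM_FWA_ERT_USER
    external app:  build_role("WHSE_MINERAL_TENURE", "MIDA", access="SELECT")  -> WHSE_MT_MIDA_SELECT
    """
    if schema not in SCHEMA_PREFIX:
        raise ValueError(f"{schema}: no entry in the schema prefix table")
    name = "_".join((SCHEMA_PREFIX[schema], *segments, access)).upper()
    problems = check_role_name(name)
    if problems:
        raise ValueError(f"{name}: " + "; ".join(problems))
    return name


if __name__ == "__main__":
    for n in ("WHSE_BM_GOV", "whse bm-gov", "SRM_WHSE_LAND_AND_NATURAL_RESOURCE_USER_BCEID"):
        print(n, check_role_name(n) or "OK")
    print(build_role("WHSE_BASEMAPPING", "FWA", "ERT", access="USER"))
```

Running the script shows why the prefix table exists: spelling the schema out in full (SRM_WHSE_LAND_AND_NATURAL_RESOURCE_USER_BCEID) is 45 characters, while the abbreviated forms in the tables above all fit within the 30-character limit.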
GRANTING IDIR AND PROXIES
- Grants to users and proxies should be done at the WHSE_ALL_GOV level and to any Specified Named User roles.
  - For initial grants on new datasets loaded to the BCGW, business areas are responsible for providing a list of named users (IDIR) that require direct connect access via tools such as ArcMap, SQL Developer and Toad.
  - This work will be done by the designated staff within the DataBC DAs.
- After the initial setup by DataBC, for additional named users to be granted to the role in the BCGW, the business area should request access via the NRM IT Portal.
  - For those outside the Natural Resource Ministries:
    - Email NRMenquiries@gov.bc.ca with the BCGW account name, or
    - Call (250) 952-6801
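The rule in this section, together with the note under Schema Level Roles that users and proxies are not granted at that level, is something an administrator can check rather than trust. The following is an added example, not a DataBC script: it takes the list of roles and the role-to-role and role-to-account grants (the shape of Oracle's DBA_ROLES and DBA_ROLE_PRIVS views), derives the schema-level roles as the ones that roll up into an All Schema Level role, and reports every account or proxy holding such a role directly. The sample roles, grants and account names are constructed for the example, and the function names `rollup_members` and `audit_direct_grants` are assumptions.

```python
import re

# Matches an All Schema Level role in either the current (SRM_...) or future naming,
# e.g. SRM_WHSE_ALL_GOV, SRM_REG_ALL_PUB, WHSE_ALL_BCEID.
ALL_LEVEL_RE = re.compile(r"^(SRM_)?(WHSE|REG)_ALL_(PUB|GOV|BCEID)$")

# Constructed sample in the shape of DBA_ROLES (role names) and DBA_ROLE_PRIVS
# (grantee, granted_role). Account names are made up for the example.
ROLES = {
    "SRM_WHSE_ALL_GOV", "SRM_REG_ALL_GOV",
    "SRM_WHSE_BASEMAPPING_USER_GOV", "SRM_REG_LAND_NAT_RES_USER_GOV",
    "WHSE_BM_FWA_ERT_USER",
}
GRANTS = [
    ("SRM_WHSE_ALL_GOV", "SRM_WHSE_BASEMAPPING_USER_GOV"),  # schema role rolls up into the All role
    ("SRM_WHSE_ALL_GOV", "SRM_REG_ALL_GOV"),                 # page: SRM_WHSE_ALL_GOV includes SRM_REG_ALL_GOV
    ("SRM_REG_ALL_GOV", "SRM_REG_LAND_NAT_RES_USER_GOV"),
    ("JDOE", "SRM_WHSE_ALL_GOV"),                     # compliant: granted at the All level
    ("JDOE", "WHSE_BM_FWA_ERT_USER"),                 # compliant: Specified Named User role
    ("ASMITH", "SRM_WHSE_BASEMAPPING_USER_GOV"),      # violation: user holds a schema-level role
    ("PROXY_MIDA", "SRM_REG_LAND_NAT_RES_USER_GOV"),  # violation: proxy holds a schema-level role
]


def rollup_members(roles, grants):
    """Return the schema-level roles: every role that rolls up, directly or through another
    role, into an All Schema Level role (the roll-up is itself recorded as a role-to-role grant)."""
    all_level = {r for r in roles if ALL_LEVEL_RE.match(r)}
    members, frontier = set(), set(all_level)
    while frontier:
        parent = frontier.pop()
        for grantee, granted in grants:
            if grantee == parent and granted in roles and granted not in all_level and granted not in members:
                members.add(granted)
                frontier.add(granted)
    return members


def audit_direct_grants(roles, grants):
    """Return (grantee, role) pairs where a user or proxy (any grantee that is not a role)
    holds a schema-level role directly instead of the All level or a named-user role."""
    schema_level = rollup_members(roles, grants)
    return sorted((g, r) for g, r in grants if g not in roles and r in schema_level)


if __name__ == "__main__":
    for grantee, role in audit_direct_grants(ROLES, GRANTS):
        print(f"{grantee} holds {role} directly; grant the All level or a Specified Named User role instead")
```

Deriving the schema-level set from the roll-up grants, rather than from name patterns, keeps the check valid across the current SRM_ names and the future names listed in the tables above, and it is the same relationship the Role Configuration Rollup diagram documents.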