VPA Restrictions and Custom Data Access
The core provides additional API methods and binding expressions to allow application developers to customize how VPA restrictions are applied. Application developers must use the VPA programming guidelines described below when programming any data access code in Java or when creating custom SQL in the AXVW.
For an overview of VPA, see Application-Level Virtual Private Archibus
Implementing Custom Business Logic
When you implement custom business logic in Java, the standard Archibus APIs apply the VPA according to these rules:
- The DataSource API by default applies the VPA to all operations that read the data from the database, unless:
- If the
applyVpaRestrictions
property is set to false, the DataSource API does not use the VPA for any data reads, whether or not custom SQL is used. - Data transfer functions do not support
applyVpaRestrictions
to false - The
SqlUtils API
does not apply the VPA. - The
FieldFormula
andFieldOperation
APIs do not apply the VPA.
You usually do not need to use the VPA in workflow rules implementing custom business logic. For example:
- A user triggers a workflow rule that calculates average sqft/employee for the entire company. The calculation accesses all of the rooms data company wide, even though that particular user does not have access to all of the rooms data. The user will see the aggregated result – the sqft/employee figure – but will still never see the detail data.
- A user triggers a workflow rule that approves a project. The workflow rule may update an associated capital budget to which the user does not have access. The user never sees the capital budget, but the workflow rule still keeps the data in sync.
When developing custom business logic, you need to make a decision: to which category this Java code belongs:
Situation | Action |
---|---|
Producing raw data to be presented in a form or grid | Apply the VPA. |
Producing aggregated data | Typically, you do not need to apply the VPA. |
Implementing a workflow process | Typically, you do not apply the VPA. Exception: when the workflow rule should be executed only on the data that the current user can access |
To disable the VPA in an AXVW datasource, use the applyVpaRestrictions attribute:
<dataSource id="ds0" applyVpaRestrictions="false">
When writing custom SQL queries in the AXVW datasource, the default VPA restriction may be disabled using the >applyVpaRestrictions attribute and the restriction added to the custom SQL query directly using ${sql.vpaRestriction
}:
<dataSource id="ds0" applyVpaRestrictions="false">
<sql dialect="generic">SELECT rm_id FROM rm WHERE ${sql.vpaRestriction}</sql>
...
Examples of VPA programming in the AXVW can be found in ab-ex-report-grid-sql-vpa.axvw.
To customize default VPA restrictions when executing a custom SQL query:
- Disable default VPA restrictions for this DataSource:
DataSource ds = …
// do not apply the VPA restrictions
ds.setApplyVpaRestrictions(false);
- Add the VPA expression to the custom SQL query:
// use the VPA expression in the custom SQL query
// if the current user/role has no VPA, the expression will be resolved as (1=1)
String customSql = “SELECT COUNT(*) … FROM … WHERE … AND (${sql.vpaRestriction})”;
ds.addQuery(customSql);
To customize default VPA restrictions when executing a custom SQL query defined in the AXVW:
- Disable default VPA restrictions for this DataSource:
<dataSource id="ds0" applyVpaRestrictions="false">
- Add the VPA expression to the custom SQL query:
// use the VPA expression in the custom SQL query
// if the current user/role has no VPA, the expression will be resolved as (1=1)
<sql dialect="generic">SELECT COUNT(*) … FROM … WHERE … AND (${sql.vpaRestriction})</sql>
See Also
Add-In Manager/Reference: Binding Expressions/Binding Sources/Binding Sources: SQL
Further examples of VPA programming in the AXVW are found in the following view: