Application roles: Allow consumers to share different views of the same data
As a provider, you can enhance the consumer experience by including application roles in your Declarative Native App. An application role is a credential created within the context of a Declarative Native App. For information about application roles, see About application roles.
Application roles isolate the application's security, so the application's specific security credentials do not need to be managed within the consumer's broader organizational security model. With application roles, the provider can easily control access to application resources, and the consumer account can grant access to application logic and data with simple SQL GRANT statements.
For example, if the application uses an Operations application role to access a logs table, the consumer does not need to maintain that application role outside the context of the application; they only need to know that they can share the application with their support team using the Operations application role.
Using the manifest file, you define application roles, and assign them to content in the app. When the consumer installs the app, they can share the content with their organization members by assigning the application roles to their account roles and users. Consumers can also create hierarchies of application roles by assigning application roles to other application roles.
Application roles let consumers share data with members of their organization in different ways. For example, an application can contain two notebooks that display data, one containing a full view of the data and the other containing a filtered view.
The consumer's app owner can then choose to share the filtered view with the team while keeping access to the full view for themselves.
When you use application roles to allow access to database resources, child resources inherit the roles of their parent resource. For example, if you assign an application role to a schema, all tables and views in that schema inherit that role. If you assign an application role to a database, all schemas, tables, and views in that database inherit that role.
Assign application roles to content in the manifest file
In the manifest file, in the top-level roles field, define the available application roles, for example, sales, marketing, and operations.

roles:
  - sales:
      comment: "The sales role provides access to the filtered view of the sales data."
  - marketing:
      comment: "The marketing role provides access to the filtered view of the marketing data."
  - operations:
      comment: "The operations role provides access to the full view of the data, including logs."
Assign application roles to the content of the manifest file as a list, for example, roles: [sales, support]:

- customer_table:
    roles: [sales,marketing] # Accessible to sales and marketing, app owners
To add a table, add the role to both <named table>.roles and <named schema>.roles for the schema the table is in.

schemas:
  - sales_table:
      roles: [sales]
      tables:
        - sales_table:
            roles: [sales]
To add a view, add the role to both <named view>.roles and <named schema>.roles for the schema the view is in.

schemas:
  - sales_view:
      roles: [sales]
      views:
        - sales_view:
            roles: [sales]
When adding a filtered view of a table, do not add the underlying table; this keeps users from accessing the unfiltered data.
To add a notebook, add the role to <named notebook>.roles, and add the tables and views the notebook references (and their underlying schemas).

notebooks:
  - SALES_NB:
      main_file: ALL-DATA.ipynb
      roles: [sales]
      comment: Accessible to sales and app owners, references full view of the sales data
When adding a notebook that references a filtered view of a table, do not add the underlying table; this keeps users from accessing the unfiltered data.
To give an object no app roles, either leave the field empty ([]) or omit it. These objects are only accessible by the app owner and roles with granted IMPORTED PRIVILEGES.

- my_schema:
    roles: [] # Accessible to app owners only
Example manifest file:
roles:
  - sales:
      comment: "The sales role provides access to the filtered view of the sales data."
  - marketing:
      comment: "The marketing role provides access to the filtered view of the marketing data."
  - operations:
      comment: "The operations role provides access to the full view of the log data."
application_content:
  notebooks:
    - SALES_NB:
        main_file: ALL-DATA.ipynb
        roles: [sales]
        comment: Accessible to sales and app owners, references full view of the sales data
    - MARKETING_NB:
        main_file: FILTERED.ipynb
        roles: [marketing]
        comment: Accessible to marketing and app owners, references filtered view of the marketing data
shared_content:
  databases:
    - my_database:
        schemas:
          - my_schema:
              roles: [] # Accessible to app owners
              tables:
                - sales_table:
                    roles: [sales] # Accessible to sales, app owners
                - marketing_table:
                    roles: [marketing] # Accessible to marketing, app owners
                - customer_table:
                    roles: [sales,marketing] # Accessible to sales and marketing, app owners
                - logs_table:
                    roles: [operations] # Accessible to operations and app owners
              views:
                - sales_view:
                    roles: [sales] # Accessible to sales and app owners
                - marketing_view:
                    roles: [marketing] # Accessible to marketing and app owners
                - customer_view:
                    roles: [sales,marketing] # Accessible to sales, marketing, and app owners
                - operations_view:
                    roles: [operations] # Accessible to operations and app owners
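Because child objects inherit the roles of their schema and database, a role placed on a schema can silently reach a base table that a filtered view was meant to hide. The following added example (not part of this page or of Snowflake's tooling) computes the effective roles per object from a manifest held as Python dicts in the same shape as the YAML above, and flags any role that reaches both a filtered view and its base table; the schema-level operations role and the FILTERED_VIEWS annotation are constructed assumptions.

```python
# Constructed sample in the shape of the page's manifest (lists of single-key
# mappings). It deliberately puts a role on the schema to show inheritance.
MANIFEST = {"shared_content": {"databases": [{"my_database": {"schemas": [
    {"my_schema": {
        "roles": ["operations"],
        "tables": [{"sales_table": {"roles": ["sales"]}},
                   {"logs_table": {"roles": ["operations"]}}],
        "views": [{"sales_view": {"roles": ["sales"]}},
                  {"operations_view": {"roles": ["operations"]}}],
    }}]}}]}}

# Constructed annotation, not a manifest field: which views are filtered
# views of which base table (fully qualified names).
FILTERED_VIEWS = {"my_database.my_schema.sales_view": "my_database.my_schema.sales_table"}


def _items(entries):
    """Yield (name, body) from the manifest's list-of-single-key-mapping style."""
    for entry in entries or []:
        for name, body in entry.items():
            yield name, body or {}


def effective_roles(manifest):
    """Map each database, schema, table and view (fully qualified) to the set of
    application roles that can reach it: its own roles plus the roles
    inherited from its schema and database."""
    eff = {}
    for db, dbody in _items(manifest["shared_content"].get("databases")):
        db_roles = set(dbody.get("roles", []))
        eff[db] = db_roles
        for sc, sbody in _items(dbody.get("schemas")):
            sc_roles = db_roles | set(sbody.get("roles", []))
            eff[f"{db}.{sc}"] = sc_roles
            for kind in ("tables", "views"):
                for obj, obody in _items(sbody.get(kind)):
                    eff[f"{db}.{sc}.{obj}"] = sc_roles | set(obody.get("roles", []))
    return eff


def unfiltered_exposure(manifest, filtered_views):
    """Return {filtered_view: sorted roles} for every role that can reach both
    the filtered view and its base table, directly or through inheritance."""
    eff = effective_roles(manifest)
    return {v: sorted(eff[v] & eff[t]) for v, t in filtered_views.items()
            if eff[v] & eff[t]}


if __name__ == "__main__":
    for obj, roles in sorted(effective_roles(MANIFEST).items()):
        print(f"{obj}: {sorted(roles)}")
    print("exposed:", unfiltered_exposure(MANIFEST, FILTERED_VIEWS))
```

In the sample, sales is flagged because the base table carries the role directly, and operations is flagged only because of the schema-level inheritance; either finding means the consumer's grant of that role would expose the unfiltered data.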
Later, when a consumer installs the app, they have access to the notebooks, tables, and views.
To share the operations view with their support team, they grant the operations application role to their support team's organization role.
GRANT APPLICATION ROLE customer_app.operations TO ROLE support_team_west;
Consumer team members with the support_team_west role can see the logs table, but cannot see the notebooks in the Available Notebooks tab in Snowsight, and cannot access the sales and customers tables and views.
To share the sales view with their sales team, they grant the sales application role to their sales organization role.
GRANT APPLICATION ROLE customer_app.sales TO ROLE sales_team_east;
Consumer team members with the sales_team_east role can see the notebooks in the Available Notebooks tab in Snowsight. They cannot see the logs table, but can access the sales and customers tables and views.
For more information about how consumers share roles, see Share application access.