Namespaces and Permissions

Overview

Namespaces are containers for array data.  The Security Model Overview compares namespaces with Linux directories, and describes how to access arrays in namespaces using qualified and unqualified array names.  This section summarizes the AFL operators that manipulate namespaces, and describes how to grant access rights to namespaces and their contents.

Namespace Operators

This table summarizes the AFL operators that manipulate namespaces.

Operator                 Description
list('namespaces')       List all namespaces in the database.
create_namespace         Create a new namespace.
drop_namespace           Remove a namespace.
set_namespace            Set current working namespace.
show_namespace           Show current working namespace.
move_array_to_namespace  Move an array to a different namespace.

Granting Namespace Access

Only the scidbadmin user account or a member of the admin or operator role can create new namespaces.  Newly created namespaces are empty and cannot be accessed by ordinary user accounts.  To allow access, choose an existing role or create a new one, and set the role's permissions for the new namespace.

Namespace Permission Strings

The set_role_permissions operator links a role to a namespace, specifying which access rights members of the role will have for that namespace.  Access rights are encoded as strings of the single-character codes in the table below.

Code     Permission  Remarks
c        create      Role members can create arrays in the namespace.
r        read        Role members can read array data in the namespace.
l (ell)  list        Role members can list the arrays contained in the namespace.
u        update      Role members can update pre-existing arrays in the namespace.
d        delete      Role members can remove arrays in the namespace.

Example

The example below creates a new namespace samples and two roles, uploader and analyst.  Users in role uploader can create, list, and update arrays in the samples namespace.  Users in role analyst can list and read array data in the samples namespace, but can neither add new array data, nor alter or delete existing data.

AFL% show_user();
{i} name
{0} 'scidbadmin'
AFL% 
AFL% create_namespace(samples);
Query was executed successfully
AFL%
AFL% create_role('uploader');
Query was executed successfully
AFL%
AFL% create_role('analyst');
Query was executed successfully
AFL%
AFL% -- Without quotes, the operator knows "samples" is a namespace. ;
AFL% set_role_permissions('uploader', samples, 'clu');
Query was executed successfully
AFL%
AFL% -- Here we use the more generic string literal form. ;
AFL% set_role_permissions('analyst', 'namespace', 'samples', 'rl');
Query was executed successfully
AFL% 
AFL% show_role_permissions('analyst');
{i} entity,name,permissions
{0} 'namespace','samples','lr'
AFL% show_role_permissions('uploader');
{i} entity,name,permissions
{0} 'namespace','samples','clu'
AFL%

The last step is to add members to the uploader and analyst roles:

AFL% add_user_to_role('data-generator-5000', 'uploader');
Query was executed successfully
AFL% add_user_to_role('betty', 'analyst');
Query was executed successfully
AFL% 

Revoking Namespace Access

There are two ways to revoke access to a namespace.  You can reduce the permissions that a role has for the namespace, or you can remove a user account from membership in roles that have access to the namespace.

Reducing Role Permissions

Here, the database administrator has decided that the uploader role is too permissive.  Really, automated uploads from the Data Generator 5000 lab instrument only need to create new arrays with timestamps in their names.  There is no need to list or update existing arrays.  The administrator can reduce the permissions held by the uploader role to just c, the create permission:

AFL% show_role_permissions('uploader');
{i} entity,name,permissions
{0} 'namespace','samples','clu'
AFL%
AFL% -- 'ns' is an acceptable shorthand for 'namespace' here ; 
AFL% set_role_permissions('uploader', 'ns', 'samples', 'c');
Query was executed successfully
AFL%
AFL% show_role_permissions('uploader');
{i} entity,name,permissions
{0} 'namespace','samples','c'
AFL% 
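
The check behind this reduction can be automated. The Python below is an added example, not part of the SciDB documentation: it parses show_role_permissions output in the format shown above and reports any permission a role holds beyond an allow-list. The function names and the policy dictionary are hypothetical, and the sample output is constructed from the session above.

```python
import re

# Permission codes from the table on this page.
PERMISSION_CODES = {"c": "create", "r": "read", "l": "list", "u": "update", "d": "delete"}

# One data row of show_role_permissions output, e.g. {0} 'namespace','samples','clu'
ROW = re.compile(r"^\{\d+\}\s+'([^']*)','([^']*)','([^']*)'\s*$")


def parse_role_permissions(output):
    """Return {(entity, name): set_of_codes} parsed from show_role_permissions output."""
    grants = {}
    for line in output.splitlines():
        match = ROW.match(line.strip())
        if not match:
            continue  # header row ({i} ...), AFL% prompts, blank lines
        entity, name, codes = match.groups()
        unknown = set(codes) - set(PERMISSION_CODES)
        if unknown:
            raise ValueError(f"unknown permission code(s) {sorted(unknown)} in {line!r}")
        grants[(entity, name)] = set(codes)
    return grants


def excess_permissions(grants, allowed):
    """Return {(entity, name): [permission names]} held beyond the allow-list."""
    findings = {}
    for target, codes in grants.items():
        extra = codes - set(allowed.get(target, ""))  # no policy entry: nothing allowed
        if extra:
            findings[target] = sorted(PERMISSION_CODES[c] for c in extra)
    return findings


# Constructed sample: the uploader role's output before the reduction above.
SAMPLE_OUTPUT = """{i} entity,name,permissions
{0} 'namespace','samples','clu'
"""

# Hypothetical policy: uploader may only create arrays in namespace samples.
UPLOADER_POLICY = {("namespace", "samples"): "c"}

if __name__ == "__main__":
    found = excess_permissions(parse_role_permissions(SAMPLE_OUTPUT), UPLOADER_POLICY)
    for (entity, name), extra in found.items():
        print(f"{entity} {name}: excess permissions: {', '.join(extra)}")
```

A namespace with no entry in the policy is treated as allowing nothing, so an unexpected grant on any other namespace is reported in full.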

Dropping User Accounts from Roles

In this example, user betty needed temporary access to the samples namespace to debug a problem, and now that the problem is solved she should no longer have access to the data in samples.  Here she is removed from the analyst role.

AFL% show_roles_for_user('betty');
{No} role,id
{0} 'betty',429
{1} 'analyst',435
{2} 'developer',439
AFL%
AFL% drop_user_from_role('betty', 'analyst');
Query was executed successfully
AFL%
AFL% show_roles_for_user('betty');
{No} role,id
{0} 'betty',429
{1} 'developer',439
AFL% 

See also:

Enabling Security Mode