Overview

Namespaces are containers for array data. The Security Model Overview compares namespaces with Linux directories, and describes how to access arrays in namespaces using qualified and unqualified array names. This section summarizes the AFL operators that manipulate namespaces, and describes how to grant access rights to namespaces and their contents.

Namespace Operators

This table summarizes the AFL operators that manipulate namespaces.

Operator	Description
list('namespaces')	List all namespaces in the database.
create_namespace	Create a new namespace.
drop_namespace	Remove a namespace.
set_namespace	Set current working namespace.
show_namespace	Show current working namespace.
move_array_to_namespace	Move an array to a different namespace.

Granting Namespace Access

Only the scidbadmin user account or a member of the admin or operator role can create new namespaces. Newly created namespaces are empty and cannot be accessed by ordinary user accounts. To allow access, choose an existing role or create a new one, and set the role's permissions for the new namespace.

Namespace Permission Strings

The set_role_permissions operator links a role to a namespace, specifying which access rights members of the role will have for that namespace. Access rights are encoded as strings of the single-character codes in the table below.

Code	Permission	Remarks
c	create	Role members can create arrays in the namespace.
r	read	Role members can read array data in the namespace.
l (ell)	list	Role members can list the arrays contained in the namespace.
u	update	Role members can update pre-existing arrays in the namespace.
d	delete	Role members can remove arrays in the namespace.

Example

The example below creates a new namespace samples and two roles, uploader and analyst. Users in role uploader can create, list, and update arrays in the samples namespace. Users in role analyst can list and read array data in the samples namespace, but can neither add new array data, nor alter or delete existing data.

AFL% show_user();
{i} name
{0} 'scidbadmin'
AFL% 
AFL% create_namespace(samples);
Query was executed successfully
AFL%
AFL% create_role('uploader');
Query was executed successfully
AFL%
AFL% create_role('analyst');
Query was executed successfully
AFL%
AFL% -- Without quotes, the operator knows "samples" is a namespace. ;
AFL% set_role_permissions('uploader', samples, 'clu');
Query was executed successfully
AFL%
AFL% -- Here we use the more generic string literal form. ;
AFL% set_role_permissions('analyst', 'namespace', 'samples', 'rl');
Query was executed successfully
AFL% 
AFL% show_role_permissions('analyst');
{i} entity,name,permissions
{0} 'namespace','samples','lr'
AFL% show_role_permissions('uploader');
{i} entity,name,permissions
{0} 'namespace','samples','clu'
AFL%

The last step is to add members to the uploader and analyst roles:

AFL% add_user_to_role('data-generator-5000', 'uploader');
Query was executed successfully
AFL% add_user_to_role('betty', 'analyst');
Query was executed successfully
AFL%

Revoking Namespace Access

There are two ways to revoke access to a namespace. You can reduce the permissions that a role has for the namespace, or you can remove a user account from membership in roles that have access to the namespace.

Reducing Role Permissions

Here, the database administrator has decided that the uploader role is too permissive. Really, automated uploads from the Data Generator 5000 lab instrument only need to create new arrays with timestamps in their names. There is no need to list or update existing arrays. The administrator can reduce the permissions held by the uploader role to just c, the create permission:

AFL% show_role_permissions('uploader');
{i} entity,name,permissions
{0} 'namespace','samples','clu'
AFL%
AFL% -- 'ns' is an acceptable shorthand for 'namespace' here ; 
AFL% set_role_permissions('uploader', 'ns', 'samples', 'c');
Query was executed successfully
AFL%
AFL% show_role_permissions('uploader');
{i} entity,name,permissions
{0} 'namespace','samples','c'
AFL%

Dropping User Accounts from Roles

In this example, user betty needed temporary access to the samples namespace to debug a problem, and now that the problem is solved she should no longer have access to the data in samples. Here she is removed from the analyst role.

AFL% show_roles_for_user('betty');
{No} role,id
{0} 'betty',429
{1} 'analyst',435
{2} 'developer',439
AFL%
AFL% drop_user_from_role('betty', 'analyst');
Query was executed successfully
AFL%
AFL% show_roles_for_user('betty');
{No} role,id
{0} 'betty',429
{1} 'developer',439
AFL%

See also:

Enabling Security Mode

Browser not supported