mmx metadata framework
...the DNA of your data
MMX metadata framework is a lightweight implementation of OMG Metadata Object Facility built on relational database technology. MMX framework is based on three general concepts:
Metamodel | MMX Metamodel provides a storage mechanism for various knowledge models. The data model underlying the metadata framework is more abstract in nature than metadata models in general. The model consists of only a few abstract entities...
Access layer | Object-oriented methods can be exploited using inheritance to derive the whole data access layer from a small set of primitives created in SQL. MMX Metadata Framework provides several diverse methods of data access to fulfill different requirements...
Generic transformation | A large part of the relationships between different objects in the metadata model is too complex to be described through simple static relations. Instead, a universal data transformation concept is put to use, enabling the definition of transformations, mappings and transitions of any complexity...

MMX Access Control: RBAC API

July 18, 2009 21:32 by mmx

MMX Framework has built-in Access Control support as part of its Core Metamodel (http://mmxframework.org/post/2009/06/30/Access-Control-Implementation-in-MMX-Framework.aspx) based on RBAC System and Administrative Functional Specification (see ANSI INCITS 359-2004, Role Based Access Control). As stated in this document, "The RBAC Functional specification specifies administrative operations for the creation and maintenance of RBAC element sets and relations; administrative review functions for performing administrative queries; and system functions for creating and managing RBAC attributes on user sessions and making access control decisions."

The following set of functions is defined at the Core/Hierarchical RBAC level.

Administrative Commands (see Note 1):

AddUser(user)
DeleteUser(user)
AddRole(role)
DeleteRole(role)
AssignUser(user, role)
DeassignUser(user, role)
GrantPermission(object, operation, role)
RevokePermission(operation, object, role)
AddInheritance(r_asc, r_desc)
DeleteInheritance(r_asc, r_desc)
AddAscendant(r_asc, r_desc)
AddDescendant(r_asc, r_desc)

System Functions (see Note 2):

CreateSession(user, session)
DeleteSession(user, session)
AddActiveRole(user, session, role)
DropActiveRole(user, session, role)
CheckAccess(session, operation, object): BOOLEAN

Review Functions:

AuthorizedUsers(role): USERS
AuthorizedRoles(user): ROLES
RolePermissions(role): PERMS
UserPermissions(user): PERMS
RoleOperationsOnObject(role, obj): OPS
UserOperationsOnObject(user, obj): OPS
SessionRoles(session): ROLES (see Note 2)
SessionPermissions(session): PERMS (see Note 2)

The MMX Framework RBAC API implements AuthorizedUsers, AuthorizedRoles, RolePermissions, UserPermissions, RoleOperationsOnObject and UserOperationsOnObject as Table Functions that receive MMX object identifiers of the proper type as parameter(s) and return tables (rowsets) as values. The Oracle implementation is contained in package MMXAC.

An additional function, object_types(obj), which is not part of the RBAC Functional Specification, converts an RBAC object into a list of MMX object types (classes) denoted by a single RBAC object identifying an MMX object type or object type hierarchy.

Note 1: The functionality of Administrative Commands is provided by the MMX Administrative UI application (e.g. MMX Metadata Navigator).

Note 2: RBAC Sessions are temporary in nature and are not supported by MMX Framework.  

Here are the implementation details on the Oracle platform (package header), for the record:

FUNCTION authorized_users (role_id IN MD_OBJECT.object_id%TYPE)
RETURN user_table PIPELINED;

FUNCTION authorized_roles (user_id IN MD_OBJECT.object_id%TYPE)
RETURN role_table PIPELINED;

FUNCTION role_permissions (role_id IN MD_OBJECT.object_id%TYPE)
RETURN perm_table PIPELINED;

FUNCTION user_permissions (user_id IN MD_OBJECT.object_id%TYPE)
RETURN perm_table PIPELINED;

FUNCTION role_operations_on_object (role_id IN MD_OBJECT.object_id%TYPE, obj_id IN MD_OBJECT.object_id%TYPE)
RETURN op_table PIPELINED;

FUNCTION user_operations_on_object (user_id IN MD_OBJECT.object_id%TYPE, obj_id IN MD_OBJECT.object_id%TYPE)
RETURN op_table PIPELINED;

Note 3: authorized_users, authorized_roles, role_permissions and user_permissions, when called without a parameter, return the full list of their respective RBAC class instances.
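
The review functions listed above can be modelled in a few lines to see what they should return once role inheritance is taken into account. The following is an added example, not code from the MMXAC package: it follows the hierarchical RBAC definitions of the ANSI specification, and all users, roles, permissions and helper names (UA, PA, RH, juniors, seniors) are constructed for illustration.

```python
# Added illustration, not MMXAC code: every name and row below is constructed.
UA = {("alice", "editor"), ("bob", "viewer"), ("carol", "admin")}    # (user, role)
PA = {("viewer", "read", "report"), ("editor", "write", "report"),
      ("admin", "delete", "report"), ("admin", "read", "audit_log")}  # (role, op, obj)
RH = {("admin", "editor"), ("editor", "viewer")}  # (r_asc, r_desc): r_asc inherits r_desc

def _closure(role, edges):
    """Return role plus every role reachable from it over edges."""
    seen, stack = {role}, [role]
    while stack:
        cur = stack.pop()
        for src, dst in edges:
            if src == cur and dst not in seen:
                seen.add(dst)
                stack.append(dst)
    return seen

def juniors(role):   # the role itself plus every role it inherits from
    return _closure(role, RH)

def seniors(role):   # the role itself plus every role that inherits it
    return _closure(role, {(d, a) for a, d in RH})

def authorized_users(role=None):
    if role is None:  # Note 3: no parameter returns every user
        return {u for u, _ in UA}
    return {u for u, r in UA if r in seniors(role)}

def authorized_roles(user=None):
    if user is None:  # Note 3: no parameter returns every role
        return {r for _, r in UA} | {r for r, _, _ in PA} | {r for e in RH for r in e}
    return {j for u, r in UA if u == user for j in juniors(r)}

def role_permissions(role=None):
    if role is None:  # Note 3: no parameter returns every permission
        return {(op, obj) for _, op, obj in PA}
    return {(op, obj) for r, op, obj in PA if r in juniors(role)}

def user_permissions(user=None):
    if user is None:
        return role_permissions()
    return {p for r in authorized_roles(user) for p in role_permissions(r)}

def role_operations_on_object(role, obj):
    return {op for op, o in role_permissions(role) if o == obj}

def user_operations_on_object(user, obj):
    return {op for op, o in user_permissions(user) if o == obj}
```

Comparing user_operations_on_object for a senior and a junior user on the same object is a quick way to review how much access a role hierarchy grants beyond the direct assignments.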


 



Access Layer

September 29, 2008 15:20 by marx
MMX Metadata Framework is built on relational database technology. However, as a large part of the structure of the meta-metadata is hidden from the relational model, Structured Query Language (SQL) is not the best method for general data access: the SQL queries would be too complicated and repetitive to write. Instead, object-oriented methods can be exploited using inheritance to derive the whole data access layer from a small set of primitives created in SQL. Modern automatic object environments (Persistency Layers, Object-Relational Mappers etc.) can be taken advantage of here.

MMX Metadata Framework provides several diverse methods of data access to fulfill different requirements:
 
  • Object-Relational Mapper: provides .NET and Web Service (SOA) interfaces (NHibernate). This would cover application programs, web applications and external clients;
  • RDF API: provides XML/HTTP interface for applications. Typically this would include various Semantic Web applications or services;
  • Database CRUD API: provides standard SQL interface for applications requiring database level functionality. This would typically include data transformation jobs, maintenance tasks, query tools etc.