VPA Restrictions and Custom Data Access

The core provides additional API methods and binding expressions to allow application developers to customize how VPA restrictions are applied. Application developers must use the VPA programming guidelines described below when programming any data access code in Java or when creating custom SQL in the AXVW.

For an overview of VPA, see Application-Level Virtual Private ARCHIBUS

Implementing Custom Business Logic

When you implement custom business logic in Java, the standard ARCHIBUS APIs apply the VPA according to these rules:

The DataSource API by default applies the VPA to all operations that read the data from the database, unless:

If the applyVpaRestrictions property is set to false, the DataSource API does not use the VPA for any data reads, whether or not custom SQL is used.

The SqlUtils API does not apply the VPA.
The FieldFormula and FieldOperation APIs do not apply the VPA.

You usually do not need to use the VPA in workflow rules implementing custom business logic. For example:

A user triggers a workflow rule that calculates average sqft/employee for the entire company. The calculation accesses all of the rooms data company wide, even though that particular user does not have access to all of the rooms data. The user will see the aggregated result – the sqft/employee figure – but will still never see the detail data.
A user triggers a workflow rule that approves a project. The workflow rule may update an associated capital budget to which the user does not have access. The user never sees the capital budget, but the workflow rule still keeps the data in synch.

When developing custom business logic, you need to make a decision: to which category this Java code belongs:

Situation	Action
Producing raw data to be presented in a form or grid	Apply the VPA.
Producing aggregated data	Typically, you do not need to apply the VPA.
Implementing a workflow process	Typically, you do not apply the VPA. Exception: when the workflow rule should be executed only on the data that the current user can access

To disable the VPA in an AXVW datasource, use the applyVpaRestrictions attribute:

<dataSource id="ds0" applyVpaRestrictions="false">

When writing custom SQL queries in the AXVW datasource, the default VPA restriction may be disabled using the applyVpaRestrictions attribute and the restriction added to the custom SQL query directly using ${sql.vpaRestriction}:

<dataSource id="ds0" applyVpaRestrictions="false"> <sql dialect="generic">SELECT rm_id FROM rm WHERE ${sql.vpaRestriction}</sql> ....

Examples of VPA programming in the AXVW can be found in ab-ex-report-grid-sql-vpa.axvw

To customize default VPA restrictions when executing a custom SQL query:

Disable default VPA restrictions for this DataSource:

DataSource ds = …// do not apply the VPA restrictions
ds.setApplyVpaRestrictions(false);

Add the VPA expression to the custom SQL query:

// use the VPA expression in the custom SQL query// if the current user/role has no VPA, the expression will be resolved as (1=1)
String customSql = “SELECT COUNT(*) … FROM … WHERE … AND (${sql.vpaRestriction})”;
ds.addQuery(customSql);

To customize default VPA restrictions when executing a custom SQL query defined in the AXVW:

Disable default VPA restrictions for this DataSource:

<dataSource id="ds0" applyVpaRestrictions="false">

Add the VPA expression to the custom SQL query:

// use the VPA expression in the custom SQL query// if the current user/role has no VPA, the expression will be resolved as (1=1) <sql dialect="generic">SELECT COUNT(*) … FROM … WHERE … AND (${sql.vpaRestriction})</sql>

Further examples of VPA programming in the AXVW are found in the following view:

http://localhost:8080/archibus/schema/ab-products/solutions/parts/grid/ab-ex-report-grid-sql-vpa.axvw