From ffa2f2a5fd89a4fdafc69bcdc92d4c4bd4347eb5 Mon Sep 17 00:00:00 2001
From: Daniel Quathamer
Date: Thu, 31 Oct 2024 15:06:58 +0100
Subject: [PATCH] =?UTF-8?q?Leserecht=20f=C3=BCr=20einzelne=20Tabellen=20in?= =?UTF-8?q?=20HISRM=20#5?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
.../fin_unload_tabellen_mbs_grant.sql | 46 +++++++++++++
module/fin/hisrm_dbrechte_beispiel/readme.txt | 5 ++
.../ivs_unload_tabellen_mbs_grant.sql | 18 +++++
.../sva_unload_tabellen_sva4_grant.sql | 68 +++++++++++++++++++
4 files changed, 137 insertions(+)
create mode 100644 module/fin/hisrm_dbrechte_beispiel/fin_unload_tabellen_mbs_grant.sql
create mode 100644 module/fin/hisrm_dbrechte_beispiel/readme.txt
create mode 100644 module/ivs/hisrm_dbrechte_beispiel/ivs_unload_tabellen_mbs_grant.sql
create mode 100644 module/sva/hisrm_dbrechte_beispiel/sva_unload_tabellen_sva4_grant.sql
diff --git a/module/fin/hisrm_dbrechte_beispiel/fin_unload_tabellen_mbs_grant.sql b/module/fin/hisrm_dbrechte_beispiel/fin_unload_tabellen_mbs_grant.sql
new file mode 100644
index 0000000..3249334
--- /dev/null
+++ b/module/fin/hisrm_dbrechte_beispiel/fin_unload_tabellen_mbs_grant.sql
@@ -0,0 +1,46 @@
+create user biuser;
+
+alter USER biuser WITH NOSUPERUSER PASSWORD 'anfang13';
+GRANT usage ON SCHEMA mbs TO biuser;
+
+GRANT SELECT ON TABLE mbs.bga_to_mbs TO biuser;
+GRANT SELECT ON TABLE mbs.db_sachbearbeiter TO biuser;
+GRANT SELECT ON TABLE mbs.db_version TO biuser;
+GRANT SELECT ON TABLE mbs.dokumente TO biuser;
+GRANT SELECT ON TABLE mbs.fb TO biuser;
+GRANT SELECT ON TABLE mbs.fbdr TO biuser;
+GRANT SELECT ON TABLE mbs.fibu_auswertung_art TO biuser;
+GRANT SELECT ON TABLE mbs.fibu_auswertung_definition TO biuser;
+GRANT SELECT ON TABLE mbs.fibu_auswertung_konten_zuordnung TO biuser;
+GRANT SELECT ON TABLE mbs.fibu_journal TO biuser;
+GRANT SELECT ON TABLE mbs.fibu_kontenstand TO biuser;
+GRANT SELECT ON TABLE mbs.fibu_konten TO biuser;
+GRANT SELECT ON TABLE mbs.fikr TO biuser;
+GRANT SELECT ON TABLE mbs.fins TO biuser;
+GRANT SELECT ON TABLE mbs.gege TO biuser;
+GRANT SELECT ON TABLE mbs.huel TO biuser;
+GRANT SELECT ON TABLE mbs.imp_busa TO biuser;
+GRANT SELECT ON TABLE mbs.ins TO biuser;
+GRANT SELECT ON TABLE mbs.ins2 TO biuser;
+GRANT SELECT ON TABLE mbs.ins3 TO biuser;
+GRANT SELECT ON TABLE mbs.insdr TO biuser;
+GRANT SELECT ON TABLE mbs.insdr2 TO biuser;
+GRANT SELECT ON TABLE mbs.insdr3 TO biuser;
+GRANT SELECT ON TABLE mbs.inst TO biuser;
+GRANT SELECT ON TABLE mbs.kap TO biuser;
+GRANT SELECT ON TABLE mbs.k_bga TO biuser;
+GRANT SELECT ON TABLE mbs.k_sollbuschl TO biuser;
+GRANT SELECT ON TABLE mbs.k_syf TO biuser;
+GRANT SELECT ON TABLE mbs.mwst_betraege TO biuser;
+GRANT SELECT ON TABLE mbs.prge TO biuser;
+GRANT SELECT ON TABLE mbs.proj TO biuser;
+GRANT SELECT ON TABLE mbs.proj_to_inst TO biuser;
+GRANT SELECT ON TABLE mbs.r_belongsto TO biuser;
+GRANT SELECT ON TABLE mbs.r_dokumente TO biuser;
+GRANT SELECT ON TABLE mbs.sys TO biuser;
+GRANT SELECT ON TABLE mbs.titdr TO biuser;
+GRANT SELECT ON TABLE mbs.tit TO biuser;
+GRANT SELECT ON TABLE mbs.ut TO biuser;
+GRANT SELECT ON TABLE mbs.zp TO biuser;
+GRANT SELECT ON TABLE mbs.zst_kapitel TO biuser;
+GRANT SELECT ON TABLE mbs.zst_sonderbuchst TO biuser;
diff --git a/module/fin/hisrm_dbrechte_beispiel/readme.txt b/module/fin/hisrm_dbrechte_beispiel/readme.txt
new file mode 100644
index 0000000..fd00445
--- /dev/null
+++ b/module/fin/hisrm_dbrechte_beispiel/readme.txt
@@ -0,0 +1,5 @@
+Postgres-Lesrechte vergeben
+
+Stichwort Risikominimierung: SuperX benötigt zwar Zugriff auf Vorsysteme, aber keinen Vollzugriff. Ein Leserecht für die jeweils benötigten Tabellen reicht aus.
+
+Das beigefügte Script gibt Lesereche im Vorsystem für die Tabellen bzw. Objekte, die SuperX zum Entladen benötigt. Sie können diese Scripte anpassen und nach Ausführung in der JDBC-Quelle für SuperX / BI angeben (databases.xml bzw. db-hisrm.properties).
diff --git a/module/ivs/hisrm_dbrechte_beispiel/ivs_unload_tabellen_mbs_grant.sql b/module/ivs/hisrm_dbrechte_beispiel/ivs_unload_tabellen_mbs_grant.sql
new file mode 100644
index 0000000..c2684b2
--- /dev/null
+++ b/module/ivs/hisrm_dbrechte_beispiel/ivs_unload_tabellen_mbs_grant.sql
@@ -0,0 +1,18 @@
+
+--Beipsielscript um die Tabellen für eine Beispielkennnung "biuser"
+--lesbar zu machen, die im SuperX-IVS-Modul benötigt werden:
+GRANT SELECT ON TABLE mbs.akl_bw TO biuser;
+GRANT SELECT ON TABLE mbs.erwb TO biuser;
+GRANT SELECT ON TABLE mbs.gege TO biuser;
+GRANT SELECT ON TABLE mbs.geb TO biuser;
+GRANT SELECT ON TABLE mbs.fikr TO biuser;
+GRANT SELECT ON TABLE mbs.proj TO biuser;
+GRANT SELECT ON TABLE mbs.zp TO biuser;
+GRANT SELECT ON TABLE mbs.ivasp TO biuser;
+GRANT SELECT ON TABLE mbs.ivasp_bga TO biuser;
+GRANT SELECT ON TABLE mbs.ivsplit TO biuser;
+GRANT SELECT ON TABLE mbs.ivst TO biuser;
+GRANT SELECT ON TABLE mbs.stamm TO biuser;
+GRANT SELECT ON TABLE mbs.inst TO biuser;
+GRANT SELECT ON TABLE mbs.klas TO biuser;
+
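Review bot: The fin script commits a fixed, guessable password in `alter USER biuser WITH NOSUPERUSER PASSWORD 'anfang13';`, so every site that runs the example unchanged ends up with the same known credential on an account that can read the finance tables. The literal is now also in the repository history and, depending on the server's logging settings, may end up in the statement log. Replace it with an obvious placeholder that has to be edited before the script runs, e.g. `alter USER biuser WITH NOSUPERUSER PASSWORD '<HIER_EIGENES_PASSWORT_SETZEN>';`, or drop the clause and set the password interactively with psql's `\password biuser`. A short header comment, like the one in the ivs script, saying that this file creates the role and therefore has to run first would also help.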
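Review bot: The ivs script assumes that `biuser` already exists and already has USAGE on schema `mbs`, but both are only set up in fin_unload_tabellen_mbs_grant.sql. On an installation that runs only the IVS example the grants fail because the role is missing, or, if the role was created some other way, they succeed without giving access because schema usage is absent. Add `GRANT usage ON SCHEMA mbs TO biuser;` at the top (repeating it is harmless) and a comment naming the prerequisite, e.g. `--Voraussetzung: Kennung biuser wurde bereits angelegt (siehe fin-Beispielscript)`. The sva script has the same dependency on the role being created elsewhere.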
diff --git a/module/sva/hisrm_dbrechte_beispiel/sva_unload_tabellen_sva4_grant.sql b/module/sva/hisrm_dbrechte_beispiel/sva_unload_tabellen_sva4_grant.sql
new file mode 100644
index 0000000..1ca847b
--- /dev/null
+++ b/module/sva/hisrm_dbrechte_beispiel/sva_unload_tabellen_sva4_grant.sql
@@ -0,0 +1,68 @@
+GRANT usage ON SCHEMA sva4 TO biuser;
+grant create on schema sva4 to biuser;
+
+GRANT SELECT ON TABLE sva4.db_version TO biuser;
+GRANT SELECT ON TABLE sva4.fb TO biuser;
+GRANT SELECT ON TABLE sva4.gege TO biuser;
+GRANT SELECT ON TABLE sva4.ins TO biuser;
+GRANT SELECT ON TABLE sva4.inst TO biuser;
+GRANT SELECT ON TABLE sva4.inst_to_ext TO biuser;
+GRANT SELECT ON TABLE sva4.k_aenderungsgrd TO biuser;
+GRANT SELECT ON TABLE sva4.k_amtsdienstbez TO biuser;
+GRANT SELECT ON TABLE sva4.k_anredetitel TO biuser;
+GRANT SELECT ON TABLE sva4.k_art_zeit TO biuser;
+GRANT SELECT ON TABLE sva4.k_ausscheidegrund TO biuser;
+GRANT SELECT ON TABLE sva4.k_befristetgrund TO biuser;
+GRANT SELECT ON TABLE sva4.k_beurlaubart TO biuser;
+GRANT SELECT ON TABLE sva4.k_bvlgruppe TO biuser;
+GRANT SELECT ON TABLE sva4.k_dienstart TO biuser;
+GRANT SELECT ON TABLE sva4.k_fachgebiet TO biuser;
+GRANT SELECT ON TABLE sva4.k_funktionsart TO biuser;
+GRANT SELECT ON TABLE sva4.k_haushaltsverm TO biuser;
+GRANT SELECT ON TABLE sva4.k_hochschule TO biuser;
+GRANT SELECT ON TABLE sva4.k_kalkwert TO biuser;
+GRANT SELECT ON TABLE sva4.k_laufbahn TO biuser;
+GRANT SELECT ON TABLE sva4.k_lehreinh TO biuser;
+GRANT SELECT ON TABLE sva4.k_minderungsgrd TO biuser;
+GRANT SELECT ON TABLE sva4.k_pbeart TO biuser;
+GRANT SELECT ON TABLE sva4.k_pbekennzeichen TO biuser;
+GRANT SELECT ON TABLE sva4.k_persattribut TO biuser;
+GRANT SELECT ON TABLE sva4.k_pfaart TO biuser;
+GRANT SELECT ON TABLE sva4.k_pfi_art TO biuser;
+GRANT SELECT ON TABLE sva4.k_pgd_kategorie TO biuser;
+GRANT SELECT ON TABLE sva4.k_rechtsstell TO biuser;
+GRANT SELECT ON TABLE sva4.k_sgd_kategorie TO biuser;
+GRANT SELECT ON TABLE sva4.k_sis_wert TO biuser;
+GRANT SELECT ON TABLE sva4.k_staat TO biuser;
+GRANT SELECT ON TABLE sva4.k_studienbereich TO biuser;
+GRANT SELECT ON TABLE sva4.k_teilzeitart TO biuser;
+GRANT SELECT ON TABLE sva4.k_vertragsart TO biuser;
+GRANT SELECT ON TABLE sva4.k_vorquali_berufung TO biuser;
+GRANT SELECT ON TABLE sva4.out_cob_pbv TO biuser;
+GRANT SELECT ON TABLE sva4.pat TO biuser;
+GRANT SELECT ON TABLE sva4.paz TO biuser;
+GRANT SELECT ON TABLE sva4.pbe TO biuser;
+GRANT SELECT ON TABLE sva4.pbl TO biuser;
+GRANT SELECT ON TABLE sva4.pbu TO biuser;
+GRANT SELECT ON TABLE sva4.pbv TO biuser;
+GRANT SELECT ON TABLE sva4.pbv_to_pbz TO biuser;
+GRANT SELECT ON TABLE sva4.pbz TO biuser;
+GRANT SELECT ON TABLE sva4.pbz_betraege TO biuser;
+GRANT SELECT ON TABLE sva4.pdp TO biuser;
+GRANT SELECT ON TABLE sva4.pfa TO biuser;
+GRANT SELECT ON TABLE sva4.pfi TO biuser;
+GRANT SELECT ON TABLE sva4.pgd TO biuser;
+
+GRANT SELECT ON TABLE sva4.pmi TO biuser;
+GRANT SELECT ON TABLE sva4.proj TO biuser;
+GRANT SELECT ON TABLE sva4.sbu TO biuser;
+GRANT SELECT ON TABLE sva4.sgd TO biuser;
+GRANT SELECT ON TABLE sva4.shv TO biuser;
+GRANT SELECT ON TABLE sva4.soe TO biuser;
+GRANT SELECT ON TABLE sva4.swe TO biuser;
+
+--die folgende Tabelle ist nur für SuperX in SVA angelegt worden
+--sie dient zum (optionalen) Peudonymisieren,
+--daher Vorllzugriff:
+GRANT ALL ON TABLE sva4.pgd_join_id_ldsg TO biuser;
+GRANT UPDATE ON SEQUENCE sva4.pgd_join_id_ldsg_pgd_join_id_ldsg_seq TO biuser;
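Review bot: `grant create on schema sva4 to biuser;` near the top of the sva script goes beyond the read-only access that the commit title and the readme describe. It lets biuser create its own tables, functions and other objects inside the source system's schema, and no comment says why that is needed. If it exists only so that the pseudonymisation table can be created, create that table once as the schema owner and drop this grant; otherwise document the reason next to it. Similarly, `GRANT ALL ON TABLE sva4.pgd_join_id_ldsg` also hands out TRUNCATE, REFERENCES and TRIGGER. Presumably `GRANT SELECT, INSERT, UPDATE, DELETE ON TABLE sva4.pgd_join_id_ldsg TO biuser;` is enough for the optional pseudonymisation, which should be confirmed against what the unload job actually does.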