mscmp_syst_mcp_perms.ms

get_applied_network_rule(p_host_addr inet, p_instance_id uuid DEFAULT NULL::uuid, p_instance_owner_id uuid DEFAULT NULL::uuid)

Description

Applies all of the applicable network rules for a host and returns the governing record for the identified host.

The returned rule is chosen by identifying which rules apply to the host based on the provided Instance related parameters and then limiting the return to the rule with the highest precedence. Currently the precedence is defined as:

Disallowed Hosts: Globally disallowed or “banned” hosts are always checked first and no later rule can override the denial. Only removing the host from the syst_disallowed_hosts table can reverse this denial.
Global Rules: These are rules applied to all Instances without exception.
Instance Rules: Rules defined by Instance Owners and are the most granular rule level available (p_instance_id).
Instance Owner Rules: Applied to all Instances owned by the identified Owner (p_instance_owner_id).
Global Implied Default Rule: When no explicitly defined network has been found for a host this rule will apply implicitly. The current rule grants access from any host.

Parameters

p_host_addr :: Required? True; Default: ( No Default )

The host IP address for which to retrieve a network rule to apply.
p_instance_id :: Required? False; Default: NULL

The record id of the Instance that the host is attempting to access.

Note that NULL is a valid value subject to the conditions in the function description.
p_instance_owner_id :: Required? False; Default: NULL

The record id value of the Owner record which owns the Instance.

Note that NULL is a valid value subject to the conditions in the function description.

General Usage

This function returns the best matching rule for the provided parameters. This means that when p_host_addr is provided but neither of p_instance_id or p_instance_owner_id are provided, the host can only be evaluated against the Disallowed Hosts and the Global Network Rules which isn’t sufficient for a complete validation of a host’s access to an Instance; such incomplete checks can be useful to avoid more expensive authentication processes later if the host is just going to be denied access due to global network rules.

Providing only p_instance_owner_id will include the Global and Owner defined rules, but not the Instance specific rules. If p_instance_id is provided that is sufficient that is sufficient for testing all the applicable rules since the Instance Owner ID can be derived using just p_instance_id parameter.

Parameters

Search:

Name	Type	Mode
p_host_addr	inet	IN
p_instance_id	uuid	IN
p_instance_owner_id	uuid	IN
precedence	text	TABLE
network_rule_id	uuid	TABLE
functional_type	text	TABLE
ip_host_or_network	inet	TABLE
ip_host_range_lower	inet	TABLE
ip_host_range_upper	inet	TABLE

Showing 1 to 9 of 9 entries

Definition

​x
 
-- File:        get_applied_network_rule.eex.sql
-- Location:    musebms/database/components/system/mscmp_syst_authn/ms_syst/functions/get_applied_network_rule.eex.sql
-- Project:     Muse Systems Business Management System
--
-- Copyright © Lima Buttgereit Holdings LLC d/b/a Muse Systems
-- This file may include content copyrighted and licensed from third parties.
--
-- See the LICENSE file in the project root for license terms and conditions.
-- See the NOTICE file in the project root for copyright ownership information.
--
-- muse.information@musesystems.com :: https://muse.systems
​
    SELECT
        precedence
      , network_rule_id
      , functional_type
      , ip_host_or_network
      , ip_host_range_lower
      , ip_host_range_upper
    FROM
        ms_syst_priv.get_applied_network_rule(
              p_host_addr         => p_host_addr
            , p_instance_id       => p_instance_id
            , p_instance_owner_id => p_instance_owner_id);