Data Access Authorization Pattern

With the Data Access Authorization Pattern, PlainID Authorizers dynamically enforce access to data. Data Access Authorizers, help you seamlessly integrate your existing Data Gateways, Data Access Layers and Data Services with PlainID’s dynamic authorization calculation.
This integration enables you to define fine-grained authorization policies, and enforce access rules both on records access and for masking of properties.

Data Access Authorizers usually leverage PlainID’s PDP Policy Resolution to get calculated access for records and properties and enforce the data access by applying this resolution.
The Data Access Authorizers assist with enforcement at the data level in one of the following ways:

• Intercept data queries and apply dynamically calculated filters on them
• Apply filtering of records and properties after data was already fetched from a data service
• Guide a data service for the required enforcement by enriching its service request with the policy resolution

With query modification or data filtering the data services are seamlessly integrated with dynamic authorization and users will get only permitted data according to identity context, data policies and masking instructions, allowing to tighten your data regulation and yet keep them robust and dynamic.

About Query Modification

The PlainID Data Access Authorizer is integrated into your data solution or data layer with one of the supported technologies.

1. The Authorizer intercepts your application's data queries and sends them for evaluation and modification.
2. Our Data Access proxy parses the query and forms an authorization access decision and requests the PlainID PDP for data access evaluation.
3. PDP, using predefined data policies and data mapping, calculate the fine grained access decision and send a policy resolution response to the data proxy.
4. Data proxy uses the policy resolution response that includes instructions on filtering and masking and modifies the original data query to include the applicable filters (both in Where clause and Select clause)
5. Modified query is returned to the Authorizer, executed in the underlying database or data solution and only permitted data is served back to the requesting user.

Current Query Modification Authorizers include:

• Denodo
• Google Big Query
• Trino
• MS .Net Applications using entity framework (ORM)
• Java Spring Boot Applications using Hibernate (ORM)
• Direct Data Authorization using PlainID’s SQL DB Authorizer for MSSQL and PostgreSQL DBs

Two additional data enforcement pattern are possible by integrating Authorizers to your data service:

• Filtering data service responses - PlainID Authorizer will process your data service response, after data was fetched from data sources. This processing will include filtering our records objects and/or mask object properties.

  Currently available with PlainID JSON Masking Authorizer (beta)
  
  

• Enriching data service request - PlainID Authorizer will enrich your data service request with headers containing instructions for the required data filtering and your service will enforce these instructions as part of its logic.

  Currently available with PlainID Istio Authorizer

Data Policy Authoring and Data Mapper Usage

To assist with policy authoring designed for data access management, PlainID allows to set up Asset Types used for data filtering. In addition, policies can be defined using a combination of asset types representing row level and column level access rules and use the relation derived from the policy to make accurate data access enforcement.

Together with these capabilities Data Mappers can also be leveraged to smartly map your physical data ecosystem to the logical business representation on which you will manage your policies centrally.