Dynamic Data Mapping
    • 03 Dec 2023

    When creating Authorization Policies to control row-level access to data, an Asset Type representing the physical structure of the table is used. Row-level controls are commonly defined for a large number of tables that in reality share the same logical structure and the same required controls defined in the Policy.

    The dynamic mapping capability lets a single Asset Type represent multiple tables that share a similar logical structure. A single Policy is then created to apply the row-level controls. This Policy supports and optimizes centralized management and ensures consistency.

    To create dynamic mapping, set which tables are represented by the Asset Type and, optionally, map the Attribute where a table uses a different column name. The Policy Decision Point dynamically inserts the values that match the set of tables sent in the request into the authorization response, providing specific instructions for query modification.

    Defining Data Mapping

    Assuming that each of these physical tables shares a common structure for the columns that are used for row-level access controls, you can map the list of tables to be used by a single Asset Type. As an example, you can use dynamic data mapping if your organization has multiple tables (Projects, Products, Customers), and row-level controls are based on the same column (department) available in all tables.

    Additionally, the Platform can map the column values to Attributes dynamically, if different column names are in use to represent the same data. As an example, if your organization has multiple tables that refer to the same data referenced by columns with different names (Dept, Department, Division, etc.), these columns can be dynamically mapped at the Attribute level.

    Set the Data Mapping

    Data mapping can only be set for Asset Types whose "Asset Type is used for data filtering?" field is set to Yes.

    • Set the list of tables that are represented by the Asset Type.

    • If the same column name is used in all tables, make sure that the Attribute Name matches the column name.

    • If the columns in multiple tables use different column names for the same data (example: Dept, Department, Division, etc.), map the exact column names of each of the relevant tables to each Attribute.

    The Policy Decision Point dynamically inserts the mapped values in the authorization response.

    Set Table Mapping

    [Image: data mapping - table mapping.gif]

    Set Column Mapping

    [Image: Data Mapping - Column attribute mapping.gif]

    Using Data Mapping in the PDP

    To dynamically calculate the data mapping, the list of tables must be sent as an array within the resourceFullPath parameter in the authorization request under environment.

    If a match between the table sent in the request and the Asset Type is found, the resourceType is replaced in the fully qualified table name and the attribute will be replaced by the column name in the authorization response.

    [Image: policy resolution.png]

    If no match is found, or if a list of tables was not sent, the request is handled as if the mapping was not set. In this case, the Asset Template ID and the Attribute Name are returned in the authorization response.
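
The match and no-match behaviour described above, modeled as an added example; this is not PlainID code and not the Policy Resolution API schema. The dictionary layout, the table names, the `DEPT_SCOPED_DATA` ID, the `mapped` flag, and the `resolve` and `to_where` helpers are all assumptions made for illustration.

```python
# Added illustration of the resolution behaviour described above.
# Structures and names are hypothetical, not the PlainID API schema.

# Constructed sample: one Asset Type representing three physical tables.
ASSET_TYPE = {
    "id": "DEPT_SCOPED_DATA",  # placeholder Asset Template ID
    "tables": {"sales.public.projects", "sales.public.products",
               "crm.public.customers"},
    # Attribute -> {table: column}; tables without an entry use the Attribute
    # Name itself as the column name.
    "column_map": {"department": {"sales.public.projects": "dept",
                                  "crm.public.customers": "division"}},
}
# Constructed policy outcome, expressed against Attribute Names.
POLICY_FILTER = [{"attribute": "department", "values": ["R&D", "Finance"]}]


def resolve(asset_type, policy_filter, resource_full_path=None):
    """Return one entry per matched table, or a single unmapped fallback."""
    matched = [t for t in (resource_full_path or []) if t in asset_type["tables"]]
    if not matched:
        # No table list sent, or no match: treated as if no mapping was set.
        return [{"resourceType": asset_type["id"], "mapped": False,
                 "filter": [dict(c) for c in policy_filter]}]
    entries = []
    for table in matched:
        conds = []
        for c in policy_filter:
            per_table = asset_type["column_map"].get(c["attribute"], {})
            conds.append({**c, "attribute": per_table.get(table, c["attribute"])})
        entries.append({"resourceType": table, "mapped": True, "filter": conds})
    return entries


def to_where(entry):
    """Build a parameterized WHERE clause; fail closed on an unmapped entry."""
    if not entry["mapped"]:
        # Example's choice: an Asset Template ID and Attribute Name are not
        # physical names, so no filter is derived from them.
        raise ValueError("unmapped response: refusing to build a row filter")
    clauses, params = [], []
    for c in entry["filter"]:
        marks = ", ".join("?" for _ in c["values"])
        clauses.append(f'{c["attribute"]} IN ({marks})')
        params.extend(c["values"])
    return " AND ".join(clauses), params
```

In this model, a table in the request that the Asset Type does not represent produces no entry, so a caller can compare the returned `resourceType` values against the tables it asked about before running a query.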

    To learn more about the PDP Policy Resolution endpoint, see the PlainID Developer's Portal.

    Note:

    Dynamic Data Mapping is currently supported through the Policy Resolution API. It is also currently supported by the PlainID Authorizers: Denodo.
