Managing Data Authorizers
    • 15 Aug 2023

    From the Data Authorizers tab in the Environment Settings screen, you can view the list of available Data Authorizers currently defined in the Authorization Platform. You can also:

    • Create a new Data Authorizer
    • View and edit Data Authorizer details
    • Download an Authorizer deployment package
    • Delete an Authorizer

    Each time you create a new Data Authorizer, it is assigned a unique Authorizer ID. You can edit an existing Authorizer to change its Name and/or Description. You cannot change the Vendor of an Authorizer once you have created it.

    Create a new Data Authorizer

    1. Open the Environment Settings screen by clicking the Environment's three vertical dots and selecting Settings.
    2. Select the Data Authorizers tab. The Data Authorizers screen is displayed.
    3. Click New Authorizer. The General Details section opens, enabling you to define the new Authorizer.
    4. In the Vendor field, select the appropriate vendor. Options include: Google BigQuery, Denodo, Snowflake.
    5. In the Name field, enter a unique name for the Authorizer. This is the name displayed on the Data Authorizers list.
    6. Enter a Description for the new Data Authorizer (optional).
    7. Click Create. The new Authorizer is added to the list of Data Authorizers.

    Viewing and Editing Data Authorizer Details

    You cannot edit the unique Authorizer ID automatically assigned to each Authorizer.

    1. Open the Environment Settings screen by clicking the Environment Settings icon.
    2. Select the Data Authorizers tab. The Data Authorizers screen is displayed.
    3. To edit the Name or Description of an Authorizer, click Edit.

    Downloading Deployment Packages

    To configure a Data Authorizer to work with the Authorization Platform, you need to download the deployment package for the Data Authorizer defined in the Platform.

    Download an Authorizer Deployment Package

    1. On the Environment Settings page, select Data Authorizers. The Data Authorizers screen is displayed.
    2. Select the Data Authorizer for which you wish to download the deployment package. The General Details for that Authorizer are displayed.
    3. Click Download. The Authorizer deployment package is automatically downloaded to the default location.

    Deleting a Data Authorizer

    To delete an Authorizer:

    1. On the Environment Settings page, select Data Authorizers. The Data Authorizers screen is displayed.
    2. Hover over the Authorizer you wish to delete. A trash icon is displayed.
    3. Click on the trash icon and in the Delete this Authorizer popup message, click Delete. The Authorizer is deleted.

    Policy Resolution Endpoint for Data Authorizers

    The Authorization Platform offers unique support for database-adaptive access using the Policy Resolution endpoint. This endpoint is designed to add to or modify the SQL query the user is trying to run, so that only authorized data is processed.

    The response to the Policy Resolution request depends on the Asset Template type used (field vs. data). Understanding the response structure can help when troubleshooting. The response contains the following components:

    • access – Lists the allowed data items. This is the Authorization Response for Assets based on the Asset Template type field.
    • privileges – Shows the logical filtering of the data. The “allowed” and “denied” entries show the ruleset for Assets based on the Asset Template type data, that is, what the user:
      • Has access to (allowed)
      • Does not have access (denied) due to restricted policies

    With the option of getting two types of responses with one Authorization Request, Policy Resolution can also address very specific, complex use cases. More details on the Policy Resolution endpoint are available in the Developers Guide.

    For the table outlined above, the resulting access for an Account Manager is the set of columns returned in the access section, with the data filtered using the filter returned in the privileges section.

    Sample Response

    {
      "tokenValidity": 0,
      "response": [
        {
          //Column Level Access
          "access": [
            {
              "path": "111",
              "attributes": {
                "uid": [
                  "111"
                ],
                "table": [
                  "account"
                ],
                "column": [
                  "account_id"
                ],
                "classification": [
                  "public"
                ],
                "projectid": [
                  "project1"
                ],
                "dataset": [
                  "ds1"
                ]
              },
              "resourceType": "tables_columns",
              "actions": [
                {
                  "action": "Access"
                }
              ]
            },
            {
              "path": "112",
              "attributes": {
                "uid": [
                  "112"
                ],
                "table": [
                  "account"
                ],
                "column": [
                  "account_name"
                ],
                "classification": [
                  "public"
                ],
                "projectid": [
                  "project1"
                ],
                "dataset": [
                  "ds1"
                ]
              },
              "resourceType": "tables_columns",
              "actions": [
                {
                  "action": "Access"
                }
              ]
            },
            {
              "path": "113",
              "attributes": {
                "uid": [
                  "113"
                ],
                "table": [
                  "account"
                ],
                "column": [
                  "branch"
                ],
                "classification": [
                  "public"
                ],
                "projectid": [
                  "project1"
                ],
                "dataset": [
                  "ds1"
                ]
              },
              "resourceType": "tables_columns",
              "actions": [
                {
                  "action": "Access"
                }
              ]
            }
          ],
          //Row Level Access
          "privileges": {
            "allowed": [
              {
                "resourceType": "project1.ds1.account",
                "actions": [
                  {
                    "action": "View",
                    "asset-attributes-filter": {
                      "OR": [
                        {
                          "OR": [
                            {
                              "AND": [
                                {
                                  "attribute": "branch",
                                  "type": "STRING",
                                  "operator": "EQUALS",
                                  "values": [
                                    "New York"
                                  ],
                                  "match": "any"
                                }
                              ]
                            }
                          ]
                        }
                      ]
                    }
                  }
                ]
              }
            ],
            "denied": []
          }
        }
      ]
    }
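
One way a consuming service could apply such a response, as an added example that is not part of the original page or the platform's own code: it builds a parameterized SELECT from the access columns and the privileges filter. The qmark placeholders, reading EQUALS with match "any" as IN, joining multiple allowed rules with OR, and failing closed on a non-empty denied list are assumptions.

```python
import re

# Constructed input: the page's Sample Response trimmed to two columns.
def col_entry(name):
    return {"attributes": {"projectid": ["project1"], "dataset": ["ds1"],
                           "table": ["account"], "column": [name]},
            "resourceType": "tables_columns", "actions": [{"action": "Access"}]}

LEAF = {"attribute": "branch", "type": "STRING", "operator": "EQUALS",
        "values": ["New York"], "match": "any"}
SAMPLE = {"tokenValidity": 0, "response": [{
    "access": [col_entry("account_id"), col_entry("branch")],
    "privileges": {
        "allowed": [{"resourceType": "project1.ds1.account", "actions": [{
            "action": "View", "asset-attributes-filter": {"OR": [{"OR": [{"AND": [LEAF]}]}]}}]}],
        "denied": []}}]}

IDENT_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")

def ident(name):
    """Allow-list identifiers: they cannot be bound as query parameters."""
    if not isinstance(name, str) or not IDENT_RE.fullmatch(name):
        raise ValueError(f"unsafe identifier: {name!r}")
    return name

def to_sql(node, params):
    """Render one filter node as SQL text, appending its values to params."""
    for op in ("AND", "OR"):
        if node.get(op):  # non-empty group; an empty one falls through and is rejected
            return "(" + f" {op} ".join(to_sql(c, params) for c in node[op]) + ")"
    if node.get("operator") != "EQUALS" or node.get("match") != "any" or not node.get("values"):
        raise ValueError(f"unsupported filter: {node!r}")  # fail closed (assumption)
    params.extend(node["values"])
    return f"{ident(node['attribute'])} IN ({', '.join('?' * len(node['values']))})"

def build_query(resolution, resource):
    """Return (sql, params) for one project.dataset.table, else raise."""
    entry = resolution["response"][0]
    keys = ("projectid", "dataset", "table")
    cols = [ident(a["attributes"]["column"][0]) for a in entry["access"]
            if ".".join(a["attributes"][k][0] for k in keys) == resource]
    rules = [r for r in entry["privileges"]["allowed"] if r["resourceType"] == resource]
    if not cols or not rules or entry["privileges"]["denied"]:
        raise PermissionError(f"no resolvable access to {resource}")
    params = []
    where = " OR ".join(to_sql(a["asset-attributes-filter"], params)
                        for r in rules for a in r["actions"])
    table = ".".join(ident(p) for p in resource.split("."))
    return f"SELECT {', '.join(cols)} FROM {table} WHERE {where}", params
```

Filter values only ever reach the database as bound parameters, while column and table names, which cannot be bound, pass through the identifier allow-list.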
    
