Row and Column Filtering
    • 01 Sep 2024

    Row-Level Filtering

    Row-level filtering uses a single Asset Type/Template to control row-level access across multiple tables that share the same Row-Level Access Policy logic. To apply access control at the row level, a Virtual Asset Template needs to be created for each available table. The type of these templates needs to be set as “Data”. Each template should contain the attributes that will be used to enforce access for the specific table. In the example below, the attribute “LOB” is used to filter records by their line of business.

    The “Data” Asset Template should represent the structure of the tables that are to be accessed, enabling filters at that level. The policy decision from the “Data” templates is used to build the “where” clause of the query. The following naming convention needs to be followed:

    • The Asset Template name should be “database.table”, as set up in Denodo.

    For example, for the table titled “accounts” in the database “testing”, the template name should be “testing.accounts”.

    • The Attribute names in the template should match the column names to be used for filtering, as set up in Denodo.

    The Denodo Authorizer utilizes SQL functions that are sent as part of the Policy Resolution response, which supports additional and more complex conditions.

    To support complex conditions, add the authz_ext. prefix to the Ruleset value in the Asset Rulesets. For example:

    authz_ext.date_trunc('month', CURRENT_DATE) - INTERVAL '1 year'
    
    Header | Detail
    authz_ext. | The authorizer instruction prefix indicator
    date_trunc('month', CURRENT_DATE) - INTERVAL '1 year' | The function string

    Column Level Filtering

    To apply access control at the column level, a single template per environment needs to be created. The type of this template needs to be set as “Field”. The repository type can be either an internal asset template or an external template (recommended). The policy decision from the “Field” template is used to build the selectable columns of the query.
    There are no constraints on the name of this template.

    The “Field” Asset Template represents the columns of the table. Therefore, the following mandatory attributes should be created for the template:

    • uid – a unique identifier for the column, as columns across different tables can share a common name.
    • columnname – the name of the column as it appears in Denodo.
    • databasename – the name of the dataset the table is in, in Denodo.
    • tablename – the name of the table in Denodo.
    • Additional Attribute – optional metadata that will be used to dynamically group columns and create policies at the attribute level.

    Important: The names to be used in mandatory attributes (columnname, tablename & databasename) are reserved names and should be defined as stated above in the configuration.

    The name of each individual asset must match the column name of the table it represents, and the attributes of the assets in the template need to be identical to those used for the access decision. This is the metadata on which to base and calculate the access decision.
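
    The following sketch is an added example, not the Denodo Authorizer's own code. It shows how the two decisions described above could combine into one query: permitted “Field” assets become the select list, and the “Data” template found by its “database.table” name becomes the “where” clause. The shape of the decision data, the operator set, the fail-closed behaviour, and the “orders” table and “opened” column are assumptions made for illustration.

```python
import re

PREFIX = "authz_ext."  # authorizer instruction prefix described in the article
IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
OPERATORS = {"=", "<>", "<", "<=", ">", ">="}  # assumed operator set

def ident(name):
    """Accept only plain identifiers so decision data cannot change query structure."""
    if not IDENT.match(name):
        raise ValueError(f"unexpected identifier: {name!r}")
    return name

def render_value(value):
    """Prefixed values are function strings emitted as SQL (trusted policy
    configuration only); everything else becomes an escaped string literal."""
    if value.startswith(PREFIX):
        return value[len(PREFIX):]
    return "'" + value.replace("'", "''") + "'"

def build_query(database, table, field_assets, data_decision):
    # Column level: permitted "Field" assets that belong to this table.
    cols = [ident(a["columnname"]) for a in field_assets
            if a["databasename"] == database and a["tablename"] == table]
    # Row level: the "Data" template is looked up by the database.table name.
    template = f"{database}.{table}"
    if not cols or template not in data_decision:
        raise PermissionError(f"no decision covers {template}")  # assumed: fail closed
    conds = []
    for column, op, value in data_decision[template]:
        if op not in OPERATORS:
            raise ValueError(f"unexpected operator: {op!r}")
        conds.append(f"{ident(column)} {op} {render_value(value)}")
    sql = f"SELECT {', '.join(cols)} FROM {ident(database)}.{ident(table)}"
    return sql + (" WHERE " + " AND ".join(conds) if conds else "")

# Constructed sample decisions (shape assumed; "opened" is a hypothetical column).
FIELD_ASSETS = [
    {"uid": "c1", "columnname": "id", "databasename": "testing", "tablename": "accounts"},
    {"uid": "c2", "columnname": "LOB", "databasename": "testing", "tablename": "accounts"},
    {"uid": "c3", "columnname": "id", "databasename": "testing", "tablename": "orders"},
]
DATA_DECISION = {"testing.accounts": [
    ("LOB", "=", "Retail"),
    ("opened", ">=", "authz_ext.date_trunc('month', CURRENT_DATE) - INTERVAL '1 year'"),
]}

if __name__ == "__main__":
    print(build_query("testing", "accounts", FIELD_ASSETS, DATA_DECISION))
```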

