Contents x
      Sample Response and JSON Structure
      • 01 Sep 2024
      • 3 Minutes to read
      • Print
      • Dark
        Light
      • PDF
      Contents

      Sample Response and JSON Structure

      • Updated on 01 Sep 2024
      • 3 Minutes to read
      • Print
      • Dark
        Light
      • PDF
      Article summary

      Following is an example of the Policy Resolution JSON response for the “accounts” table. The full table being queried, as accessed by an admin (no restriction on the table) appears:

      The resulting access for an employee located in the US, for the “account” table outlined above, will look as follows when the full table is queried, and the policy outlined above is in place:

      The restricted columns are displayed as NULL, and only the records with the value LOB=”Sales” are displayed.

      Add the policyDataMapping Section to the config.json. For each table on which we want to enforce Access Policies, we need to add the table information to the mapping configuration in the PDP config.json:

      Sample Response

      {
  tokenValidity: 0,
  response: [
    {
      access: [
        {
          path: 14,
          attributes: {
            tablename: [
              accounts
            ],
            level_access: [
              2
            ],
            classification: [
              public
            ],
            columnname: [
              lob
            ],
            uid: [
              14
            ],
            databasename: [
              testing
            ]
          },
          resourceType: Columns_Denodo,
          actions: [
            {
              action: View
            }
          ]
        },
        {
          path: 7,
          attributes: {
            tablename : [
              accounts
            ],
            level_access: [
              1
            ],
            classification: [
              public
            ],
            columnname : [
              id
            ],
            uid: [
              7
            ],
            databasename : [
              testing
            ]
          },
          resourceType: Columns_Denodo,
          actions: [
            {
              action: View
            }
          ]
        },
        {
          path: 8,
          attributes: {
            tablename : [
              accounts
            ],
            level_access: [
              2
            ],
            classification: [
              public
            ],
            columnname : [
              account_name
            ],
            uid: [
              8
            ],
            databasename: [
              testing
            ]
          },
          resourceType: Columns_Denodo,
          actions: [
            {
              action: View
            }
          ]
        },
        {
          path: 9,
          attributes: {
            tablename : [
              accounts
            ],
            level_access: [
              1
            ],
            classification: [
              public
            ],
            columnname : [
              branch
            ],
            uid: [
              9
            ],
            databasename: [
              testing
            ]
          },
          resourceType: Columns_Denodo,
          actions: [
            {
              action: View
            }
          ]
        }
      ],
      privileges: {
        allowed: [
          {
            resourceType: testing.accounts,
            actions: [
              {
                action: View,
                asset-attributes-filter: {
                  OR: [
                    {
                      OR: [
                        {
                          AND: [
                            {
                              attribute: lob,
                              type: STRING,
                              operator: EQUALS,
                              values: [
                                Sales
                              ],
                              match: any
                            }
                          ]
                        }
                      ]
                    }
                  ]
                }
              }
            ]
          }
        ],
        denied: []
      }
    }
  ]
}

      The full table being queried, as accessed by an admin (no restriction on the table):

      The resulting access for an employee located in the US, for the “account” table outlined above, will look as follows when the full table is queried, and the policy outlined above is in place:

      The restricted columns are displayed as NULL, and only the records with the value LOB=”Sales” are displayed.

      Add the policyDataMapping Section to the config.json. For each table on which we want to enforce Access Policies, we need to add the table information to the mapping configuration in the PDP config.json:

      JSON Structure

      
{
   "policyDataMapping":[
      {
         "resourceTypeId":"d98231b9-43e3-4f8d-bea0-e375f0bf803d",
         "mapping":[
            {
               "resourceFullPath":"admin.accounts_private",
               "attributes":[
                  {
                     "attributeName":"account_owner",
                     "resourceAttributeName":"account_owner"
                  },
                  {
                     "attributeName":"account_type",
                     "resourceAttributeName":"acct_type"
                  },
                  {
                     "attributeName":"balance",
                     "resourceAttributeName":"acct_balance"
                  }
               ]
            }
         ]
      }
   ]
}
      AttributeDescriptionNotes
      resourceTypeIdThe Asset Template GID (see details below for obtaining the GID)Required
      resourceFullPathThe full path to the table {database}.{table_name}. this is dependent of the vendor type.

      The full path may differ between different vendors/authorizers (e.g. Google BigQuery, Denodo, Trino, etc.).      		Required
      attributeNameThe name of the Attribute in the Platform.Optional
      resourceAttributeNameThe name of the actual column in the table.Optional

      NOTE: The attributeName and resourceAttributeName are optional in case where there is a full match between the Asset Template Attributes and the physical table column names. So, when specifying just the resourceFullPath the Attributes that are defined in the Asset Template will be used for filtering.

      Sample Request

      {
  "entityId": "xB724129",
  "clientId": "P5SUL3MHBHBHB5C0VFD9J",
  "clientSecret": "cOtZbPLaHUUHKHKJHKJHgeV02avpkYWvonlG4j",
  "environment": {
    "database": [
      "admin"
    ],
    "table": [
      "accounts_private"
    ],
    "resourceFullPath": [
      "admin.accounts_private"
    ]
  }
}

      Sample Response

      {
  "tokenValidity": 0,
  "response": [
    {
      "access": [],
      "privileges": {
        "allowed": [
          {
            "resourceType": "admin.accounts_private",
            "actions": [
              {
                "action": "View",
                "asset-attributes-filter": {
                  "OR": [
                    {
                      "OR": [
                        {
                          "AND": [
                            {
                              "attribute": "account_type",
                              "type": "STRING",
                              "operator": "EQUALS",
                              "values": [
                                "basic"
                              ],
                              "match": "any"
                            }
                          ]
                        }
                      ]
                    }
                  ]
                }
              }
            ]
          }
        ],
        "denied": []
      }
    }
  ]
}
      Was this article helpful?
      What's Next