Sample Response and JSON Structure
    • 01 Sep 2024

    Following is an example of the Policy Resolution JSON response for the “accounts” table.

    Sample Response

    {
      "tokenValidity": 0,
      "response": [
        {
          "access": [
            {
              "path": 14,
              "attributes": {
                "tablename": [
                  "accounts"
                ],
                "level_access": [
                  2
                ],
                "classification": [
                  "public"
                ],
                "columnname": [
                  "lob"
                ],
                "uid": [
                  14
                ],
                "databasename": [
                  "testing"
                ]
              },
              "resourceType": "Columns_Denodo",
              "actions": [
                {
                  "action": "View"
                }
              ]
            },
            {
              "path": 7,
              "attributes": {
                "tablename": [
                  "accounts"
                ],
                "level_access": [
                  1
                ],
                "classification": [
                  "public"
                ],
                "columnname": [
                  "id"
                ],
                "uid": [
                  7
                ],
                "databasename": [
                  "testing"
                ]
              },
              "resourceType": "Columns_Denodo",
              "actions": [
                {
                  "action": "View"
                }
              ]
            },
            {
              "path": 8,
              "attributes": {
                "tablename": [
                  "accounts"
                ],
                "level_access": [
                  2
                ],
                "classification": [
                  "public"
                ],
                "columnname": [
                  "account_name"
                ],
                "uid": [
                  8
                ],
                "databasename": [
                  "testing"
                ]
              },
              "resourceType": "Columns_Denodo",
              "actions": [
                {
                  "action": "View"
                }
              ]
            },
            {
              "path": 9,
              "attributes": {
                "tablename": [
                  "accounts"
                ],
                "level_access": [
                  1
                ],
                "classification": [
                  "public"
                ],
                "columnname": [
                  "branch"
                ],
                "uid": [
                  9
                ],
                "databasename": [
                  "testing"
                ]
              },
              "resourceType": "Columns_Denodo",
              "actions": [
                {
                  "action": "View"
                }
              ]
            }
          ],
          "privileges": {
            "allowed": [
              {
                "resourceType": "testing.accounts",
                "actions": [
                  {
                    "action": "View",
                    "asset-attributes-filter": {
                      "OR": [
                        {
                          "OR": [
                            {
                              "AND": [
                                {
                                  "attribute": "lob",
                                  "type": "STRING",
                                  "operator": "EQUALS",
                                  "values": [
                                    "Sales"
                                  ],
                                  "match": "any"
                                }
                              ]
                            }
                          ]
                        }
                      ]
                    }
                  }
                ]
              }
            ],
            "denied": []
          }
        }
      ]
    }
    

    The full table being queried, as accessed by an admin (no restriction on the table):

    The resulting access for an employee located in the US, for the “accounts” table outlined above, will look as follows when the full table is queried and the policy outlined above is in place:

    The restricted columns are displayed as NULL, and only the records with the value LOB=“Sales” are displayed.

    Add the policyDataMapping Section to the config.json. For each table on which we want to enforce Access Policies, we need to add the table information to the mapping configuration in the PDP config.json:

    JSON Structure

    
    {
       "policyDataMapping":[
          {
             "resourceTypeId":"d98231b9-43e3-4f8d-bea0-e375f0bf803d",
             "mapping":[
                {
                   "resourceFullPath":"admin.accounts_private",
                   "attributes":[
                      {
                         "attributeName":"account_owner",
                         "resourceAttributeName":"account_owner"
                      },
                      {
                         "attributeName":"account_type",
                         "resourceAttributeName":"acct_type"
                      },
                      {
                         "attributeName":"balance",
                         "resourceAttributeName":"acct_balance"
                      }
                   ]
                }
             ]
          }
       ]
    }
    
    | Attribute | Description | Notes |
    |---|---|---|
    | resourceTypeId | The Asset Template GID (see details below for obtaining the GID) | Required |
    | resourceFullPath | The full path to the table, {database}.{table_name}. This depends on the vendor type. The full path may differ between vendors/authorizers (e.g. Google BigQuery, Denodo, Trino, etc.). | Required |
    | attributeName | The name of the Attribute in the Platform. | Optional |
    | resourceAttributeName | The name of the actual column in the table. | Optional |

    NOTE: The attributeName and resourceAttributeName are optional when there is a full match between the Asset Template Attributes and the physical table column names. In that case, specifying just the resourceFullPath is enough, and the Attributes defined in the Asset Template will be used for filtering.

    Sample Request

    {
      "entityId": "xB724129",
      "clientId": "P5SUL3MHBHBHB5C0VFD9J",
      "clientSecret": "cOtZbPLaHUUHKHKJHKJHgeV02avpkYWvonlG4j",
      "environment": {
        "database": [
          "admin"
        ],
        "table": [
          "accounts_private"
        ],
        "resourceFullPath": [
          "admin.accounts_private"
        ]
      }
    }
    

    Sample Response

    {
      "tokenValidity": 0,
      "response": [
        {
          "access": [],
          "privileges": {
            "allowed": [
              {
                "resourceType": "admin.accounts_private",
                "actions": [
                  {
                    "action": "View",
                    "asset-attributes-filter": {
                      "OR": [
                        {
                          "OR": [
                            {
                              "AND": [
                                {
                                  "attribute": "account_type",
                                  "type": "STRING",
                                  "operator": "EQUALS",
                                  "values": [
                                    "basic"
                                  ],
                                  "match": "any"
                                }
                              ]
                            }
                          ]
                        }
                      ]
                    }
                  }
                ]
              }
            ],
            "denied": []
          }
        }
      ]
    }
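
A client of this response has to turn the `asset-attributes-filter` into a row filter on the physical table, renaming each attribute through `policyDataMapping`. The sketch below is an added example, not the vendor's code. The names `to_sql` and `row_filter` and the `?` bind style are assumptions, as are reading `match: any` as SQL `IN`, OR-ing multiple grants together, and denying on any `denied` entry. It expects a mapping that carries an explicit `attributes` list.

```python
import json

# Constructed inputs: the page's mapping entry and its second sample response.
MAPPING = {"resourceFullPath": "admin.accounts_private", "attributes": [
    {"attributeName": "account_owner", "resourceAttributeName": "account_owner"},
    {"attributeName": "account_type", "resourceAttributeName": "acct_type"},
    {"attributeName": "balance", "resourceAttributeName": "acct_balance"}]}
RESPONSE = json.loads("""{"tokenValidity": 0, "response": [{"access": [],
 "privileges": {"allowed": [{"resourceType": "admin.accounts_private",
  "actions": [{"action": "View", "asset-attributes-filter": {"OR": [{"OR": [
   {"AND": [{"attribute": "account_type", "type": "STRING",
    "operator": "EQUALS", "values": ["basic"], "match": "any"}]}]}]}}]}],
  "denied": []}}]}""")


def to_sql(node, columns, params):
    """Turn one filter node into SQL text, appending bind values to params."""
    for op in ("AND", "OR"):
        if op in node:
            if not node[op]:
                raise ValueError("empty %s group" % op)
            return "(" + (" %s " % op).join(
                to_sql(child, columns, params) for child in node[op]) + ")"
    # Leaf: only the condition shape shown on the page is accepted.
    if (node.get("operator"), node.get("match")) != ("EQUALS", "any") or not node.get("values"):
        raise ValueError("unsupported condition: %r" % (node,))
    column = columns[node["attribute"]]  # KeyError: attribute not in the mapping
    params.extend(node["values"])        # values are bound, never inlined
    return "%s IN (%s)" % (column, ", ".join("?" * len(node["values"])))


def row_filter(response, mapping, action="View"):
    """Return (where_sql, params); ("1 = 0", []) when nothing grants access."""
    path = mapping["resourceFullPath"]
    columns = {a["attributeName"]: a["resourceAttributeName"] for a in mapping["attributes"]}
    clauses, params = [], []
    for entry in response["response"]:
        privileges = entry["privileges"]
        if privileges["denied"]:  # assumption: any deny entry blocks the query
            return "1 = 0", []
        for allowed in privileges["allowed"]:
            if allowed["resourceType"] != path:
                continue
            for act in allowed["actions"]:
                if act["action"] == action:
                    # Assumption: a grant with no filter raises KeyError, not open access.
                    clauses.append(to_sql(act["asset-attributes-filter"], columns, params))
    return (" OR ".join(clauses), params) if clauses else ("1 = 0", [])
```

Column names come only from the mapping and values only travel as bind parameters, so nothing from the response is concatenated into the SQL text.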
    
