Tagging
Tags can be used to classify views or columns in Denodo, either to make browsing easier or to apply security policies.
...
Here is a guide to Global Security Policies in Denodo: https://community.denodo.com/docs/html/browse/9.0/en/vdp/administration/global_security_policies/global_security_policies
Column-level Security
While data classification is still a work in progress at Tufts, below is a table of some draft classifications.
...
```sql
CREATE OR REPLACE GLOBAL_SECURITY_POLICY mask_restricted_columns
    DESCRIPTION = 'Masks all columns that have the restricted tag for non-admins without the restricted role.'
    ENABLED = TRUE
    AUDIENCE ( NOT_IN ROLES ("grp_ds_denodo-admin", restricted) )
    ELEMENTS ( ALL VIEWS )
    RESTRICTION (
        FILTER = ''
        MASKING ANY (restricted) WITH (HIDE) (numbers WITH DEFAULT, datetimes WITH DEFAULT, texts WITH DEFAULT)
    );
```
Demo
A test view test.security_test has been created in the test VDB.
...
Each of these three queries demonstrates a different level of masking.
General
```sql
select * from test.security_test context('impersonate_roles' = 'general');
```
...
Confidential
```sql
select * from test.security_test context('impersonate_roles' = 'confidential');
```
...
Restricted
Note that the confidential role has been added to the restricted role, so it can satisfy any confidential policy restriction as well.
```sql
select * from test.security_test context('impersonate_roles' = 'restricted');
```
...
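To show why the three impersonated roles see different levels of masking, here is an added Python sketch (not Denodo code and not part of the original page) that models `NOT_IN ROLES` audiences together with the role grant noted above. It assumes a policy is skipped when the session holds any listed role; the `mask_confidential_columns` policy and the column names are hypothetical, since the page shows only the restricted policy.

```python
"""Model of which tagged columns NOT_IN ROLES masking policies hide (illustration only)."""

ADMIN = "grp_ds_denodo-admin"

# Role -> roles granted to it. Per the page, confidential has been added to restricted.
ROLE_GRANTS = {"general": set(), "confidential": set(),
               "restricted": {"confidential"}, ADMIN: set()}

# Policy name -> (roles exempt through NOT_IN ROLES, tag that gets masked).
# mask_restricted_columns mirrors the page; mask_confidential_columns is hypothetical.
POLICIES = {
    "mask_restricted_columns": ({ADMIN, "restricted"}, "restricted"),
    "mask_confidential_columns": ({ADMIN, "confidential"}, "confidential"),
}

# Constructed column -> tags mapping for a view shaped like test.security_test.
COLUMN_TAGS = {"id": set(), "salary": {"confidential"}, "ssn": {"restricted"}}


def effective_roles(role):
    """Expand a role to itself plus every role granted to it, transitively."""
    seen, todo = set(), [role]
    while todo:
        current = todo.pop()
        if current not in seen:
            seen.add(current)
            todo.extend(ROLE_GRANTS.get(current, ()))
    return seen


def masked_columns(role):
    """Return the set of columns masked for a session impersonating `role`."""
    roles = effective_roles(role)
    masked = set()
    for exempt, tag in POLICIES.values():
        if roles & exempt:  # session holds an exempt role: outside the audience
            continue
        masked |= {col for col, tags in COLUMN_TAGS.items() if tag in tags}
    return masked


if __name__ == "__main__":
    for r in ("general", "confidential", "restricted", ADMIN):
        print(f"{r:22} masked: {sorted(masked_columns(r))}")
```

Removing the `"restricted": {"confidential"}` grant in the model makes the restricted role lose access to `salary`, which is the gap the role grant on the page closes.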