While this doesn't solve row-based restrictions, it would solve column / object based restrictions.

Support PicketBox / XACML authorization --------------------------------------- Key: TEIID-3255 URL: https://issues.jboss.org/browse/TEIID-3255 Project: Teiid Issue Type: Feature Request Components: OData Affects Versions: 8.9 Reporter: John Muller Fix For: Open To Community We would like the OData, OData4, JDBC, and ODBC transports of Teiid to act as an XACML policy enforcement point for all CRUD operations (as well as execute stored procedures). Looking through old JIRAs: https://issues.jboss.org/browse/TEIID-1031 it looks like this was considered back in the mid-2010 timeframe, but wasn't fully thought through. With XACML 3.0, it's possible to use Multiple Decision Profile to get all policy decisions for a given user / resource (or just everything for a user for multiple resources). Our idea here is to have Teiid set the action to be one of (SELECT|INSERT|UPDATE|DELETE|CREATE|DROP|EXECUTE) and the resource to be the fully qualified table (vdbName, SchemaName, TableName) plus a map of projected columns by the query. While this doesn't solve row-based restrictions, it would solve column / object based restrictions. MDP could be used to get policy decisions for all objects under a given schema. Thoughts?