[ https://issues.jboss.org/browse/TEIID-2471?page=com.atlassian.jira.plugin... ]
Steven Hawkins commented on TEIID-2471:
---------------------------------------
There are a couple of considerations/paths to choose from here:

1. introduce an interface similar to the AuthorizationValidator/PolicyDecider to provide
runtime control
2. allow the data roles to in part or in whole be read in / updated through the metadata
repository or other metadata extension.

Unlike the authorization validation, which is performed only at the user query level and
can easily be validated with each query access, the row/column logic is applied deeper in
planning. Validating would require the interface to indicate if any row/column
filter/mask had changed since the plan was formed and/or widen the EventDistributor logic
to include a policy change event. There is also the related performance concern of
caching the resolved/validated language object form of the respective expressions, which is
hard to generalize for an interface.

I'm more inclined to go with the latter approach and work out any details of on-demand
modifications to the policy later. However, the pluggability of metadata repositories
doesn't match the declaration of data roles - which are vdb scoped. We may want to
introduce another vdb extension point for pluggable role metadata.

Allow permission conditions and masking to be pluggable
-------------------------------------------------------
Key: TEIID-2471
URL: https://issues.jboss.org/browse/TEIID-2471
Project: Teiid
Issue Type: Sub-task
Components: Query Engine
Reporter: Steven Hawkins
Assignee: Steven Hawkins
Fix For: 8.4
The AuthorizationValidator or similar interface should allow for alternative
implementations to be plugged in for providing permission conditions and column masking.
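
The staleness check the comment describes (an interface that can indicate whether any row/column filter or mask changed since the plan was formed), as an added Java example that is not Teiid code. `PolicyAwarePlanCache`, `RowColumnPolicy`, `CachedPlan` and the version counter are hypothetical names, and plans are plain strings here for illustration.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicLong;
import java.util.function.Function;

// Hypothetical names throughout; none of this is Teiid API.
public class PolicyAwarePlanCache {
    /** Pluggable source of row filters and column masks. */
    interface RowColumnPolicy {
        String rowFilter(String role, String table);                 // null = no filter
        String columnMask(String role, String table, String column); // null = no mask
        long version(); // assumption: increases on every filter/mask change
    }

    /** A plan stamped with the policy version it was formed under. */
    record CachedPlan(String plan, long policyVersion) {}

    private final Map<String, CachedPlan> cache = new ConcurrentHashMap<>();
    private final RowColumnPolicy policy;

    PolicyAwarePlanCache(RowColumnPolicy policy) { this.policy = policy; }

    /** Reuses a cached plan only if no filter/mask changed since it was formed. */
    String planFor(String key, Function<RowColumnPolicy, String> planner) {
        // Read the version BEFORE planning: a change that lands mid-planning leaves
        // the plan stamped with the older version, so the next lookup re-plans.
        long current = policy.version();
        CachedPlan hit = cache.get(key);
        if (hit != null && hit.policyVersion() == current) return hit.plan();
        String fresh = planner.apply(policy); // filters/masks get inlined during planning
        cache.put(key, new CachedPlan(fresh, current));
        return fresh;
    }

    public static void main(String[] args) {
        AtomicLong version = new AtomicLong(1);
        // Constructed sample policy: one row filter for role "analyst" on table "orders".
        Map<String, String> filters = new ConcurrentHashMap<>(Map.of("analyst:orders", "region = 'EU'"));
        RowColumnPolicy policy = new RowColumnPolicy() {
            public String rowFilter(String r, String t) { return filters.get(r + ":" + t); }
            public String columnMask(String r, String t, String c) { return null; }
            public long version() { return version.get(); }
        };
        PolicyAwarePlanCache plans = new PolicyAwarePlanCache(policy);
        Function<RowColumnPolicy, String> planner =
            p -> "SELECT * FROM orders WHERE " + p.rowFilter("analyst", "orders");
        System.out.println(plans.planFor("analyst|q1", planner)); // formed under version 1
        filters.put("analyst:orders", "region = 'EU' AND status <> 'sealed'");
        version.incrementAndGet(); // the policy-change signal
        System.out.println(plans.planFor("analyst|q1", planner)); // stale plan dropped, re-planned
    }
}
```

A policy implementation that changes a filter without bumping `version()` would leave the old filter baked into cached plans, which is why the version contract belongs on the interface itself.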