[teiid-issues] [JBoss JIRA] (TEIID-2327) Add column masking

Steven Hawkins (JIRA) jira-events at lists.jboss.org
Sat May 18 07:32:06 EDT 2013 

    [ https://issues.jboss.org/browse/TEIID-2327?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12775200#comment-12775200 ] 

Steven Hawkins commented on TEIID-2327:
---------------------------------------

Switched the mask order to specify precedence, so the highest value is first (the default 0 will nominally be last). Also allowed the condition to be used with the mask, for example given the permissions in two roles of:

<permission>
   <resource-name>myTable.T2.col1</resource-name>
   <mask order="1">col2</mask>
</permission>

<permission>
   <resource-name>myTable.T2.col1</resource-name>
   <condition>col1 = user()</condition>
   <mask order="2">col1</mask>
</permission

They will effectively be combined as the mask expression:

case when col1 = user() then col1 else when true then col2 end

More on the implementation:
- row filters are applied before masking.  
- The affects of filtering/masking happen logically when the resource is accessed - and not just during the final projection.  RuleApplySecurity handles the application of security which occasionally necessitates inserting view layer to keep proper plan positioning.
- filtering and masking are allowed on virtual/physical tables/procedures
- if the condition is a constraint (the default) it will also be applied as an insert/update constraint for physical updates.  we may want to consider making it applicable to views as well.
- the row/column security is always in effect.  This may need to be refined as well.  The means that if a view and physical table row/column security is specified, then the table affect will happen first.  Also if row/column security is applicable to resources referenced in the conditions/masks (via subqueries) the affect of security is still applied.  A separate JIRA TEIID-2507 was logged specifically for lookups, which are prone to creating global results for something that should of a lesser scope.
                
> Add column masking
> ------------------
>
>                 Key: TEIID-2327
>                 URL: https://issues.jboss.org/browse/TEIID-2327
>             Project: Teiid
>          Issue Type: Sub-task
>          Components: Query Engine
>            Reporter: Steven Hawkins
>            Assignee: Steven Hawkins
>             Fix For: 8.4
>
>
> Support for column masking should be added to data roles.  A typical approach would be to only affect the final projected values from user queries and have only one mask applicable at a time.
> A possibly related ability would be to hide columns (much like hidden tables) to our metadata.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

More information about the teiid-issues mailing list