Mask personally identifiable data for all except users in a specific role?

I am trying to implement a fairly simple, and I would think universal, masking on a single view. There are three columns in the view, containing name, address and ssn for customers, and I want to mask them for all users except a chosen few. What I have done is:

* create a tag called "personally_identifiable_data"
* add the tag to the three columns
* create a role called p_i_d
* add a single user to that role

When it comes to creating the policy it gets tricky. A pseudocode for the policy would be "for all views in all databases mask the columns tagged with personally_identifiable_data except unless user is in role p_i_d". This all sounds simple enough, but I have not found a good solution for this, as users can be in many roles and I don't want to have to check all policies when a new role is added etc. In the age of GDPR and such I would like this to be simple but ....

If anyone has done something similar I would appreciate a hint. I am using Denodo 8.
01-06-2023 13:29:27 -0400

1 Answer

Greetings, hope you are doing well. This depends mainly on the security model and policies implemented in your organization. Since different data layers are normally managed by different users, roles need to be controlled carefully to implement enough segregation of duties. In this case, several best practices can be implemented, such as defining roles with only needed permissions, implementing multiple global security policies with limited indirect access, as well as developing appropriate custom view policies. For more detailed information, the following KB article describes the best practices in designing fine-grained privileges in multi-layered virtual models. Hope this helps!
Denodo Team
04-06-2023 10:04:57 -0400
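The rule in the question's pseudocode, written out as a small Python model of the decision logic. This is an added example, not part of the original thread and not Denodo code, VQL or a Denodo API; the role-inheritance graph, the sample view metadata and every function name are assumptions made for illustration. It shows why the check only needs the one exempt role, however many other roles a user holds.

```python
# Constructed model of "mask tagged columns unless user is in role p_i_d".
# Not Denodo code: all names except the tag and role are hypothetical.
PII_TAG = "personally_identifiable_data"   # tag name from the question
EXEMPT_ROLE = "p_i_d"                      # role name from the question

# Constructed sample metadata: view -> column -> set of tags.
VIEW_TAGS = {"customer": {"id": set(), "name": {PII_TAG},
                          "address": {PII_TAG}, "ssn": {PII_TAG}}}

# Constructed role graph (assumption): role -> roles granted to it.
ROLE_GRANTS = {"auditor": {"p_i_d"}, "marketing": {"analyst"},
               "analyst": set(), "p_i_d": set()}


def effective_roles(direct_roles):
    """Expand directly assigned roles through ROLE_GRANTS (cycle-safe)."""
    seen, stack = set(), list(direct_roles)
    while stack:
        role = stack.pop()
        if role not in seen:
            seen.add(role)
            stack.extend(ROLE_GRANTS.get(role, ()))
    return seen


def mask(value):
    """Replace every character; None stays None."""
    return None if value is None else "*" * len(str(value))


def apply_policy(view, row, direct_roles):
    """Mask tagged columns unless the exempt role is held, directly or inherited.

    Columns with no tag metadata are treated as tagged, so the model fails closed.
    """
    exempt = EXEMPT_ROLE in effective_roles(direct_roles)
    tags = VIEW_TAGS.get(view, {})
    out = {}
    for col, val in row.items():
        tagged = PII_TAG in tags.get(col, {PII_TAG})
        out[col] = mask(val) if tagged and not exempt else val
    return out
```

Adding a new role to `ROLE_GRANTS` changes nothing for existing users unless that role is granted `p_i_d`, which is the property the question asks for.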