Home / Q&A / Custom Policy - Access to view parameters & Masking reason
You can translate the question and the replies:

Custom Policy - Access to view parameters & Masking reason

The need is to accept a view parameter which will contain some security related information/token from another internal system. Based on that info, the view columns needs to be masked or/and filter rows and return to the consuming application. The additional requirement is to add reason code if some of the columns get masked because of certain conditions. We could create stored procedures, parse the input string, apply the logic, build a result set, include reason code if column masking was done and finally return the result set. But this solution is neither reusable nor scalable if another view need to apply similar conditions. Since Custom Policies has access to the context and by which we could access the view fields, role details dynamically and apply logic there to filter/mask. We would like to understand whether it is a possibliity to access view parameter also inside the custom policy. We understand custom policies are interceptors, but we would like to leverage the security framework of Denodo and exploring options. For example here is the signature of the view and MyCustomPolicy is applied MyView(text FilterCondition) To summarize Is it possible to access a view's input parameter in the custom policy applied on that view? Secondly is it possible to add a reason code when masking occurs in a custom policy? Thanks in advance for your time.
Denodo 7.0
user
22-05-2020 15:43:45 -0400

5 Answers

Hi, To access the user-defined variables for a view inside the custom policy, I would use the getVariable(String name) method name in the CustomRestrictionPolicyContext Class. To know in detail of all the available methods in Context Class refer to the documentation [CustomRestrictionPolicyContext](https://community.denodo.com/docs/html/browse/7.0/vdp/javadoc/com/denodo/common/custom/policy/CustomRestrictionPolicyContext.html). To answer your second question, I would prefer to create my own catch block to print the reason code and configure a valid [CustomRestrictionPolicyType](https://community.denodo.com/docs/html/browse/7.0/vdp/javadoc/com/denodo/common/custom/policy/CustomRestrictionPolicyType.html) for this catch block. Hope this helps!
Denodo Team
26-05-2020 08:05:09 -0400
Thanks for your response. I tried getVariable function to get the view parameter value inside the custom policy assiged to that view, but it is returning null eventhough it has a default value set in the view. Please advice. Thanks for your time and help.
user
26-05-2020 08:44:38 -0400
Just to clarify more, I could see the field view parameter returned when I execute context.getFieldsInQuery(). When I try to getVariable on that view parameter, I am getting a null value. Is there anything specific that I need to do? Please advice.
user
26-05-2020 09:14:42 -0400
On the second question. To add more details, the reason code is an additional column that needs to be populated with a reason when a column(s) are masked for that row. Does suggested approach work for that scenario?
user
26-05-2020 09:19:31 -0400
The getVariable is returning null value as the user defined view parameter is not part of context. When I try to invoke the same view as below in VQL shell, the getVariable is returning the value. ``` select * from MyView where FilterCondition = getvar('FilterCondition', 'text', 'None') context('VAR FilterCondition' = 'All') ``` So, the view parameter needs to be part of the context. This view is exposed as REST API. How to either enforce the consuming application to pass this as part of context or how to change the query after Denodo receives this request? Also, please clarify regarding the second question as explained in the previous answer section. Thanks!
user
26-05-2020 12:07:38 -0400
You must sign in to add an answer. If you do not have an account, you can register here