Global Security Policies

Global Security Policies let you define security restrictions that apply to every view or column that meets certain conditions (for example, carrying a given tag), rather than to one view at a time. See the page Global Security Policies of the Administration Guide for details.

The commands to manage a Global Security Policy are:

  • CREATE GLOBAL_SECURITY_POLICY: creates a new global security policy. See the syntax below. Only administrators or local-administrators can run this.

  • ALTER GLOBAL_SECURITY_POLICIES: enables or disables one or more global security policies. See the syntax below. Only administrators or local-administrators can run this.

  • DESC VQL GLOBAL_SECURITY_POLICY: returns the VQL statement that creates a global security policy. Only administrators or local-administrators can run this.

  • LIST GLOBAL_SECURITY_POLICIES: returns the names of all the global security policies in Virtual DataPort. Only administrators or local-administrators can run this. For local-administrators, this command only returns the global security policies visible to them.

  • DROP GLOBAL_SECURITY_POLICY: deletes a global security policy. Only administrators or local-administrators can run this.

Syntax of the CREATE GLOBAL_SECURITY_POLICY statement
CREATE [ OR REPLACE ] GLOBAL_SECURITY_POLICY <name:identifier>
    [ DESCRIPTION = <description:literal> ]
    ENABLED = { TRUE | FALSE }
    AUDIENCE <audience>
    ELEMENTS <elements>
    RESTRICTION <restriction>

<audience> ::= (
     ALL
     | <application_type> ROLES ( <identifier_list:roles> )
     | { ANY | NOT_IN } USERS ( <identifier_list:users> )
     | <application_type> ABAC ( <key_values_list:abac_attrs> )
    )

<elements> ::=
    [ <by_databases:databases> ] ALL VIEWS
    | [ <by_databases:databases> ] VIEWS TAGGED { ANY | ALL } ( <identifier_list:tags> )
    | [ <by_databases:databases> ] VIEWS NOT TAGGED ( <identifier_list:tags> )
    | [ <by_databases:databases> ] COLUMNS TAGGED { ANY | ALL } ( <identifier_list:tags> )
    | [ <by_databases:databases> ] COLUMNS NOT TAGGED ( <identifier_list:tags> )

<restriction> ::=
    DENY
    | DENY [ { ANY | ALL } ( <identifier_list:tags> ) ]
    | CUSTOM <name:identifier> [ <parameters:custom_policy_parameters> ]
    | <filter_condition:filter> REJECT
    | <filter_condition:filter> REJECT { ANY | ALL } ( <identifier_list:tags> )
    | <filter_condition:filter> MASKING { ANY | ALL } ( <identifier_list:tags> )

<application_type> ::=
    ALL
    | ANY
    | NOT_IN

<parameters> ::= PARAMETERS name:literal <value> [, name:literal <value> ]*

<by_databases> ::= VIEW_DATABASES ( <identifier_list:databases> )

<filter_condition> ::= FILTER = <literal:condition>

<identifier_list> ::= id:identifier [, id:identifier ]*

Description of the main parameters of CREATE GLOBAL_SECURITY_POLICY:

  • ENABLED: indicates whether the policy is enforced at runtime. A disabled policy is kept but not applied.

  • AUDIENCE: indicates to whom the Global Security Policy applies: all users, users that have (or do not have) certain roles, specific users, or users with certain ABAC attributes.

  • ELEMENTS: indicates which views or columns the Global Security Policy applies to. Elements are selected by tag (optionally limited to the views of certain databases), not listed individually.

  • RESTRICTION: the restriction enforced when the Global Security Policy applies: deny access, filter rows, mask tagged columns, or run a custom policy.
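The following statements are an added worked example, not code from the original page or from the Denodo documentation, that exercises the CREATE syntax above together with the other commands of this page. The policy names, role names (hr_admin, contractor, developer), database name (hr), tag names (employee_data, pii, confidential) and the column used in the filter condition (is_public) are all assumed, and so is the argument form of DESC VQL and DROP (a policy name, as with CREATE). The page does not state the direction of the FILTER ... REJECT restriction; the comments below assume that rows not satisfying the condition are rejected.

```sql
-- Added example (assumed names; not from the original page).

-- 1. Mask every column tagged "pii" in the views of database "hr"
--    that are tagged "employee_data", for every user who does NOT
--    hold the hr_admin role. NOT_IN builds a "deny by default" audience:
--    a new user without the role is masked automatically.
CREATE OR REPLACE GLOBAL_SECURITY_POLICY mask_pii_for_non_hr
    DESCRIPTION = 'Mask PII columns for everyone except hr_admin'
    ENABLED = TRUE
    AUDIENCE ( NOT_IN ROLES ( hr_admin ) )
    ELEMENTS VIEW_DATABASES ( hr ) VIEWS TAGGED ANY ( employee_data )
    RESTRICTION FILTER = 'true' MASKING ANY ( pii );

-- 2. Deny access outright to any view tagged "confidential"
--    for users holding the contractor role, in every database.
CREATE OR REPLACE GLOBAL_SECURITY_POLICY deny_confidential_to_contractors
    DESCRIPTION = 'Contractors cannot query confidential views'
    ENABLED = TRUE
    AUDIENCE ( ANY ROLES ( contractor ) )
    ELEMENTS VIEWS TAGGED ANY ( confidential )
    RESTRICTION DENY;

-- 3. Row-level filter for developers on every view: rows are filtered
--    with the condition (assumed here: rows where is_public is not true
--    are rejected). Created disabled so it can be reviewed first and
--    switched on later with ALTER GLOBAL_SECURITY_POLICIES.
CREATE OR REPLACE GLOBAL_SECURITY_POLICY filter_rows_to_devs_policy
    DESCRIPTION = 'Developers only see public rows'
    ENABLED = FALSE
    AUDIENCE ( ANY ROLES ( developer ) )
    ELEMENTS ALL VIEWS
    RESTRICTION FILTER = 'is_public = true' REJECT;

-- 4. Verify what was stored: list the policies and dump one of them
--    back as VQL (useful for change review and version control).
LIST GLOBAL_SECURITY_POLICIES;
DESC VQL GLOBAL_SECURITY_POLICY mask_pii_for_non_hr;

-- 5. Turn the row filter on without recreating it.
ALTER GLOBAL_SECURITY_POLICIES ( filter_rows_to_devs_policy ENABLED = TRUE );

-- 6. Remove a policy that is no longer needed.
DROP GLOBAL_SECURITY_POLICY deny_confidential_to_contractors;
```

Two practitioner notes on the example: because policies are matched by tag, a view that is created later with the "confidential" or "pii" tag is covered without touching the policy, so tagging discipline is part of the access control; and an audience expressed as NOT_IN ROLES fails closed for users who lack the role, whereas ANY ROLES fails open for anyone who was never given it.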

Syntax of the ALTER GLOBAL_SECURITY_POLICIES statement
ALTER GLOBAL_SECURITY_POLICIES ( <global_security_policies_status> );

<global_security_policies_status> ::= <global_security_policy_status> [, <global_security_policy_status> ]*

<global_security_policy_status> ::= <name:identifier> ENABLED = { TRUE | FALSE }

This command enables or disables one or several global security policies in a single statement; the policies themselves are not modified otherwise.

Example

Disabling the global security policies FILTER_ROWS_TO_DEVS_POLICY and MASK_ROWS_TO_DEVS_POLICY:
ALTER GLOBAL_SECURITY_POLICIES
   ("FILTER_ROWS_TO_DEVS_POLICY" ENABLED = false, "MASK_ROWS_TO_DEVS_POLICY" ENABLED = false);