Global Security Policies
Global Security Policies allow you to define security restrictions that apply to all the views or columns that meet certain conditions. See the page Global Security Policies of the Administration Guide for more about this.
The commands to manage a Global Security Policy are:
CREATE GLOBAL_SECURITY_POLICY
: creates a new global security policy. See the syntax below. Only administrators or local-administrators can run this.
ALTER GLOBAL_SECURITY_POLICIES
: edits a global security policy. See the syntax below. Only administrators or local-administrators can run this.
DESC VQL GLOBAL_SECURITY_POLICY
: obtains the VQL statement of a global security policy. Only administrators or local-administrators can run this.
LIST GLOBAL_SECURITY_POLICIES
: returns the names of all the global security policies in Virtual DataPort. Only administrators or local-administrators can run this. For local-administrators, this command only returns the global security policies visible to them.
DROP GLOBAL_SECURITY_POLICY
: deletes a global security policy. Only administrators or local-administrators can run this.
CREATE [ OR REPLACE ] GLOBAL_SECURITY_POLICY <name:identifier>
    [ DESCRIPTION = <description:literal> ]
    ENABLED = { TRUE | FALSE }
    AUDIENCE <audience>
    ELEMENTS <elements>
    RESTRICTION <restriction>

<audience> ::= (
      ALL
    | <application_type> ROLES ( <identifier_list:roles> )
    | { ANY | NOT_IN } USERS ( <identifier_list:users> )
    | <application_type> ABAC ( <abac_values_list:abac_attrs> )
    )

<elements> ::=
      [ <by_databases:databases> ] ALL VIEWS
    | [ <by_databases:databases> ] VIEWS TAGGED { ANY | ALL } ( <identifier_list:tags> )
    | [ <by_databases:databases> ] VIEWS NOT TAGGED ( <identifier_list:tags> )
    | [ <by_databases:databases> ] COLUMNS TAGGED { ANY | ALL } ( <identifier_list:tags> )
    | [ <by_databases:databases> ] COLUMNS NOT TAGGED ( <identifier_list:tags> )

<restriction> ::=
      DENY
    | DENY [ { ANY | ALL } ( <identifier_list:tags> ) ]
    | CUSTOM <name:identifier> [ <parameters:custom_policy_parameters> ]
    | <filter_condition:filter> REJECT
    | <filter_condition:filter> REJECT { ANY | ALL } ( <identifier_list:tags> )
    | <filter_condition:filter> MASKING { ANY | ALL } ( <identifier_list:tags> )

<application_type> ::=
      ALL
    | ANY
    | NOT_IN

<parameters> ::= PARAMETERS <name:literal> <value> [, <name:literal> <value> ]*

<by_databases> ::= VIEW_DATABASES ( <identifier_list:databases> )

<filter_condition> ::= FILTER = <literal:condition>

<identifier_list> ::= <id:identifier> [, <id:identifier> ]*

<abac_values_list> ::= <name:literal> <abac_operator:operator> <value:literal> [, <name:literal> <abac_operator:operator> <value:literal> ]*

<abac_operator> ::=
      =
    | CONTAINS
    | IN
    | LIKE
Description of the main parameters of CREATE GLOBAL_SECURITY_POLICY:
ENABLED
: indicates whether the policy is applied at runtime.
AUDIENCE
: indicates to whom the Global Security Policy applies.
ELEMENTS
: indicates to which elements the Global Security Policy applies. Note that elements are referenced using tags, not individually.
RESTRICTION
: the restriction executed when the Global Security Policy is triggered.
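As an added illustration that is not part of the original documentation, the statements below combine the AUDIENCE, ELEMENTS and RESTRICTION clauses of the syntax above into two policies: one that denies access to views carrying no classification tag, and one that applies a FILTER-based masking restriction to columns tagged as personal data for a given role. The policy names, role, tag and database names, the ABAC attribute and the filter condition are all assumptions; the argument form of DESC VQL and DROP is also assumed, since the page lists those commands without their syntax.

```sql
-- Added example. All policy, role, tag, database and attribute names are
-- assumptions chosen for illustration, not values from the Denodo documentation.

-- 1. Fail closed on unclassified data: any view (in any database) that carries
--    neither of the two classification tags is denied to every user.
CREATE OR REPLACE GLOBAL_SECURITY_POLICY deny_unclassified_views
    DESCRIPTION = 'Deny access to views that have not been classified yet'
    ENABLED = TRUE
    AUDIENCE ALL
    ELEMENTS VIEWS NOT TAGGED ( confidential, public )
    RESTRICTION DENY;

-- 2. Users holding the "developer" role get a masking restriction on every
--    column tagged "pii" within the "sales" database. The row condition is
--    supplied as a single-quoted VQL literal, as <filter_condition> requires.
CREATE OR REPLACE GLOBAL_SECURITY_POLICY mask_pii_for_developers
    DESCRIPTION = 'Mask PII columns for developers'
    ENABLED = TRUE
    AUDIENCE ANY ROLES ( developer )
    ELEMENTS VIEW_DATABASES ( sales ) COLUMNS TAGGED ANY ( pii )
    RESTRICTION FILTER = 'is_test_data = false' MASKING ANY ( pii );

-- 3. Audience selected by an ABAC attribute instead of a role: accounts whose
--    "department" attribute is not "finance" have rows rejected on views
--    tagged "financial" unless the filter condition holds.
CREATE OR REPLACE GLOBAL_SECURITY_POLICY restrict_financial_views
    DESCRIPTION = 'Row-level restriction on financial views by department'
    ENABLED = TRUE
    AUDIENCE NOT_IN ABAC ( 'department' = 'finance' )
    ELEMENTS VIEWS TAGGED ALL ( financial )
    RESTRICTION FILTER = 'fiscal_year_closed = true' REJECT;

-- Review what was created (assumed argument form for DESC VQL and DROP).
LIST GLOBAL_SECURITY_POLICIES;
DESC VQL GLOBAL_SECURITY_POLICY mask_pii_for_developers;

-- Remove a policy once it is no longer needed.
DROP GLOBAL_SECURITY_POLICY restrict_financial_views;
```

The first policy is the one worth creating before any other: because ELEMENTS is tag-driven, a view that nobody has tagged is invisible to the tag-scoped policies, so a NOT TAGGED deny rule closes that gap until the view is classified. What the FILTER condition does to rows that do or do not satisfy it is defined in the Global Security Policies page of the Administration Guide, not here.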
ALTER GLOBAL_SECURITY_POLICIES ( <global_security_policies_status> );

<global_security_policies_status> ::= <global_security_policy_status> [, <global_security_policy_status> ]*

<global_security_policy_status> ::= <name:identifier> ENABLED = { TRUE | FALSE }

This command can be used to enable or disable several global security policies in a single statement.
Example
ALTER GLOBAL_SECURITY_POLICIES
    ("FILTER_ROWS_TO_DEVS_POLICY" ENABLED = false, "MASK_ROWS_TO_DEVS_POLICY" ENABLED = false);