
Custom View Policies

Custom view policies are powerful query interceptors that are invoked by Virtual DataPort before a query is executed over a view. They offer a highly customizable alternative to standard row restrictions, allowing for sophisticated control over data access.

When a user queries a view with a custom view policy assigned, the policy can perform various actions:

  • Reject the query: The policy can completely block the execution of the query.

  • Accept the query without restrictions: The policy can allow the query to proceed as is.

  • Accept the query with restrictions: The policy can modify the query by, for example, limiting the number of rows returned or adding a filter condition.

To make these decisions, custom view policies have access to a rich set of parameters from the query’s context, including:

  • The actual query the user intends to execute.

  • The user’s name and their associated privileges.

  • A JMX connection to the Virtual DataPort server, enabling the policy to access any data within Virtual DataPort via JMX.

  • Other contextual information that allows for dynamic and intelligent decision-making.

Reusable and Configurable

Custom view policies are designed for reusability. The same custom policy can be assigned to:

  • Multiple views for a specific user or role.

  • Global security policies, facilitating the application of a single policy across numerous views, users, or other elements.

Furthermore, custom view policies can define configurable parameters. When a policy is assigned to a user or role over a view, these parameters can be customized to tailor the policy’s behavior. For instance, a policy designed to limit concurrent queries over a view could have a “Limit” parameter, allowing different limits to be set for different roles (e.g., “developer” vs. “application”).

Policy Evaluation Flow

When a user queries a view and has custom view policies assigned, the evaluation process follows these rules:

  • Custom view policies are not applied when the querying user is an administrator, a database administrator, or a user with the “serveradmin” role.

  • If the user has no roles and has custom view policies assigned, the Server evaluates each policy sequentially. If any policy rejects the query, the entire query is rejected.

  • If the user has one or more roles assigned (which may also have other roles assigned), custom view policies are evaluated in groups. Each role constitutes a group, including policies directly assigned to that role, and there’s a separate group for policies directly assigned to the user.

    • A group rejects a query if at least one policy within that group rejects it.

    • A group accepts a query if all policies within that group accept it.

    • The overall query is accepted if at least one group accepts the query.
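The rules above can be modelled in a few lines to check how a set of assignments will combine before deploying it. This is an added example, not Denodo code or its API: policies are reduced to accept/reject callables, the policy and role names are constructed, inherited roles are treated as their own groups, and a group with no policies is assumed to cast no vote.

```python
# Added example: models the evaluation rules on this page; not Denodo code.
BYPASS_ROLES = {"serveradmin"}

def effective_roles(direct_roles, role_parents):
    """Direct roles plus every role reachable through role-to-role assignment."""
    seen, stack = set(), list(direct_roles)
    while stack:
        role = stack.pop()
        if role not in seen:
            seen.add(role)
            stack.extend(role_parents.get(role, ()))
    return seen

def evaluate(query, is_admin, direct_roles, role_parents, user_policies, role_policies):
    """Return (accepted, trace). Each policy is a callable: query -> bool."""
    roles = effective_roles(direct_roles, role_parents)
    if is_admin or roles & BYPASS_ROLES:
        return True, ["bypass: policies not applied"]
    if not roles:
        # No roles: policies run one after another; any rejection rejects the query.
        ok = all(p(query) for p in user_policies)
        return ok, ["user: accept" if ok else "user: reject"]
    groups = [("user", user_policies)]
    groups += [(f"role:{r}", role_policies.get(r, [])) for r in sorted(roles)]
    trace, accepted = [], False
    for name, policies in groups:
        if not policies:  # assumption: a group with no policies casts no vote
            continue
        ok = all(p(query) for p in policies)  # one rejection rejects the group
        trace.append(f"{name}: {'accept' if ok else 'reject'}")
        accepted = accepted or ok             # one accepting group is enough
    return (accepted if trace else True), trace or ["no policies assigned"]

# Constructed sample policies and assignments (hypothetical names).
def no_ssn(query):
    return "ssn" not in query.lower()

def allow_all(query):
    return True

QUERY = "SELECT name, ssn FROM customer"
ROLE_PARENTS = {"analyst": ["reporting"]}   # analyst has the reporting role assigned
ROLE_POLICIES = {"reporting": [allow_all]}

if __name__ == "__main__":
    print(evaluate(QUERY, False, [], ROLE_PARENTS, [no_ssn], ROLE_POLICIES))
    print(evaluate(QUERY, False, ["analyst"], ROLE_PARENTS, [no_ssn], ROLE_POLICIES))
```

The second call is accepted even though the policy assigned directly to the user rejects the query, because the inherited "reporting" group accepts it. When reviewing assignments, treat a restrictive policy as effective only if every group the user belongs to enforces it.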

For a detailed guide on developing custom policies, including code examples and advanced configurations, refer to the section Developing a Custom View Policy.
