DATA GOVERNANCE

Security, data privacy, and data protection play a key role in every organization that must comply with policies and regulations, which can vary across regions, data assets, etc. Real environments have multiple consuming applications that handle varying forms of data holding sensitive information. It is therefore very important to define security policies in the data virtualization layer, which allows semantic security rules to be implemented across the data, independent of the technologies being used.

Denodo Global Security Policies allow defining security restrictions in the following ways:

  • Apply restrictions to all users or only to those users that meet the defined conditions.
  • Apply restrictions to all views or only to those views that meet the defined conditions.
  • Define the global security policy that applies based on what the user is executing, the roles, or session attributes.
  • Define which elements the policy applies to by using tags.

Global policies can be created together with "Tags", which are labels that users can assign to views and corresponding columns. Global level policies are easier to manage than view restrictions (Row Restrictions and Column Privileges) because you have the advantage of assigning the policy to multiple views/columns at the same time.

What you'll learn

It is strongly advised to complete the Use Case: Agile BI tutorial before starting this one, as we are going to use the resources (data source, base views and integrations) created in it.

If you have already completed it, please proceed to the next section. Otherwise, follow the subsequent instructions:

  1. Launch the resources needed (check how in the Installation & Bootstrapping tutorial).
  2. Log in to Denodo Design Studio (user/password: admin/admin).
  3. Import this VQL into Denodo by clicking File > Import. Drag and drop the file, select Use custom password for sensitive data decryption, and enter denodo in the Password field.

If all steps have been executed correctly, you should observe the following in the Design Studio's elements tree:

Great! Now it's time to start the tutorial!


Let's get into the tutorial! We will explore the benefits of using tags and how to create and manage them using the Denodo Web Design Studio.

To create a tag, click the menu File > New > Tag in Design Studio.

Enter the name of the tag and its description as shown. In this tutorial, we will create a tag to define confidential information about country sales.

  • Name: confidential
  • Description: This tag represents confidential information on total sales per country

Click on option and navigate to Tags on the left panel of Design Studio.

Once the tag is created, we are ready to assign it to views/columns. To do this, click the Tagged views link. Then, from the server explorer of Design Studio, drag and drop the view onto the Tagged views panel.

For this tutorial, we will assign the tag to the monthly_sales_by_area and monthly_sales_by_country views as shown here:

Finally, click on the button.

Next, we can assign tags to columns!

To do this, click on Tagged Columns, drag a view from the server explorer and, in the popup, select the columns to tag. Let us include the following columns:

  1. Drag and drop the report view monthly_sales_by_country. Choose the columns country, totalsales, year and click Ok.

  2. Drag and drop the report view monthly_sales_by_area. Choose the columns month, area, totalsales and click Ok.

  3. Click on button.

  4. Finally, let's see how tags are represented in the views to which they are assigned.

Tags work based on the security policies defined over them. Once the respective security policies are assigned, Denodo will create a valid executable expression on the running query.

Import Tags from Data Governance tools

So far we have seen that we can create tags directly in Denodo. In addition, it is also possible to import tags from Data Governance tools like Collibra.

Great work! We have created our first tag successfully. Let's continue to the next part of the tutorial to learn about security policies.

In this section, we will learn about global security policies with some examples.

A global security policy represents a definition of privileges over views from a general point of view. With this type of element, you can create restrictions on views by working with abstract concepts instead of individual views or fields. It allows you to specify the following:

  • You can specify to whom the global security policy applies based on the user executing the query, the roles or session attributes.
  • You can define which elements the policy applies to by using tags and, finally, the applied restrictions, which are also expressed using tags.

Global security policies can be enabled from the Design Studio.

Click on Administration > Semantic and Governance > Global Security Policies.

To create a new security policy, choose the New option from the Global Security Policies menu. Once you have clicked on New, a window pops up where you enter the required details for the policy creation.

Now, let's understand the different parameters available when creating a policy. These parameters can be defined based on the business requirements, depending on the users, type of restrictions, etc.

  • Name - Name of the new Policy.
  • Description - A description of the Global Security Policy.
  • Enabled - Indicates whether the Global Security Policy will be used on execution. Using this option you can disable the policy.
  • Audience - Indicates to whom the Global Security Policy applies.
  • Elements - Indicates which elements the Global Security Policy applies to. Note that elements are referenced using tags, not individually.
  • Restrictions - The restriction that is applied when the Global Security Policy is triggered.

Before creating a new policy, let's create a new user in Design Studio so we can see the policy in action. Let's navigate to Administration > User Management, click on +New, and create a new user named denodo_user.

  • Name: tutorial
  • Password: tut;0R1al
  • Click on Save

  • Once the user is created, let's assign some privileges to it. From the User Management window, select the tutorial user and click on Edit Privileges. Then provide Connect & Execute privileges over the tutorial database and save the changes.

The next step is to understand how to apply security policies over the tags that we created in the previous sections.

To begin with, let's create a new security policy by entering the following details. This policy masks data for the tutorial user over the columns tagged as confidential.

  • Name: mask_confidential_data
  • Description: The global security policy "mask_confidential_data" applies to the "tutorial" user for all the views of the database "tutorial". It has the restriction to mask the columns tagged as "confidential"

Great! Now, we have our first security policy with associated tags assigned.

Now, let us see how this works in real time:

  • Log out from the Design Studio as "admin" and log in again using the credentials of the tutorial user (tutorial / tut;0R1al).
  • Once you log in, you can see the tutorial database for this user, based on the privileges we have assigned.
  • Open the view monthly_sales_by_country from the 4 - report views folder. Click on Query > Execute to execute the view.

Let us examine the execution. Here you can notice that the columns country, totalsales & year are completely hidden for the monthly_sales_by_country view. At runtime, Denodo checks the conditions defined in the security policy and then applies the restrictions over the associated tags.
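The following is an added conceptual sketch, not Denodo code or VQL, of how the Enabled, Audience, Elements and Restrictions parameters combine when a user runs a query. The `Policy` class, the `applies` and `execute` functions, the `"*"` wildcard, the `deny` restriction name, the representation of masked values as `None` and the sample row are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed catalogue: column -> tags, mirroring the tutorial's tagging of
# monthly_sales_by_country ("month" is left untagged for contrast).
COLUMN_TAGS = {
    "monthly_sales_by_country": {
        "country": {"confidential"}, "totalsales": {"confidential"},
        "year": {"confidential"}, "month": set(),
    },
}

@dataclass(frozen=True)
class Policy:
    name: str
    audience: frozenset      # user names; "*" stands for any user (assumption)
    element_tag: str         # the policy targets tags, never individual views
    restriction: str         # "mask" or "deny" (simplified restriction types)
    enabled: bool = True

def applies(policy, user, view):
    """True when the policy is enabled, the user is in the audience and the
    view has at least one column carrying the policy's tag."""
    if not policy.enabled:
        return False
    if "*" not in policy.audience and user not in policy.audience:
        return False
    return any(policy.element_tag in t for t in COLUMN_TAGS.get(view, {}).values())

def execute(user, view, rows, policies):
    """Return rows as `user` would see them; raise if a deny policy matches."""
    active = [p for p in policies if applies(p, user, view)]
    denied = [p.name for p in active if p.restriction == "deny"]
    if denied:
        raise PermissionError(f"{user} may not query {view}: {denied[0]}")
    masked = {p.element_tag for p in active if p.restriction == "mask"}
    tags = COLUMN_TAGS.get(view, {})
    # Hide every column whose tags intersect the masked tags.
    return [{c: None if tags.get(c, set()) & masked else v for c, v in r.items()}
            for r in rows]

MASK = Policy("mask_confidential_data", frozenset({"tutorial"}), "confidential", "mask")
ROWS = [{"country": "ES", "totalsales": 1200.5, "year": 2023, "month": 4}]  # constructed

if __name__ == "__main__":
    print(execute("tutorial", "monthly_sales_by_country", ROWS, [MASK]))
    print(execute("admin", "monthly_sales_by_country", ROWS, [MASK]))
```

Because the policy references the tag rather than the view, tagging a column in another view brings that view under the same policy without editing the policy itself.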

Congratulations!

Do you need more examples? It's your lucky day! The following section will show you some examples using security policies and tags.

This section will cover two configuration examples that will show use cases on implementing security policies.

Example 1: We have a view with personal information of customers and we do not want users to see these columns.

Let's use, for example, the view bv_crm_address from the tutorial database. We could tag the fields street, city, zip, state and primary_phone accordingly, as shown here:

Create a new Global Security Policy

Now, when "any user" accesses views tagged with "location", she will see the personal information masked.

Example 2: Deny the execution of a query for a specific user

If we create a Global Security Policy like the following one, we can deny the execution of queries of our user in the tutorial database:

With that policy, if the user tutorial tries to execute the bv_crm_address view, she will see this message:

With these examples, you have finished the Denodo Global Security Policies tutorial. Now it's time to continue exploring what the Denodo Platform can do for you: take a look at the official reference manuals and play with your own use cases.

Congratulations!