Global Security Policies Management
In this section, you will learn about global-level security policies, with some examples.
A global security policy defines privileges over views from a general perspective. With this type of element, you can create restrictions on views by working with abstract concepts instead of individual views or fields. It lets you specify the following:
- You can specify to whom the global security policy applies, based on the executing user, the roles, or session attributes.
- You can define which elements the policy applies to using tags and, finally, the applied restrictions, which are also expressed using tags.
Creating a Global Security Policy
Global security policies can be enabled from the Design Studio. Click on
Administration > Semantic and Governance > Global Security Policies
To create a new security policy, choose the New option from the Global Security Policies menu. Once you have clicked on New, a window pops up where you enter the required details for the policy.
Now, let's look at the different parameters available when creating a policy. These parameters can be defined according to the business requirements, depending on the users, the type of restrictions, etc.
- Name - Name of the new Policy.
- Description - A description of the Global Security Policy.
- Enabled - Indicates whether the Global Security Policy will be used on execution. Use this option to disable the policy.
- Audience - Indicates to whom the Global Security Policy applies. The options are:
- All, Any role in list, All roles in list, Roles not in list, User not in list, Any user in list, All session attribute in list, Any session attribute in list, Session attribute not in list.
- Elements - Indicates which elements the Global Security Policy applies to. Note that elements are referenced using tags, not individually. The options are:
- All views, Views tagged with any, Views tagged with all, Views not tagged with, Columns tagged with any, Columns tagged with all, Columns not tagged with
- Restrictions - The restriction that is applied when the Global Security Policy is triggered.
Before creating a new policy, let's create a new user in Design Studio. Navigate to
Administration > User Management > New and create a new user named denodo_user
- Username - denodo_user
- Password - Enter a password of your choice/denodo and click on Save
- Once the user is created, let's assign it some privileges. From the User Management window, select the user > Edit Privileges, grant Connect & Execute over the bitutorial database, and save the changes.
- Log out from the Design Studio as admin and log in again using the credentials of denodo_user
- Once you log in, you can see the bitutorial database for this user, based on the privileges we have assigned
- Open the view monthly_sales_country from the 04-reports folder. Click on Execution Panel > Execute to execute the view.
- Now, execute the view monthly_sales_area by following the same steps
Applying Security Policy over Tags
The next step is to understand how to apply security policies over the tags we created in the previous sections. To begin with, let's create a new security policy and assign the tag by entering the following details. This policy is to mask_data for the denodo_user over the confidential tags.
Great! Now we have our first security policy with an associated tag assigned. Let us see how this works in real time.
Let us examine the execution. Here you can notice that the columns country, year, & totalsales are completely hidden for the monthly_sales_country view. At runtime, Denodo first checks the conditions defined in the security policy and then applies the restrictions over the associated tags.
Here, we can see that the data has been completely masked for the columns based on the user. You have successfully learned about security policies in Denodo along with the Tags.
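The runtime check described above (audience first, then restrictions on tagged elements) can be sketched as a small model. This is an added example, not Denodo's code or API: the class and function names, the policy name mask_confidential, the month column, the sample row, and the reading of each Audience option as a set test are assumptions, and masking is simplified to replacing the value with None.

```python
# Simplified model of a global security policy check (illustrative, not Denodo code).
from dataclasses import dataclass

@dataclass
class Session:
    user: str
    roles: frozenset = frozenset()

@dataclass
class Policy:
    name: str
    enabled: bool
    audience: str             # one of the Audience options listed on this page
    audience_list: frozenset  # users or roles the option is tested against
    column_tags: frozenset    # Elements: "Columns tagged with any"

def audience_matches(policy, session):
    """Evaluate a subset of the Audience options (assumed set semantics)."""
    lst = policy.audience_list
    checks = {
        "All": lambda: True,
        "Any user in list": lambda: session.user in lst,
        "User not in list": lambda: session.user not in lst,
        "Any role in list": lambda: bool(session.roles & lst),
        "All roles in list": lambda: lst <= session.roles,
        "Roles not in list": lambda: not (session.roles & lst),
    }
    return checks[policy.audience]()

def apply_policy(policy, session, column_tags, row):
    """Return the row as this session would see it under the policy."""
    # Conditions are checked first; a disabled or non-matching policy changes nothing.
    if not (policy.enabled and audience_matches(policy, session)):
        return dict(row)
    # The restriction is applied only to columns carrying one of the policy's tags.
    return {col: None if column_tags.get(col, frozenset()) & policy.column_tags else val
            for col, val in row.items()}

# Constructed sample: tag placement, the month column and row values are assumptions.
TAGS = {c: frozenset({"confidential"}) for c in ("country", "year", "totalsales")}
ROW = {"country": "Spain", "month": 3, "year": 2023, "totalsales": 1250.0}
MASK = Policy("mask_confidential", True, "Any user in list",
              frozenset({"denodo_user"}), frozenset({"confidential"}))

if __name__ == "__main__":
    for user in ("denodo_user", "admin"):
        print(user, apply_policy(MASK, Session(user), TAGS, ROW))
```

Because the policy references tags rather than view names, tagging a column in any other view as confidential brings it under the same restriction without editing the policy.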
Do you need an example?
It's your lucky day! The following section will show you some examples using Security policies and tags.