Security, data privacy, and data protection play a key role in every organization that must comply with policies and regulations that can vary across regions, data assets, etc. Real environments have multiple consuming applications that have varying forms of data holding sensitive information. So it's very important to define security policies in the data virtualization layer that allows for implementing semantic security rules across the data, independent of the technologies being used.

Denodo Global Security Policies allows defining security restrictions in the following ways:

  • Applying restrictions that can be applied to all/some users that verify the defined conditions.
  • Applying restrictions that can be applied to all/certain views that verify the defined conditions.
  • Define the global security policy that applies based on what the user is executing, the roles, or session attributes.
  • Define to what elements the policy applies to using tags.

Global policies can be created together with "Tags", which are labels that users can assign to views and corresponding columns. Global level policies are easier to manage than view restrictions (Row Restrictions and Column Privileges) because you have the advantage of assigning the policy to multiple views/columns at the same time.

What you'll learn

  • Creating and Managing Tags
  • Global Security Policies Management
  • Creating a Global Security Policy
  • Applying Security Policy over Tags
  • Real-Time Examples

We will learn how to use the Denodo Platform to "create tags" and "assign security policies" along with several examples

In this section, we will explore the benefits of using tags and how to create and manage them using the Denodo Web Design Studio.

Tags are the labels that can be assigned to the view/columns. It allows users to search with more accuracy & it is another way of organizing and browsing the views of Design Studio and the Administration Tool.

Let's get into the tutorial! Launch the Web Design studio from the Denodo Control center and we are going to create our first Tag.

To create a tag click the menu File > New > Tag from Design Studio.

Enter the name of the tag and its description as shown. In this tutorial, we will create tags to define confidential information about country sales.

Click on Save option and navigate to Tags on the left panel of Design Studio.

Assigning Tags

Once the tag is created, we are ready to assign the tags to views/columns. To do this, click the Tagged views tab, from the server explorer of Design Studio drag and drop the view to the panel Tagged views.

For this tutorial, we will assign the tag to the following views as shown here:

Next, we can assign tags to columns. To do this, click Tagged Columns and from server explorer drag a view and in the popup, select the columns to tag. Let us include the following columns:

  1. Drag and Drop the Report view monthly_sales_country. Choose the columns -> country, totalsales, year and click Ok
  2. Drag and Drop the Report view monthly_sales_area. Choose the columns -> month, area, totalsales and click Ok
  3. Click on Save option.

4. Finally, let's see how tags are represented in the views to which they are assigned to

How does a Tag work?

  1. Tags work based on the security policies defined over them
  2. Once the respective security policies are assigned, Virtual DataPort will use a field from the accessed view tagged with that tag for creating a valid executable expression on the running query.
  3. When a user executes a query accessing a view which triggers our Global Security Policy, the fields tagged with "tags you create" will be masked using the custom expression.

Great work!

We have our first tag created successfully. Let's continue to the next part of the tutorial to understand about security policies

In this section will understand about the global level security policies with some examples.

A global security policy represents a definition of privileges over views from a general vision. With this type of element, you are allowed to create restrictions on views working with abstract concepts, instead of with individual views or fields. It allows to specify the following:

  • You can specify to who the global security policy applies based on the user executing the query, the roles or session attributes.
  • You can define to what elements the policy applies to using tags & finally, the applied restrictions which are also expressed using tags.

Creating a Global Security Policies

Global security policy can be enabled from the Design Studio. Click on Administration > Semantic and Governance > Global Security Policies

To create a new security policy choose the New option from the Global Security Policies menu. Once you have clicked on New, a window popup to enter the required details for the policy creation.

Now, let's understand the different parameters available when creating a policy. These parameters can be defined based on the business requirements depending on the users, type of restrictions, etc

  • Name - Name of the new Policy.
  • Description - A description of the Global Security Policy.
  • Enabled - Indicates if the Global Security Policy will be used on execution. Using this option you could disable the policies.
  • Audience - Indicates to who the Global Security Policy applies to. The options are: All, Any role in list, All roles in list, Roles not in list, User not in list, Any user in list, All session attribute in list, Any session attribute in list, Session attribute not in list.
  • Elements - Indicates to what elements the Global Security Policy applies to. Note that elements are referenced using tags, not individually. The options are: All views, Views tagged with any, Views tagged with all, Views not tagged with, Columns tagged with any, Columns tagged with all, Columns not tagged with.
  • Restrictions - This is the applied restriction when the Global Security Policy is triggered

  • Before creating a new policy, let's create a new user in Design Studio. Navigate to Administration > User Management > New and create a new user named "denodo_user".
  • Username - denodo_user
  • Password - Enter a password of your choice (or) denodo and click on Save
  • Once the user is created, let's assign some privileges over it. From the User Management window, select the user > Edit Privileges, provide Connect & Execute over bitutorial database and save the changes.

Applying Security Policy over Tags

The next step is to understand how to apply the security policies over the tags which we have created in the previous sections. To begin with, let's create a new security policy and assign the tag by entering the following details. This policy is to mask_data for the denodo_user over the confidential tags

Great! Now, we have our first security policy with associated tag assigned. Now, let us see how this works in real time

  • Logout from the Design Studio as "admin" and login again using the credentials of denodo_user
  • Once you login, you could see the bitutorial database for this user based on the privileges we have assigned
  • Open the view monthly_sales_country from the 04-reports folder. Click on Execution Panel > Execute to execute the view.

Let us examine the execution, here you can notice that the columns country, year, & totalsales are completely hidden for the monthly_sales_country view. In runtime, Denodo will first check the conditions defined in the security policy and then apply the restrictions over the associated tags

  • Now, execute the view monthly_sales_area by following the same step

Here, we could see the data has been completely masked for the columns based on the user. You have successfully learned about security policies in Denodo along with the Tags.


Do you need an example?

It's your lucky day! The following section will show you some examples using Security policies and tags.

Real-Time Examples

This section will cover two configuration examples that will show use cases on implementing security policies.

Example 1: We have a view with the addresses of customers and we do not want users to see these columns.

Let's use the view address from the tutorial database.

  • Create tags location, zip_code, phone and map it accordingly as shown here:

  • Create a new Global Security Policy

  • Login into the Design Studio, with "denodo_user" credentials and execute the view address

Since now, when "denodo_user" access to views tagged with "locations" will see data masked for fields tagged with "location", "zip_code" or "phone_number". The same security policy can also be achieved by assigning the tags to a particular role (when that role has many users).

Example 2: Create a Global Security Policy denying the execution for the user

Let's use the same view address from the tutorial database.

  • Create a new Global Security Policy

  • Login into the Design Studio, with "denodo_user" credentials and execute the view address

Since now, "denodo_user" does not have access to views tagged with "locations". The same security policy can also be achieved by assigning the tags to a particular role (when that role has many users).

With these examples, you have finished the Denodo Global Security Policies tutorial. Now it's time to continue exploring what the Denodo Platform can do for you, take a look at the official reference manuals and play with your own use cases.