Creating or Editing Column Filter Policies
You can use the TDV user interface to lead you through the creation of policies for Column-Based security.
Column names referenced in the filter expression are not validated. You must test each Column Filter policy that you define to make sure that it works as expected. For example, if a filter is on REGION_NAME in the LOCATION table and the column is changed to REGION_CODE, the filter must be updated to reflect that change.
Note: There is no ranking or priority of the rules within a Column Filter policy. If a user or group is assigned to more than one rule within a Column Filter policy, the two predicates are combined using OR statements.
To add or edit a Column-Based security policy
| 1. | Follow the instructions in Enabling Column-Based Security on TDV Resources. |
| 2. | To add a new Column Filter policy, click Add Policy. Or, to edit an existing Column Filter policy, select it and click Edit Policy. |
| 3. | Select or specify values for the following fields: |
|
Field |
Specify |
|||||||||||||||||||||||||||
|
Policy Name |
Specifies the name you want to give to the Column Filter policy. Spaces and ‘/’ are not allowed. |
|||||||||||||||||||||||||||
|
Data Type |
|
|||||||||||||||||||||||||||
|
Enabling |
Regardless of this setting, you can still add and edit the Column Filter policy. If the policy is disabled, it is not used against the data. |
|||||||||||||||||||||||||||
|
Annotation |
(Optional) Type an explanation of the Column Filter policy. |
| 4. | Select the row in the table on the page. |
| 5. | Select the pencil to edit a rule or select Add Rule to add a new rule. |
|
Field |
Specify |
||||||||||||||||||
|
Apply To |
Specifies whether this identity is for a Group or a User. Not available for the default policy, because that policy governs all users and groups. |
||||||||||||||||||
|
Domain |
Specifies the Domain to which you want the Column Filter policy to apply. Not available for the default policy, because that policy governs all users and groups. |
||||||||||||||||||
|
User/Group |
Specifies the user or group name to which you want the Column Filter policy to apply. Not available for the default policy, because that policy governs all users and groups. |
||||||||||||||||||
|
Rule Type |
Specify:
Partial String Mask is available only if you selected String as the Data Type. A default rule is required and is added by default for column-based security. The order of the default rules cannot be changed. You can, however, change the rule type for the default rule. |
| 6. | Depending on the Rule Type that you select, you can specify values for the following: |
|
Rule Type |
Specify |
|||||||||
|
Original Value |
No further fields to edit. |
|||||||||
|
Null |
No further fields to edit. All values for the column will display as Null values. |
|||||||||
|
Static Value |
Type the value to display for the column data. For example, alwaysthesame. |
|||||||||
|
Partial String Mask |
Type values for:
|
|||||||||
|
Custom Function |
Select a custom function from the list. This must be a custom function that you have defined in Studio and it must have at least one input and one output. |
|||||||||
|
Expression |
Type and expression in the text field. It can be any valid expression syntax. |
| 7. | Click Apply. |
| 8. | Click Save. |
Example of Expression
Any expression can replace the column in select statement when it apply to column.
Example 1:
Select “columnname” from “tablename”
If you define expression to “columnname”, the select statement is rewritten:
select “expression” as “columnname” from “tablename”
Example 2:
If you want to use the same expression for more than one column, you can use a placeholder instead of the column name.
CAST(LPAD('X', LENGTH($PARAM$)-4, ‘X’) || SUBSTRING($PARAM$, LENGTH($PARAM$)-3) AS VARCHAR(30))
At the time of policy assignment, you will be prompted to assign a value for the parameter $PARAM$. Use this parameter to assign the expression to any column you need.