Skip to main content

Data Row Level Filter

IOMETE Row-level Filter policies allow users to access only a subset of data based on the context in which they interact with the data. When utilizing a table with a row-filter, only a portion of rows will be visible to the user – as determined by the filter configuration within the row-filter policy.


Policy details

Policy details includes the following properties.
FieldDescription
Policy nameEnter an appropriate policy name. This name cannot be duplicated in another policy.
Enabled & DisabledThe policy is enabled by default. If disabled, the policy will not affect user queries.
Normal & OverrideWhen switched to Override, the access permissions in the policy override the access permissions in existing policies.
Add Validity PeriodSpecify a start and end time for the policy. (Optional)
DescriptionDescribe the purpose of the policy. (Optional)

Policy resources

FieldDescription
DatabaseChoose only one database. All available options are displayed in the selection. The search function helps you find an exact match.
TableChoose only one table. All available options are displayed in the selection based on the chosen database. The search function helps you find an exact match.
Wildcard

Wildcard matching is not supported in row level filter policy.

Row Filter Conditions

FieldDescription
Select Group

Specify one or more groups for whom this policy should be applied.


If no group is specified, you must provide a user.

Select User

Specify one or more users for whom this policy should be applied.


If no user is specified, you must provide a group.

Access Types

Currently select is the only available access type. This will be used in conjunction with the WHERE clause specified in the Row Level Filter field.

Row Level Filter

To create a row filter for the specified users, groups, and roles, Click Add Row Filter, then type a valid WHERE clause in the Enter filter expression box.


To allow Select access for the specified users and groups without row-level restrictions, do not add a row filter (leave the setting as "Add Row Filter").


Filters are evaluated in the order listed in the policy. The filter at the top of the Row Filter Conditions list is applied first, then the second, then the third, and so on.

New condition

To add additional conditions, click on the Add new condition button. The conditions are evaluated in the order they appear in the policy. The top condition is applied first, followed by the second, third, and so on.

Drag items from the left-side icon to reorder.

Row Level Filter use cases

Use Case: Users see only same-country customer records.

Let's use the customers table for row-level filtering feature use cases as well.

This use case focuses on implementing a row-level filtering policy for the customers table to restrict user access to customer records based on their respective countries. The objective is to ensure that users can only view records of customers located in the same country where they work. This policy will help maintain data privacy and comply with country-specific regulations.

row-level-filtering

Policy details

  • Target Table: customers table in default database.

    row level table

Filtering rule:

  • The policy enforces that users can only access customer records from their own country-specific group.
  • For instance, users belonging to the us_employees group can only access customer records for customers located in the United States. Similarly, users belonging to the uk_employees group can only access customer records for customers located in the United Kingdom.
  • The filtering is applied dynamically based on the user's country-specific group membership.

Group examples:

  • us_employees: For users working in the United States.
  • ca_employees: For users working in the Canada.
  • uk_employees: For users working in the United Kingdom.
  • Other country-specific groups can be created for different regions as per requirements. row level conditions
info

Default access type in row-level-filter is select

Rationale:

  • By implementing this row-level filtering policy, we ensure that users can only access customer data relevant to their work location, minimizing the risk of unauthorized access to sensitive information.

  • Users are restricted to view customer records within their country, promoting data privacy compliance and adhering to the principle of least privilege.

    Query Results

SELECT * from default.customers;
  • Sample Data Before Applying Row-Level-Filtering Policy: Consider a few records in the customers table before the Row-Level-Filtering policy is applied:

    row level sample data

  • Sample Data After Row-Level-Filtering :

    Once the Row-Level-Filtering policy is applied, the rows in customers table will show different results based on filtering.

    User Olivia, a member of uk-employees group: The result includes only customers in UK.

    row level use case

    User Jane, a member of ca-employees group: The result includes only customers in Canada.

    Untitled