IOMETE Row-level Filter policies allow users to access only a subset of data based on the context in which they interact with the data. When utilizing a table with a row-filter, only a portion of rows will be visible to the user – as determined by the filter configuration within the row-filter policy.
Policy detailsPolicy details includes the following properties.
|Enter an appropriate policy name. This name cannot be duplicated in another policy.
|Enabled & Disabled
|The policy is enabled by default. If disabled, the policy will not affect user queries.
|Normal & Override
|When switched to Override, the access permissions in the policy override the access permissions in existing policies.
|Add Validity Period
|Specify a start and end time for the policy. (Optional)
|Describe the purpose of the policy. (Optional)
|Choose only one database. All available options are displayed in the selection. The search function helps you find an exact match.
|Choose only one table. All available options are displayed in the selection based on the chosen database. The search function helps you find an exact match.
Wildcard matching is not supported in row level filter policy.
Row Filter Conditions
Specify one or more groups for whom this policy should be applied.
If no group is specified, you must provide a user.
Specify one or more users for whom this policy should be applied.
If no user is specified, you must provide a group.
Currently select is the only available access type. This will be used in conjunction with the WHERE clause specified in the Row Level Filter field.
|Row Level Filter
To create a row filter for the specified users, groups, and roles, Click
To allow Select access for the specified users and groups without row-level restrictions, do not add a row
filter (leave the setting as "Add Row Filter").
Filters are evaluated in the order listed in the policy. The filter at the top of the Row Filter Conditions list is applied first, then the second, then the third, and so on.
To add additional conditions, click on the
Add new condition button. The conditions are evaluated in the order they appear in the policy. The top condition is applied first, followed by the second, third, and so on.
Drag items from the left-side icon to reorder.
Row Level Filter use cases
Use Case: Users see only same-country customer records.
Let's use the
customers table for row-level filtering feature use cases as well.
This use case focuses on implementing a row-level filtering policy for the
customers table to restrict user access to customer records based on their respective countries. The objective is to ensure that users can only view records of customers located in the same country where they work. This policy will help maintain data privacy and comply with country-specific regulations.
- The policy enforces that users can only access customer records from their own country-specific group.
- For instance, users belonging to the
us_employeesgroup can only access customer records for customers located in the United States. Similarly, users belonging to the
uk_employeesgroup can only access customer records for customers located in the United Kingdom.
- The filtering is applied dynamically based on the user's country-specific group membership.
us_employees: For users working in the United States.
ca_employees: For users working in the Canada.
uk_employees: For users working in the United Kingdom.
- Other country-specific groups can be created for different regions as per requirements.
Default access type in row-level-filter is
By implementing this row-level filtering policy, we ensure that users can only access customer data relevant to their work location, minimizing the risk of unauthorized access to sensitive information.
Users are restricted to view customer records within their country, promoting data privacy compliance and adhering to the principle of least privilege.
SELECT * from default.customers;
Sample Data Before Applying Row-Level-Filtering Policy: Consider a few records in the
customerstable before the Row-Level-Filtering policy is applied:
Sample Data After Row-Level-Filtering :
Once the Row-Level-Filtering policy is applied, the
customerstable will show different results based on filtering.
Olivia, a member of
uk-employeesgroup: The result includes only customers in UK.
Jane, a member of
ca-employeesgroup: The result includes only customers in Canada.