Authorization model for views
Data Virtualization uses the Db2 authorization model for views, which controls access to database objects (authorizations), along with masking and row filtering rules to enhance security by limiting access to data based on the defined conditions.
To determine whether you can access the view, Data Virtualization initiates the following Db2 authorization checks:
- Are you authorized to access the view through IBM Knowledge Catalog and Data Virtualization GRANTs?
- Is the creator of the view continuously authorized, through IBM Knowledge Catalog and Data Virtualization GRANTs, to access the objects and views that the view references?
- Authorization user scenario
-
The following diagram illustrates the scenario of a user (userA) that is authorized to access the Department expenses view but not the contents in the tables that the view references. The creator of the view (viewCreator), creates the Department expenses view from the Payroll and Transactions table, and must remain authorized to these objects that the view references, for the view to remain accessible to userA.
Column masking and row filtering model for views
- Data Virtualization applies column masking and row filters directly to objects that a view references, instead of applying them to a view in a governed catalog.
- Data Virtualization masks views according to the data protection rules that apply to the tables that the view dependency chain references.
- Masking and row filtering user scenario
-
The following diagram illustrates the scenario of when a user (userA) attempts to access the Department expenses view, Data Virtualization applies column masks and row filters to the underlying Payroll and Transactions tables. The resulting view is masked regardless of any column masking or filter rules that are applied directly to the Department expenses view. This process helps ensure that userA cannot bypass data protection rules applicable to the underlying data referenced by the Department expenses view.
Outcome truth tables
The following outcome truth tables indicate the net outcome for a view creator (viewCreator) and another user (userA) when they query a view (V1) that references tables (T1).
- The decisions in each table represent net outcomes from the applicable IBM Knowledge Catalog data protection rules.
- Consider this legend for the following outcome truth tables:
-
- Any decision
- Allow, Deny, Transform, or Transform → Deny
-
- Transform
- Column masking, row filtering, or both rules, apply.
-
- Transform → Deny
- The case when the Deny decision take precedence over a transformation (masking and row filtering) rule to the Default data convention and Rule action precedence is enacted. For more information, see Managing rule settings.
-
viewCreator decision on T1 | userA decision on T1 | viewCreator decision on V1 | userA decision on V1 | Net outcome for viewCreator on V1 from Data Virtualization |
---|---|---|---|---|
Allow1 | – | Allow | – | Allow |
Allow1 | – | Transform | – | Allow |
Any decision1 | – | Transform → Deny | – | Deny |
Any decision1 | – | Deny | – | Deny |
Transform1 | – | Allow | – | Transform decision for viewCreator on T1 |
Transform1 | – | Transform | – | Transform decision for viewCreator on T1 |
Transform → Deny1 | – | Any decision | – | Deny |
Deny1 | – | Any decision | – | Deny |
1Evaluation decision that is used in RCAC and authorization enforcement.
viewCreator decision on T1 | userA decision on T1 | viewCreator decision on V1 | userA decision on V1 | Net outcome for userA on V1 from Data Virtualization |
---|---|---|---|---|
Allow or Transform | Allow2 | – | Allow | Allow |
Allow or Transform | Allow2 | – | Transform | Allow |
Any decision | Any decision2 | – | Transform → Deny | Deny |
Any decision | Any decision2 | – | Deny | Deny |
Allow or Transform | Transform2 | – | Allow | Transform decision for userA on T1 |
Allow or Transform | Transform2 | – | Transform | Transform decision for userA on T1 |
Allow or Transform3 | Transform → Deny2 | – | Allow3 | Allow3 |
Allow or Transform3 | Transform → Deny2 | – | Transform3 | Allow3 |
Allow or Transform3 | Deny2 | – | Allow3 | Allow3 |
Transform → Deny or Deny | Any decision2 | – | Any decision | Deny |
2Evaluation decision that is used in RCAC enforcement.
3As long as viewCreator is not denied access to the tables that the view references, and userA is not denied access to the view itself, then userA has unrestricted access to the data unless a Transform-only rule applies to userA on the tables that the view references.