Creating query rewrite definitions

Learn how to create query rewrite definitions for data masking and access control scenarios.

Procedure

  1. Go to Protect > Security Policies > Query Rewrite Builder.
  2. Provide a unique and meaningful name for the query rewrite definition in the Name field.
  3. Create and parse a model query.
    1. Provide a model query in the Enter a model query field.
      For example, to create a rewrite definition that prevents the use of SELECT * from statements, enter SELECT * from EMPLOYEE as the model query.

    2. Click the DB Type menu and select a SQL parser to use with the model query.
    3. Click Parse to process the model query.
      The model query is broken down into individual components, and each actionable component is underlined.

  4. Define how to rewrite specific components of the model query.
    1. Click on an underlined component of the parsed query that you would like to rewrite. A dialog opens to help create your query rewrite definition.
      Options:

      • Select and modify an individual verb, field, or object from the parsed query
      • Add a component to the query (shown as gray underlined text next to the parsed query)
      • Rewrite the entire query by clicking the gray underlined [R] next to the parsed query

      In the SELECT * from EMPLOYEE example, where the goal is to prevent the use of SELECT * from statements, click the * to provide rewrite content.

    2. The Change from field indicates what will be rewritten.
    3. The To field defines the rewritten component.

      For example, to prevent the use of SELECT * from statements, replace the * component with a list of specific objects: EMPNO, FIRSTNME, MIDINIT, LASTNAME, WORKDEPT, PHONENO, HIREDATE, JOB, EDLEVEL, SEX.

      Important: Rewrite definitions are based on syntax, so any statement with the form SELECT * from [OBJECT] will match the example. For instance, both SELECT * from DEPARTMENT and SELECT * from EMPLOYEE statements match our example. Query rewrite definitions can be restricted to specific objects using access policy rules. See Defining a security policy to activate query rewrite for instructions.
    4. Click Save to save the rewrite definition, then click Back to close the dialog.
  5. Review the output of the query rewrite definition using the Real time preview field and make any changes as needed.

    Using our example, SELECT * from EMPLOYEE is rewritten as SELECT EMPNO, FIRSTNME, MIDINIT, LASTNAME, WORKDEPT, PHONENO, HIREDATE, JOB, EDLEVEL, SEX from EMPLOYEE.

  6. When you are satisfied with the results, click Save to save your query rewrite definition.

    Your query rewrite definition is saved and displayed in the list of available query rewrite definitions in the Query Rewrite Builder.
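
The Important note in step 4 can be checked offline with the following added example, which is not part of the product and does not use its parser. It models the definition as a regular expression, runs the rewritten statements against constructed SQLite tables, and shows that an unrestricted definition breaks SELECT * from DEPARTMENT; the restrict_to parameter and the DEPARTMENT columns are assumptions standing in for an access policy rule and a real schema.

```python
import re
import sqlite3

# Column list from the rewrite definition in the procedure above.
EMPLOYEE_COLUMNS = ("EMPNO, FIRSTNME, MIDINIT, LASTNAME, WORKDEPT, "
                    "PHONENO, HIREDATE, JOB, EDLEVEL, SEX")
# Stand-in for the parsed model query: matches SELECT * from [OBJECT].
MODEL = re.compile(r"^\s*SELECT\s+\*\s+FROM\s+(\w+)", re.IGNORECASE)


def rewrite(query, restrict_to=None):
    """Replace * with the column list when the query matches the model.

    restrict_to is a hypothetical stand-in for an access policy rule that
    limits the definition to named objects; None means no restriction.
    """
    m = MODEL.match(query)
    if not m:
        return query  # syntax does not match the model: leave untouched
    obj = m.group(1).upper()
    if restrict_to is not None and obj not in restrict_to:
        return query  # syntax matches, but the object is out of scope
    star = m.start(0) + m.group(0).index("*")
    return query[:star] + EMPLOYEE_COLUMNS + query[star + 1:]


def run(query, restrict_to=None):
    """Rewrite the query, execute it on constructed tables, report result."""
    db = sqlite3.connect(":memory:")
    # Constructed sample schema; only the column names matter here.
    db.execute(f"CREATE TABLE EMPLOYEE ({EMPLOYEE_COLUMNS})")
    db.execute("CREATE TABLE DEPARTMENT (DEPTNO, DEPTNAME, MGRNO)")
    rewritten = rewrite(query, restrict_to)
    try:
        db.execute(rewritten)
        return rewritten, "ok"
    except sqlite3.OperationalError as exc:
        return rewritten, f"error: {exc}"
    finally:
        db.close()


if __name__ == "__main__":
    for q in ("SELECT * from EMPLOYEE", "SELECT * from DEPARTMENT"):
        print(run(q))                            # applied to any object
        print(run(q, restrict_to={"EMPLOYEE"}))  # scoped to EMPLOYEE only
```

When previewing a definition, test it against at least one object other than the one used in the model query before attaching it to a policy.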

What to do next

Continue working with query rewrite definitions:
  • Create additional definitions by clicking New and repeating the steps in this task.
  • Edit an existing query rewrite definition by double-clicking an item in the list of available query rewrite definitions.
  • Copy and edit an existing query rewrite definition by selecting the item in the list of available query rewrite definitions and clicking Clone.
  • Delete an existing query rewrite definition by selecting the item in the list of available query rewrite definitions and clicking Delete.
When you are finished working with query rewrite definitions, continue to the next step in this sequence to test and implement your definitions.