Watch full webinar here: https://bit.ly/3DsNyli Securitizing data is one of the most important tasks in an organization. Denodo can offer a wide range of data, gathering data from different sources, and delivering this data to many client applications and final users. When returning the data, Denodo provides several options to securitize the data, and just let the right users and client applications read this data. One of the options for achieving this purpose is using fine-grained privileges over the view. Join us in this session with Javier Gayoso, a Technical Consultant at Denodo, in which we will go into the importance of security policies based on fine-grained privileges over the views at different layers, and how this can be implemented in the Denodo Platform. This session is a follow-up to the Tech Talk session “Surpassing element by element access control: semantic-based security policies”, and previous knowledge on Denodo Security and the different features of fine-grained view privileges is recommended. Watch on-demand & learn: - Modeling fine-grained privileges in a multi-layer architecture using roles. - Designing the caching and smart query acceleration strategies considering the view security requirements.

1. Denodo TechTalks
Product Deep-Dive Series
A product deep-dive, webinar series covering
the critical capabilities of Denodo’s modern
data virtualization

2. Securitizing data
using fine-grained
privileges in multi-
layered virtual
models
Javier Gayoso
Technical Consultant
Denodo

3. AGENDA
1. Fine-grained privileges in a multi-layer
architecture using roles
2. Caching strategies considering the view security
requirements
3. Smart query acceleration strategies considering
the view security requirements
3

4. Fine-grained privileges in
a multi-layer architecture
using roles
4

5. ▪ Users acquire permission through roles
▪ Roles can be hierarchical
▪ The NIST RBAC model is based on positive
permissions
▪ A user can have several roles assigned and their
permissions are additive
Overview of the Role Based Access Control (RBAC) approach
Fine-grained privileges in a multi-layer architecture using roles
5

6. ▪ Fine-grained privileges should be defined on the final
views
▪ Defining fine-grained privileges in intermediate levels
of the view hierarchies can lead to management
complexities
▪ Choose the highest level view with that information
available
▪ In multi-layered virtual models, defining restrictions
at intermediate layers may be unavoidable
General Best Practices with Fine-Grained Privileges
Fine-grained privileges in a multi-layer architecture using roles
6

7. ▪ Virtual models in Denodo are usually designed following a layered architecture
▪ The chosen layers may vary but in order to illustrate the best practices we will use the
following layered structure
Multi-layered virtual model with several developer teams
Fine-grained privileges in a multi-layer architecture using roles
7

8. ▪ core_db: This database contains the views from the semantic layer. Among others it contains the
view EMPLOYEE.
▪ hr_db: This database contains the views of the Human Resources development team. The
development team of the HR department is allowed to create their own derived views on top of the
‘core_db’ views, and they have built the view MANAGER_SALARIES, which is a derived view built on
top of the EMPLOYEE view.
Setting Limits to the Views in Higher Layers
Fine-grained privileges in a multi-layer architecture using roles
8
Amanda
Ron

9. ▪ Giving execute access over a view to a user with privilege to create views and assign privileges, is
also indirectly transferring the ability to grant privileges to third users over that data.
▪ Fine-grained privileges allow us to set limits on this privilege, ensuring that certain security rules are
always applied.
Setting Limits to the Views in Higher Layers
Fine-grained privileges in a multi-layer architecture using roles
9

10. ▪ More conservative best practice: use of the Global security policies (only available with Denodo Enterprise Plus) to
deny indirect visibility of the EMPLOYEE view to any role not included in a explicit list of exceptions.
Setting Limits to the Views in Higher Layers
Fine-grained privileges in a multi-layer architecture using roles
10

11. 11
Restrictions in different
views in the same
hierarchy

12. ▪ Now, the ‘core_db’ layer exposes to higher layers the EMPLOYEE view which includes among other things the
employees’ usernames, salaries and department ids; and the DEPARTMENT view, which contains information about
the company departments including their id, name and geographical location.
Setting up limits when restrictions are specified in different views in the same hierarchy
Fine-grained privileges in a multi-layer architecture using roles
12

13. ▪ Deny indirect visibility using global policies
as described in the previous section.
▪ Creating a new view having all the columns
required to define the desired policies and
expose only that view to the higher layers.
Setting up limits when restrictions are specified in different views in the same hierarchy
Fine-grained privileges in a multi-layer architecture using roles
13
Sally

14. ▪ Deny indirect visibility
Setting up limits when restrictions are specified in different views in the same hierarchy
Fine-grained privileges in a multi-layer architecture using roles
14

15. ▪ Creating a new view having all the columns required
Setting up limits when restrictions are specified in different views in the same hierarchy
Fine-grained privileges in a multi-layer architecture using roles
15

16. Caching strategies
considering the view
security requirements
16

17. ▪ If a user without any fine-grained restrictions loads the cache, a user with role
sales_manager executing that view will see all data as will access the cache directly
Fine-grained privilege limitations using cache
Caching strategies considering the view security requirements
17

18. ▪ In the example, we could modify the permissions of sales_manager on SALARY_DETAILS to include the
same masking policy.
Define the restrictions on the cached view
Caching strategies considering the view security requirements
18

19. ▪ In order to provide different versions of the cached data to different users you can create different
views in Virtual DataPort so each role has access to each copy of the view.
Create different views aimed at different roles and cache each one with the data for each role
Caching strategies considering the view security requirements
19

20. ▪ It is not possible to define the same privilege at the top view level because the region column
is not available
Create different views aimed at different roles and cache each one with the data for each role
Caching strategies considering the view security requirements
20

21. Smart query acceleration
considering the view
security requirements
21

22. ▪ Denodo 8.0 includes a new feature called Smart Query Acceleration, which dynamically
selects pre-stored data to avoid performing some of the same data combinations
Modeling summaries considering fine-grained privileges
Smart query acceleration considering the view security requirements
22

23. ▪ SELECT deptno, max(salary) FROM SALARY_DETAILS GROUP BY 1
Create summaries using different versions of the dataset
Smart query acceleration considering the view security requirements
23

24. ▪ On the other hand, if a user with role hr_emea executes the same queries, the query
optimizer will detect that it cannot use the summary as the query for that user requires an
extra condition that is not included in the pre-stored data (see image below).
Create summaries using different versions of the dataset
Smart query acceleration considering the view security requirements
24

25. ▪ SELECT region, deptno, max(salary) FROM SALARY_DETAILS GROUP BY 1,2
Create a summary that includes the necessary fields to evaluate the restrictions.
Smart query acceleration considering the view security requirements
25

26. ▪ Define fine-grained privileges on the final views that are exposed to data consumers. In
multi-layered virtual models with several development teams this may not be enough.
▪ A user that create new views and decide who can execute them, this user also gains the
ability to decide who can indirectly see the data of the original views.
▪ Since at runtime Denodo applies fine-grained privileges separately at each view, it’s
important to ensure that appropriate restrictions to all roles are defined for all views that
can be combined to create higher level views.
▪ Consider using global policies to deny all indirect visibility through higher views of the
data, and then defining specific policies for the desired exceptions.
▪ Caching has additional configuration capabilities and it does not depend on the
optimizer decisions.
▪ Summaries offer more advantages, as more queries will potentially benefit from them.
Closing remarks
26

27. ▪ Best practices in designing fine-grained privileges in multi-layered virtual models
▪ Fine-grained privileges and caching best practices
▪ Fine-Grained Privileges at View Level
▪ Global Security Policies
References
27

28. Q&A
28

29. Thanks!
www.denodo.com info@denodo.co
m
© Copyright Denodo Technologies. All rights reserved
Unless otherwise specified, no part of this PDF file may be reproduced or utilized in any for or by any means, electronic or mechanical, including
photocopying and microfilm, without prior the written authorization from Denodo Technologies.