Guides

Protect a column with default settings

Suggest Edits

This guide explains how to protect columns using default settings, including transformers, access policies, and token access policies (in cases where the default transformer is tokenizing).

Column Defaults Overview

Column defaults are policies that apply to every accessor extracting data from a specific column. Column defaults do not apply to mutators. There are three key default settings:

  • Default transformers: Used to transform the data in the column, such as masking or tokenizing sensitive information.
  • Default access policies: Determine who can access the data in the column via an accessor, such as role checks or system identity checks.
  • Default token access policies: Determine who can access the data in the column via token resolution, such as role checks or system identity checks.

Example Use Cases for Default Transformers

  1. Default Masking Transformer for SSN Column
    1. Automatically apply a masking transformer to the SSN column in all queries to obscure sensitive data.
  2. Default Redaction Transformer for Patient Diagnosis Code Column
    1. Automatically redact the Patient Diagnosis Code column in all queries to ensure privacy.
  3. Default Tokenizing Transformer for Email Column
    1. Automatically tokenize the email column in all queries to secure user identities.

Example Use Cases for Default Access Policies

  1. Default Role Check for SSN Column
    1. Apply a role check access policy to the SSN column in all queries to ensure only authorized roles can access this sensitive data.
  2. Default Permission Check for Patient Diagnosis Code Column
    1. Apply a permission check access policy to the Patient Diagnosis Code column to ensure it is only accessible by users with specific permissions.
  3. Default System Identity Check for Credit Card Number Column
    1. Apply a system identity check access policy to the Credit Card Number column to allow only the financial system to read the credit card number.

Overriding Column Defaults for an Accessor

You can override column defaults for an individual accessor.

For Transformers:

  • Set a specific transformer on the column on the relevant accessor.

For Access Policies and Token Access Policies:

  • Use the boolean parameter AreColumnAccessPoliciesOverridden to disable all default policies for the accessor. This allows you to apply custom policies specific to the accessor.

For more details on how to override column defaults on an individual accessor, refer to the API reference.

Combining Policies

For any accessor that involves multiple columns with default access policies, the system will AND the following three types of policies:

  1. Global baseline policy: Applied to ensure baseline security.
  2. Column-default access policies: Applied unless overridden.
  3. Accessor-specific access policy composition: Applied in addition to the above policies.

This ensures that all policies work together to provide a robust security framework. For tokens generated by a given accessor, the same approach applies to token access policies.

Updated about 2 months ago