hello! I am trying to implement RLS for
hello! I am trying to implement RLS for our embedded application but am running into something I would appreciate help on. I am able to create groups to apply for records with data, however we have a use case where we also need to apply RLS for null values. I created a group and tried many variations of null, but none worked as expected. is this possible, and if so, what is the correct syntax to use for the group name? Thank you!
7 Replies
I am using this documentation: https://docs.thoughtspot.com/cloud/latest/security-rls-concept
I tried these variations: null ; Null ; NULL ; {Null} ; {null} ; '{Null}'
Are you trying
ts_groups = {null}
? Where the user does not belong to any group ?I am actually trying to find a solution for how we can create a group that applies RLS to records with a null value in a column
my syntax is
ts_groups = to_string(column)
this is working when I set up groups for column values (i.e. I set up a group with name 1 and it filters correctly to where that column value = 1) ; however it is not working if I set up a group for null to try and apply RLS to restrict user access to records where that column value = null
I saw some other variation of this where we wanted to apply runtime filters where column value should be equal to null. In that case I think this worked:
Not sure if same will work for RLS though. What is the value in the table you get for null values when you do to_string(column)?
thank you! yes that works for runtime filters. I just tried ['{Null}'] for RLS and it did not work. it returns {Null} in the table but I tried that as well with no luck
We checked with the team. Seems like currently the best way to support this is one of the following:
1. Use runtime filters for RLS (With JWT runtime filters, these should be secure).
OR
2. Create a new column in the table which maps
NULL
to a string value that the groupname can match to.
What data warehouse are you using?thank you for those suggestions! we will try those approaches
we are just using SQL Server right now for data storage
is option 1 you provided above available in production environments?
or is it this feature that is not yet available in production? https://origamirisk-dev.thoughtspot.cloud/#/develop/documentation/en/?pageid=abac-user-parameters