Hello! I am trying to implement RLS for our embedded application but am running into something I would appreciate help on. I am able to create groups to apply for records with data; however, we have a use case where we also need to apply RLS for null values. I created a group and tried many variations of null, but none worked as expected. Is this possible, and if so, what is the correct syntax to use for the group name? Thank you!
Lexi Wagner (OP), 3mo ago
I am using this documentation: https://docs.thoughtspot.com/cloud/latest/security-rls-concept
I tried these variations: null ; Null ; NULL ; {Null} ; {null} ; '{Null}'
ashish, 3mo ago
Are you trying ts_groups = {null}? Where the user does not belong to any group?
Lexi Wagner (OP), 3mo ago
I am actually trying to find a solution for how we can create a group that applies RLS to records with a null value in a column. My syntax is ts_groups = to_string(column). This is working when I set up groups for column values (i.e. I set up a group with name 1 and it filters correctly to where that column value = 1); however, it is not working if I set up a group for null to try and apply RLS to restrict user access to records where that column value = null.
shikharTS, 3mo ago
I saw some other variation of this where we wanted to apply runtime filters where the column value should be equal to null. In that case I think this worked:
runtimeFilters: [{
    columnName: 'colName', // eg: color
    operator: RuntimeFilterOp.EQ,
    values: ['{Null}'] // eg: red
}],
Not sure if the same will work for RLS though. What is the value in the table you get for null values when you do to_string(column)?
Lexi Wagner (OP), 3mo ago
Thank you! Yes, that works for runtime filters. I just tried ['{Null}'] for RLS and it did not work. It returns {Null} in the table, but I tried that as well with no luck.
ashish, 3mo ago
We checked with the team. Seems like currently the best way to support this is one of the following:
1. Use runtime filters for RLS (with JWT runtime filters, these should be secure). OR
2. Create a new column in the table which maps NULL to a string value that the group name can match to.
What data warehouse are you using?
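Option 2 above, sketched for SQL Server as an added example that is not part of the thread and not ThoughtSpot's own code. The table dbo.claims, the columns region_id and rls_group_key, and the sentinel 'NO_REGION' are assumed names; the sample rows are constructed.

```sql
-- Constructed sample table (hypothetical names). region_id is the column
-- the RLS rule keys on, and it is NULL for some rows.
CREATE TABLE dbo.claims (
    claim_id  INT PRIMARY KEY,
    region_id INT NULL
);
INSERT INTO dbo.claims (claim_id, region_id)
VALUES (1, 1), (2, 2), (3, NULL);
GO  -- batch separator for sqlcmd/SSMS; CREATE VIEW must start its own batch

-- Expose a key that is never NULL. In SQL, NULL = 'anything' is never true,
-- so an equality rule cannot match the NULL rows directly. 'NO_REGION' is an
-- assumed sentinel; it cannot collide with real data because real values
-- are integers rendered as digits.
CREATE VIEW dbo.claims_rls AS
SELECT claim_id,
       region_id,
       COALESCE(CAST(region_id AS VARCHAR(20)), 'NO_REGION') AS rls_group_key
FROM dbo.claims;
GO

-- Check 1: no NULL keys remain. Expect 0.
SELECT COUNT(*) AS null_keys
FROM dbo.claims_rls
WHERE rls_group_key IS NULL;

-- Check 2: row count per key, confirming the NULL rows landed on the
-- sentinel. These are the values the group names must match exactly.
SELECT rls_group_key, COUNT(*) AS row_count
FROM dbo.claims_rls
GROUP BY rls_group_key
ORDER BY rls_group_key;
```

With the view in place, the rule from the thread would compare against the new column instead (assumed form: ts_groups = rls_group_key), and a group named NO_REGION would cover the rows whose original value is NULL.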
Lexi Wagner (OP), 3mo ago
Thank you for those suggestions! We will try those approaches. We are just using SQL Server right now for data storage. Is option 1 you provided above available in production environments? Or is it this feature that is not yet available in production? https://origamirisk-dev.thoughtspot.cloud/#/develop/documentation/en/?pageid=abac-user-parameters