Using the Dimension Table to build ABAC policy conditions

In TrustLogix, dimension tables can be used to create precise and attribute-driven data access policies. These tables are typically used to represent business hierarchies, classifications, or any categorical data (e.g., territories, product types, regions) that are referred to while defining access conditions.

Prerequisites: Enabling Dimension Table Selection

Before you can use a dimension table in the Condition Builder, you must ensure that the dimension is correctly linked to a user attribute source configuration via Attribute Management.

When to Use a Dimension Table

Use dimension tables when:

You want to enforce attribute-based row-level policies.
You want to map user attributes to business values like region, business unit, or product line.
You need to evaluate policies using values that roll up into hierarchies.

Steps to Use a Dimension Table in the Condition Builder

1. Create or Edit a Policy

Navigate to the Access Policies section of your account.
Click Create Policy or choose an existing one to edit.
Create a row access policy or a column-based masking policy.

2. Add Data Conditions

Click the +Data Condition Link.

3. Select the Data Attribute

Choose the appropriate data attribute (column) from the dropdown list.

4. Define the Operator

Select the operator, such as Equals, In, etc.
Operators determine how the selected dimension value will be matched.

5. Set the Comparison Value

Choose:
- Constant Value from Attribute: Map to a user-defined attribute (e.g., gl account name) which links back to the user's metadata or entitlements.
- The mapped dimension table will be used in the policy condition.

6. Choose the values from the dimension table.

Choose the values from the model window.
If the attribute supports multiple values, you can select multiple values.
Enable multi-selection using the checkbox interface and add desired values.

7. Select additional filters on the dimension table.

Once the dimension column values are selected, click on the +Filter Conditions link.
Select the required available column name as an additional filter on the dimension table.
Select Constant value and choose an available value.
Proceed with additional filters or conditions as needed.

7. Save and Apply

Click Add or Save to apply the condition.
Build and deploy the policy.

Example Use Cases

Region-based Access: Allow only users from specific regions to access transactions.
Business Unit Segmentation: Restrict access to financial data by ROLLUP_TYPE or GL Account.
Tiered Data Access: Use hierarchy tags like "BRONZE" or "PURCHASE" to define access scopes.

Sample Policy Generate for Snowflake Datasource

CREATE OR REPLACE ROW ACCESS POLICY tlx_policy_db.tlx_row_policy.TLX_ABAC_8a48813098092d4b01980c64c0fe06b0 
AS (TLX_COUNTRY VARCHAR)
RETURNS BOOLEAN ->
CASE
    WHEN (
        IS_ROLE_IN_SESSION('DATA_ANALYST')
        AND TLX_COUNTRY IN (
            SELECT DISTINCT COMPANY_CODE
            FROM ACME_DB.MASTER_DATA.COMPANY_CODE_DIM_HIERARCHY
            WHERE 
                LEVEL_0 = 'Europe'
                AND LEVEL_1 = 'France'
                AND LEVEL_2 = 'Division B'
                AND ROLLUPTYPE = 'AVG'
                AND BUSINESS_UNIT = 'BU001'
        )
    )
    THEN TRUE
    ELSE FALSE
END

PreviousMasking Policies NextDomain Policies

Last updated 7 months ago

Was this helpful?

hashtagPrerequisites: Enabling Dimension Table Selection

hashtagWhen to Use a Dimension Table

hashtagSteps to Use a Dimension Table in the Condition Builder

hashtagExample Use Cases

Prerequisites: Enabling Dimension Table Selection

When to Use a Dimension Table

Steps to Use a Dimension Table in the Condition Builder

Example Use Cases