Access Policies determine which rows and columns of a Data Pool are accessible. They can have multiple rules, including row-level rules with static or dynamic values.
Creating and assigning Access Policies
Follow these steps to create an Access Policy via the Console:
- Go to the desired Data Pool.
- Open the “Access Policies” tab.
- Click “Add new policy”.
- Define column and row access controls.
- Assign Applications to the Policy.
- Name and describe the policy.
- Review and click “Create”.
- Enable Access Control on the Data Pool.
Column-level rules
Column-level rules define which specific columns of a Data Pool are accessible.
Column-level rule configuration in the Console
```graphql
mutation {
  createDataPoolAccessPolicy(input: {
    uniqueName: "Column-specific Access Policy",
    description: "Limits access to specific columns",
    dataPool: "DPO00000000000000000000000000",
    columns: ["taco_name", "taco_total_price"]
  }) {
    dataPoolAccessPolicy {
      dataPool { id }
      id
      uniqueName
    }
  }
}
```
```hcl
resource "propel_data_pool_access_policy" "column_specific_policy" {
  unique_name  = "Column-specific Access Policy"
  description  = "Limits access to specific columns"
  data_pool    = "DPO00000000000000000000000000"
  columns      = ["taco_name", "taco_total_price"]
  applications = ["APP00000000000000000000000000"]
}
```
To grant access to all columns, use the wildcard "*":
Configuring access to all columns
```graphql
mutation {
  createDataPoolAccessPolicy(input: {
    uniqueName: "All-columns Access Policy",
    description: "Grants access to all columns",
    dataPool: "DPO00000000000000000000000000",
    columns: ["*"]
  }) {
    dataPoolAccessPolicy {
      dataPool { id }
      id
      uniqueName
    }
  }
}
```
```hcl
resource "propel_data_pool_access_policy" "all_columns_policy" {
  unique_name  = "All-columns Access Policy"
  description  = "Grants access to all columns"
  data_pool    = "DPO00000000000000000000000000"
  columns      = ["*"]
  applications = ["APP00000000000000000000000000"]
}
```
Row-level rules
Row-level rules determine which specific rows of a Data Pool are accessible.
Row-level rule configuration
```graphql
mutation {
  createDataPoolAccessPolicy(input: {
    uniqueName: "Row-level Access Policy",
    description: "Limits access to specific rows",
    dataPool: "DPO00000000000000000000000000",
    columns: ["*"],
    filterSql: "restaurant_name = 'Farolito'"
  }) {
    dataPoolAccessPolicy {
      dataPool { id }
      id
      uniqueName
    }
  }
}
```
```hcl
resource "propel_data_pool_access_policy" "restaurant_specific_policy" {
  unique_name = "Row-level Access Policy"
  description = "Limits access to specific rows"
  data_pool   = "DPO00000000000000000000000000"
  columns     = ["*"]
  row {
    column   = "restaurant_name"
    operator = "EQUALS"
    value    = "Farolito"
  }
  applications = ["APP00000000000000000000000000"]
}
```
Dynamic values row-level rules
For more flexible policies, you can use dynamic values from the JWT token in row-level rules:
Dynamic row-level rule configuration
```graphql
mutation {
  createDataPoolAccessPolicy(input: {
    uniqueName: "Dynamic row-level Access Policy",
    description: "Filters restaurants based on JWT token",
    dataPool: "DPO00000000000000000000000000",
    filterSql: "restaurant_name = ${{ restaurant_name }}"
  }) {
    dataPoolAccessPolicy {
      dataPool { id }
      id
      uniqueName
    }
  }
}
```
```hcl
resource "propel_data_pool_access_policy" "dynamic_restaurant_policy" {
  unique_name = "Dynamic row-level Access Policy"
  description = "Filters restaurants based on JWT token"
  data_pool   = "DPO00000000000000000000000000"
  columns     = ["*"]
  row {
    column   = "restaurant_name"
    operator = "EQUALS"
    value    = "${{ restaurant_name }}"
  }
  applications = ["APP00000000000000000000000000"]
}
```
For a deep dive into dynamic values and building multi-tenant applications, refer to our Multi-tenant JWT Tokens guide.
Assigning Access Policies to Applications
Access Policies are assigned to Applications to enforce data access controls.
Access Policy Relationships
A Data Pool can have multiple Policies, each assigned to multiple Applications. An Application can have at most one Policy per Data Pool.
Key points to remember:
- A Data Pool can have multiple Policies
- Each Policy can be assigned to multiple Applications
- An Application can have at most one Policy per Data Pool
Access Policies and Metrics
Metrics automatically inherit Access Policies from their parent Data Pool. An Application can only query a Metric if its Access Policy permits access to all columns used in that Metric’s definition.
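The relationship and Metric rules above can be checked in a policy review before changes are applied. The following is an added example, not Propel's code or API: it models policies as plain dictionaries whose fields mirror the Terraform resource (`filter_sql` is an assumed name standing in for the row rule), uses constructed IDs, and flags wildcard policies with no row rule as well as Applications holding more than one policy on the same Data Pool.

```python
from collections import defaultdict

# Constructed sample policies (IDs and the filter_sql field name are assumptions).
POLICIES = [
    {"unique_name": "Column-specific Access Policy", "data_pool": "DPO_TACOS",
     "columns": ["taco_name", "taco_total_price"], "filter_sql": None,
     "applications": ["APP_DASHBOARD"]},
    {"unique_name": "All-columns Access Policy", "data_pool": "DPO_TACOS",
     "columns": ["*"], "filter_sql": None,
     "applications": ["APP_DASHBOARD", "APP_ADMIN"]},
    {"unique_name": "Row-level Access Policy", "data_pool": "DPO_TACOS",
     "columns": ["*"], "filter_sql": "restaurant_name = 'Farolito'",
     "applications": ["APP_PARTNER"]},
]

def lint_policies(policies):
    """Return (findings, index); index maps (application, data_pool) -> policies."""
    findings, by_app_pool = [], defaultdict(list)
    for p in policies:
        # Wildcard columns with no row rule exposes the entire Data Pool.
        if "*" in p["columns"] and not p["filter_sql"]:
            findings.append(("unrestricted", p["unique_name"]))
        for app in p["applications"]:
            by_app_pool[(app, p["data_pool"])].append(p)
    # An Application can have at most one Policy per Data Pool.
    for (app, pool), assigned in sorted(by_app_pool.items()):
        if len(assigned) > 1:
            names = sorted(p["unique_name"] for p in assigned)
            findings.append(("multiple_policies", app, pool, names))
    return findings, by_app_pool

def can_query_metric(policy, metric_columns):
    """Metric rule: every column in the Metric's definition must be permitted."""
    allowed = set(policy["columns"])
    return "*" in allowed or set(metric_columns) <= allowed

if __name__ == "__main__":
    for finding in lint_policies(POLICIES)[0]:
        print(finding)
```
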