
Policy enforcement decision logic

Basic enforcement decision logic

Policy decisions depend on explicit ALLOW policies: nothing is permitted by default. When a request comes in, the policy decision engine evaluates every rule that applies to the request and allows it only if both of the following conditions are met:

    There is no explicit DENY policy that matches the request.
    There is at least one ALLOW policy that matches the request for the resource.

An explicit DENY therefore always wins over an ALLOW, and a request with no matching policy at all is denied.


Redaction logic

When enforcing REDACTION policies, an interaction occurs between all of the following:

    The default REDACTION format defined as part of the vault schema
    The REDACTION policy set as part of governing access to the vault
    The REDACTION parameter set in the access request

This interaction and the resulting REDACTION decision are captured in the following table. A requested value of DEFAULT resolves to the column's schema-level default; "(not set)" means no REDACTION policy is defined for the column through vault governance, and a DENY decision produces no output.

| Permission granted on the column (vault governance) | Default column redaction (schema level) | Column redaction policy (vault governance) | Requested redaction (API/SQL call) | Policy decision | Observed redaction in the output |
|---|---|---|---|---|---|
| ALLOW READ | REDACTED | PLAIN_TEXT | PLAIN_TEXT | ALLOW | PLAIN_TEXT |
| ALLOW READ | REDACTED | PLAIN_TEXT | REDACTED | ALLOW | REDACTED |
| ALLOW READ | REDACTED | PLAIN_TEXT | DEFAULT | ALLOW | REDACTED |
| ALLOW READ | REDACTED | PLAIN_TEXT | MASKED | ALLOW | MASKED |
| ALLOW READ | PLAIN_TEXT | REDACTED | DEFAULT | DENY | (no output) |
| ALLOW READ | PLAIN_TEXT | REDACTED | PLAIN_TEXT | DENY | (no output) |
| ALLOW READ | REDACTED | (not set) | DEFAULT | ALLOW | REDACTED |
| ALLOW READ | REDACTED | (not set) | REDACTED | ALLOW | REDACTED |
| ALLOW READ | PLAIN_TEXT | (not set) | REDACTED | ALLOW | REDACTED |

Two points follow from the rows. First, the governance redaction policy bounds how much of a value the caller can see: when the request (or the schema default it resolves to) would expose more than the policy permits, the request is denied outright rather than silently downgraded to the permitted format. Second, when no governance redaction policy is set, the requested format applies, with DEFAULT falling back to the schema-level default.
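The basic decision rules (explicit DENY wins, at least one matching ALLOW required) and the redaction table above, implemented together as an added Python example. This is illustration code written for this page, not the vault product's own engine: the `Policy` class, the function names, the exact-match resource comparison and the `EXPOSURE` ordering (REDACTED below MASKED below PLAIN_TEXT, with the governance redaction policy acting as a ceiling on exposure) are assumptions chosen so that the evaluator reproduces every row of the table; the page states the rows, not that ordering.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumption of this example: redaction formats ordered by how much of the
# stored value they expose. The governance policy caps the allowed level.
EXPOSURE = {"REDACTED": 0, "MASKED": 1, "PLAIN_TEXT": 2}


def _exposure(level: str) -> int:
    if level not in EXPOSURE:
        raise ValueError(f"unknown redaction level: {level!r}")
    return EXPOSURE[level]


@dataclass(frozen=True)
class Policy:
    """One governance rule (hypothetical shape, not the product's schema)."""
    effect: str                      # "ALLOW" or "DENY"
    action: str                      # e.g. "READ"
    resource: str                    # e.g. "vault1.persons.ssn" (exact match here)
    redaction: Optional[str] = None  # governance redaction policy, None if not set


def _matching(policies: List[Policy], action: str, resource: str) -> List[Policy]:
    return [p for p in policies if p.action == action and p.resource == resource]


def decide_access(policies: List[Policy], action: str, resource: str) -> str:
    """Basic enforcement: any explicit DENY wins, otherwise an ALLOW is required."""
    hits = _matching(policies, action, resource)
    if any(p.effect == "DENY" for p in hits):
        return "DENY"
    if any(p.effect == "ALLOW" for p in hits):
        return "ALLOW"
    return "DENY"  # no matching ALLOW: implicit deny


def decide_redaction(policies: List[Policy], resource: str,
                     schema_default: str, requested: str) -> Tuple[str, Optional[str]]:
    """READ on one column: returns (decision, observed redaction or None)."""
    if decide_access(policies, "READ", resource) != "ALLOW":
        return ("DENY", None)
    # DEFAULT in the request resolves to the schema-level default.
    effective = schema_default if requested == "DEFAULT" else requested
    _exposure(effective)
    # Ceiling: most permissive redaction set on any matching ALLOW policy.
    ceilings = [p.redaction for p in _matching(policies, "READ", resource)
                if p.effect == "ALLOW" and p.redaction is not None]
    if ceilings:
        ceiling = max(ceilings, key=_exposure)
        if _exposure(effective) > _exposure(ceiling):
            # More exposure than governance permits: deny, do not downgrade.
            return ("DENY", None)
    return ("ALLOW", effective)


# The rows of the page's table, transcribed: (schema default, governance
# redaction policy or None when not set, requested, decision, observed).
TABLE = [
    ("REDACTED", "PLAIN_TEXT", "PLAIN_TEXT", "ALLOW", "PLAIN_TEXT"),
    ("REDACTED", "PLAIN_TEXT", "REDACTED", "ALLOW", "REDACTED"),
    ("REDACTED", "PLAIN_TEXT", "DEFAULT", "ALLOW", "REDACTED"),
    ("REDACTED", "PLAIN_TEXT", "MASKED", "ALLOW", "MASKED"),
    ("PLAIN_TEXT", "REDACTED", "DEFAULT", "DENY", None),
    ("PLAIN_TEXT", "REDACTED", "PLAIN_TEXT", "DENY", None),
    ("REDACTED", None, "DEFAULT", "ALLOW", "REDACTED"),
    ("REDACTED", None, "REDACTED", "ALLOW", "REDACTED"),
    ("PLAIN_TEXT", None, "REDACTED", "ALLOW", "REDACTED"),
]


def check_table(resource: str = "vault1.persons.ssn") -> list:
    """Run every table row through the evaluator; return the rows it gets wrong."""
    failures = []
    for schema_default, governance, requested, want_decision, want_observed in TABLE:
        policies = [Policy("ALLOW", "READ", resource, governance)]
        got = decide_redaction(policies, resource, schema_default, requested)
        if got != (want_decision, want_observed):
            failures.append((schema_default, governance, requested, got))
    return failures


if __name__ == "__main__":
    print("table mismatches:", check_table())
    # An explicit DENY overrides an ALLOW on the same resource.
    rules = [Policy("ALLOW", "READ", "vault1.persons.ssn", "PLAIN_TEXT"),
             Policy("DENY", "READ", "vault1.persons.ssn")]
    print(decide_redaction(rules, "vault1.persons.ssn", "REDACTED", "PLAIN_TEXT"))
```

`check_table()` returning an empty list is the check worth keeping: if a future change to the ordering or the ceiling rule breaks a row, the failing row is reported rather than a bare boolean. The same structure also covers the edge the table only implies: a denied read returns no redaction level at all, so callers cannot mistake a denial for a redacted value.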
