Useful Okera Builtin Functions

Useful Okera Builtins

These functions are useful for privacy and security and can be combined in policies with Okera's privacy functions for conditional matching. You can include these functions in the policy builder by selecting "Custom SQL" under the "Transformation type" dropdown, or by using a SQL IF statement as part of a row filter/'WHERE' condition.

This page defines the specification for Okera's custom builtin functions.

Summary

| Name | Function | Description |
| --- | --- | --- |
| Autotag | autotag() | Applies the autotagging rules to the given string. Useful for testing autotagging rules. |
| Get groups | get_groups() | Returns the groups of the given user/group. |
| Get roles | get_roles() | Returns the roles of the given user/group. |
| Get tags | get_tags() | Returns the tags associated with a schema registry object. |
| Has access | has_access() | Returns true if the user has access to a specified resource, else returns false. |
| Has roles | has_roles() | Returns true if the user has the specified roles, else returns false. |

Autotag

STRING autotag(STRING)

Applies the auto-tagging rules to a given string.

Added in ODAS 1.6.0.

> SELECT autotag("125.1.10.34") 
pii.ipv4

Get groups

STRING get_groups(STRING)

Returns the groups a given user is part of.

Added in ODAS 1.6.0.

> SELECT get_groups("analyst")
analyst,mktg_analyst

Get roles

STRING get_roles(STRING)

Returns the roles a given user has access to.

Added in ODAS 1.6.0.

> SELECT get_roles("analyst")
mktg_analyst_role,okera_public_role,okera_workspace_role

Get tags

STRING get_tags(STRING)

Returns the tags a given resource (such as a database or dataset) is associated with.

Added in ODAS 1.6.0.

> SELECT get_tags("customer.account_address_created");
dog.labradoodle,feline.lion

Has access

BOOLEAN has_access(STRING)

The has_access() function allows performing conditional checks. It returns true if the current user has access to the given catalog object, otherwise returns false.

Example: Using the has_access() function

```sql
SELECT has_access('prod_db');
-- 'True' if the user has access to all of prod db

SELECT has_access('prod_db.sales_data');
-- 'True' if the user has access to this table (or view)

-- To query multiple catalog objects:
SELECT has_access('prod_db1,prod_db2');
-- 'True' if the user has access to both databases
```

Has roles

BOOLEAN has_roles(STRING)

The has_roles() function returns true when the current user is granted all of the listed roles, specified as a comma-separated list.

Example: Using the has_roles() function

```sql
SELECT has_roles('dev_role');
-- false: dev_role is not granted to the current user

SELECT has_roles('sales_role');
-- true: sales_role is granted to the current user

SELECT has_roles('sales_role,dev_role');
-- false: dev_role is not granted to the current user
```
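The introduction says these functions can be used in a row filter/WHERE condition or a SQL IF; the following added example (not from the Okera documentation) sketches both with has_roles() and has_access(). The table sales_db.orders, its columns, and sales_db.customers are hypothetical, and writing the IF as a function call IF(condition, a, b) is an assumption about the form the introduction refers to.

```sql
-- Added example. sales_db.orders, sales_db.customers and all column names
-- are hypothetical; only has_roles() and has_access() come from this page.

-- Row filter.
-- has_roles() with a comma-separated list is true only when ALL listed roles
-- are granted, so "either role" must be written as separate calls joined by OR.
-- A caller holding neither role matches no branch and gets zero rows
-- (the filter fails closed).
SELECT order_id, region, amount
FROM sales_db.orders
WHERE has_roles('sales_role')                         -- sales users: every row
   OR (has_roles('dev_role') AND region = 'test');    -- dev users: test rows only

-- Not equivalent: this requires BOTH roles and would lock out a user
-- who holds only sales_role.
SELECT order_id, region, amount
FROM sales_db.orders
WHERE has_roles('sales_role,dev_role');

-- Conditional column.
-- Reveal customer_email only to callers who can already read the customers
-- table; everyone else sees NULL instead of the value.
-- (IF(cond, a, b) in function form is an assumption, see the lead-in.)
SELECT order_id,
       IF(has_access('sales_db.customers'), customer_email, NULL) AS customer_email
FROM sales_db.orders;
```

When reviewing a policy built this way, check each comma-separated argument against the intended semantics: a list inside one has_roles() or has_access() call narrows access, it never widens it.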