Can I hook into the IRIS SQL compiler to inject dynamic policies (e.g., tenant filtering, row masking)?
We require automatic injection of security predicates at runtime, depending on the user or API token. Is there a supported or hackable mechanism to manipulate SQL parsing/compilation before execution?
Comments
No.
You can filter results based on the row level security policy Row-Level Security https://docs.intersystems.com/iris20252/csp/docbook/Doc.View.cls?KEY=GOBJ_persother_rls#GOBJ_persother_rlssetup
You can also grant access to specific columns in tables to particular roles, and then grant these roles to a particular user https://docs.intersystems.com/iris20252/csp/docbook/Doc.View.cls?KEY=RSQL_grant#RSQL_grant_synopsis
I think @Alexander Koblov actually meant "Yes" :-), as row-level security was indeed designed for exactly this purpose, to inject additional filters into queries based on their credentials.