diff --git a/docs/cn/guides/56-security/access-control/01-privileges.md b/docs/cn/guides/56-security/access-control/01-privileges.md index 448cd5cd6a..ae2c1a02be 100644 --- a/docs/cn/guides/56-security/access-control/01-privileges.md +++ b/docs/cn/guides/56-security/access-control/01-privileges.md @@ -108,15 +108,17 @@ Databend 提供多种权限,实现对数据库对象的细粒度控制,可 ### 所有权限 | 权限 | 对象类型 | 描述 | -|:------------------|:------------------------------|:---------------------------------------------------------------------------------------------------------------------------------------------------| -| ALL | 所有 | 授予指定对象类型的全部权限。 | -| ALTER | Global, Database, Table, View | 修改数据库、表、用户或 UDF。 | -| CREATE | Global, Table | 创建表或 UDF。 | -| CREATE DATABASE | Global | 创建数据库或 UDF。 | -| CREATE WAREHOUSE | Global | 创建 Warehouse。 | -| CREATE CONNECTION | Global | 创建 Connection。 | -| CREATE SEQUENCE | Global | 创建 Sequence。 | -| CREATE PROCEDURE | PROCEDURE | 创建 Procedure。 | +|:------------------|:------------------------------|:--------------------------------------------------------------------------------------------------------------------------------------------| +| ALL | 所有 | 授予指定对象类型的全部权限。 | +| APPLY MASKING POLICY | Global, Masking Policy | 附加/解除、描述或删除脱敏策略。授予 `*.*` 时,可在整个账号范围管理所有脱敏策略。 | +| ALTER | Global, Database, Table, View | 修改数据库、表、用户或 UDF。 | +| CREATE | Global, Table | 创建表或 UDF。 | +| CREATE DATABASE | Global | 创建数据库或 UDF。 | +| CREATE WAREHOUSE | Global | 创建 Warehouse。 | +| CREATE CONNECTION | Global | 创建 Connection。 | +| CREATE SEQUENCE | Global | 创建 Sequence。 | +| CREATE PROCEDURE | PROCEDURE | 创建 Procedure。 | +| CREATE MASKING POLICY | Global | 创建脱敏策略。 | | DELETE | Table | 删除或截断表中的行。 | | DROP | Global, Database, Table, View | 删除数据库、表、View 或 UDF;恢复已删除的表。 | | INSERT | Table | 向表插入行。 | 
@@ -256,4 +258,13 @@ Databend 提供多种权限,实现对数据库对象的细粒度控制,可 |:-----------------|:--------------------------------------------------------------------------------------| | Access Procedure | 可访问 Procedure(如 Drop、Call、Desc)。 | | ALL | 授予指定对象类型的 Access Procedure 权限。 | -| OWNERSHIP | 授予对 Procedure 的完全控制权;在特定对象上一次只能有一个角色持有此权限。 | \ No newline at end of file +| OWNERSHIP | 授予对 Procedure 的完全控制权;在特定对象上一次只能有一个角色持有此权限。 | + +### 脱敏策略权限 + +除 `CREATE MASKING POLICY` 与 `APPLY MASKING POLICY` 全局权限外,还可以针对单个脱敏策略授予权限: + +| 权限 | 描述 | +|:------|:--------------------------------------------------------------------------------------------------------| +| APPLY | 将脱敏策略绑定/解绑到列,同时允许执行 DESC/DROP 操作。 | +| OWNERSHIP | 授予对脱敏策略的完全控制权。Databend 会在策略创建时自动将 OWNERSHIP 授予当前角色,并在策略被删除时自动回收。 | diff --git a/docs/cn/guides/56-security/masking-policy.md b/docs/cn/guides/56-security/masking-policy.md index 425e5d8f3e..4b63c623ef 100644 --- a/docs/cn/guides/56-security/masking-policy.md +++ b/docs/cn/guides/56-security/masking-policy.md @@ -81,6 +81,12 @@ SELECT * FROM user_info; - 确保用户已分配适当角色 - 角色管理请参考 [User & Role](/sql/sql-commands/ddl/user/) +### 所需权限 + +- 需要将 `CREATE MASKING POLICY`(通常授予 `*.*`)赋予负责创建或替换脱敏策略的角色。Databend 会在策略创建完成后自动将该策略的 OWNERSHIP 授予当前角色。 +- 需要将全局 `APPLY MASKING POLICY` 权限,或使用 `GRANT APPLY ON MASKING POLICY ` 为角色授予特定策略的控制权,才能在 `ALTER TABLE` 中设置/解除策略;拥有该策略的 OWNERSHIP 也可执行这些操作。 +- 通过 `SHOW GRANTS ON MASKING POLICY ` 可以审计哪些角色拥有 APPLY 或 OWNERSHIP 权限。 + ## 策略管理 有关创建、修改和管理动态脱敏策略(Masking Policy)的详细命令,请查阅: diff --git a/docs/cn/sql-reference/10-sql-commands/00-ddl/01-table/90-alter-table.md b/docs/cn/sql-reference/10-sql-commands/00-ddl/01-table/90-alter-table.md index bdfcfad930..5a3e399ce2 100644 --- a/docs/cn/sql-reference/10-sql-commands/00-ddl/01-table/90-alter-table.md +++ b/docs/cn/sql-reference/10-sql-commands/00-ddl/01-table/90-alter-table.md 
@@ -6,7 +6,7 @@ slug: /sql-commands/ddl/table/alter-table import FunctionDescription from '@site/src/components/FunctionDescription'; - + import EEFeature from '@site/src/components/EEFeature'; @@ -75,6 +75,7 @@ DROP [ COLUMN ] - 当声明了 `USING (...)` 时,必须至少提供被脱敏的列以及策略所需的其他列,并确保 `USING` 中的第一个标识符与正在修改的列一致。 - 只有常规表支持绑定脱敏策略;视图、流表以及临时表均无法执行 `SET MASKING POLICY`。 - 单个列最多只能附加一个安全策略(无论是列脱敏还是行级策略)。在重新绑定之前,请先移除原有策略。 +- 设置或取消设置脱敏策略需要拥有全局 `APPLY MASKING POLICY` 权限,或针对目标策略具有 APPLY/OWNERSHIP 权限,否则 `ALTER TABLE` 会被拒绝。 ::: :::caution diff --git a/docs/cn/sql-reference/10-sql-commands/00-ddl/02-user/10-grant.md b/docs/cn/sql-reference/10-sql-commands/00-ddl/02-user/10-grant.md index e53a31e8b2..b17c855f0e 100644 --- a/docs/cn/sql-reference/10-sql-commands/00-ddl/02-user/10-grant.md +++ b/docs/cn/sql-reference/10-sql-commands/00-ddl/02-user/10-grant.md @@ -5,7 +5,7 @@ sidebar_position: 9 import FunctionDescription from '@site/src/components/FunctionDescription'; - + 为特定的数据库对象授予权限、角色和所有权。包括: @@ -52,6 +52,9 @@ schemaObjectPrivileges ::= -- For UDF { USAGE } + +-- For MASKING POLICY + { CREATE MASKING POLICY | APPLY MASKING POLICY } ``` ```sql @@ -61,8 +64,24 @@ privileges_level ::= | db_name.tbl_name | STAGE | UDF + | MASKING POLICY ``` +### 授予脱敏策略权限 + +要针对某个脱敏策略授予权限,可使用以下语句: + +```sql +GRANT APPLY ON MASKING POLICY TO [ ROLE ] +GRANT ALL [ PRIVILEGES ] ON MASKING POLICY TO [ ROLE ] +GRANT OWNERSHIP ON MASKING POLICY TO ROLE '' +``` + +- `CREATE MASKING POLICY` 允许创建策略。 +- `APPLY MASKING POLICY`(全局)允许在任意表上设置/解除、描述或删除任何脱敏策略。 +- `GRANT APPLY ON MASKING POLICY ...` 可针对单个策略授权,避免授予全局访问。 +- OWNERSHIP 赋予对策略的完全控制权。创建脱敏策略后,Databend 会自动将 OWNERSHIP 授予当前角色,并在策略删除时回收。 + ### Granting Role 要了解什么是角色以及它是如何工作的,请参见 [Roles](/guides/security/access-control/roles)。 
@@ -251,3 +270,19 @@ GRANT OWNERSHIP ON STAGE ingestion_stage TO ROLE 'data_owner'; -- Grant ownership of the user-defined function 'calculate_profit' to the role 'data_owner' GRANT OWNERSHIP ON UDF calculate_profit TO ROLE 'data_owner'; ``` + +### Example 5: Granting Masking Policy Privileges + +```sql +-- 授权角色创建脱敏策略 +GRANT CREATE MASKING POLICY ON *.* TO ROLE security_admin; + +-- 在 security_admin 角色下创建策略 +CREATE MASKING POLICY email_mask AS (val STRING) RETURNS STRING -> '***'; + +-- 仅允许 pii_readers 角色在表列上应用该策略 +GRANT APPLY ON MASKING POLICY email_mask TO ROLE pii_readers; + +-- 查看策略的授权情况 +SHOW GRANTS ON MASKING POLICY email_mask; +``` diff --git a/docs/cn/sql-reference/10-sql-commands/00-ddl/02-user/11-revoke.md b/docs/cn/sql-reference/10-sql-commands/00-ddl/02-user/11-revoke.md index 0f7586d29a..ec1f2895c3 100644 --- a/docs/cn/sql-reference/10-sql-commands/00-ddl/02-user/11-revoke.md +++ b/docs/cn/sql-reference/10-sql-commands/00-ddl/02-user/11-revoke.md @@ -4,7 +4,7 @@ sidebar_position: 11 --- import FunctionDescription from '@site/src/components/FunctionDescription'; - + 撤销特定数据库对象的权限、角色和所有权。 这包括: @@ -48,6 +48,9 @@ schemaObjectPrivileges ::= -- For UDF { USAGE } + +-- For MASKING POLICY + { CREATE MASKING POLICY | APPLY MASKING POLICY } ``` ```sql @@ -57,8 +60,19 @@ privileges_level ::= | db_name.tbl_name | STAGE | UDF + | MASKING POLICY +``` + +### 撤销脱敏策略权限 + +```sql +REVOKE APPLY ON MASKING POLICY FROM [ ROLE ] +REVOKE ALL [ PRIVILEGES ] ON MASKING POLICY FROM [ ROLE ] +REVOKE OWNERSHIP ON MASKING POLICY FROM ROLE '' ``` +以上语句用于撤销针对特定脱敏策略的 APPLY 或 OWNERSHIP 权限。若需撤销全局 `CREATE MASKING POLICY` 或 `APPLY MASKING POLICY`,可结合 `ON *.*` 使用标准语法。 + ### 撤销角色 ```sql 
@@ -159,4 +173,14 @@ SHOW GRANTS FOR user1; | GRANT ALL ON 'default'.* TO 'user1'@'%' | | GRANT ALL ON *.* TO 'user1'@'%' | +-----------------------------------------+ -``` \ No newline at end of file +``` + +### 示例 4:撤销脱敏策略权限 + +```sql +-- 撤销针对单个脱敏策略的 APPLY 权限 +REVOKE APPLY ON MASKING POLICY email_mask FROM ROLE pii_readers; + +-- 撤销角色在整个账号范围创建脱敏策略的权限 +REVOKE CREATE MASKING POLICY ON *.* FROM ROLE security_admin; +``` diff --git a/docs/cn/sql-reference/10-sql-commands/00-ddl/02-user/22-show-grants.md b/docs/cn/sql-reference/10-sql-commands/00-ddl/02-user/22-show-grants.md index 3386b80cda..c36d136952 100644 --- a/docs/cn/sql-reference/10-sql-commands/00-ddl/02-user/22-show-grants.md +++ b/docs/cn/sql-reference/10-sql-commands/00-ddl/02-user/22-show-grants.md @@ -4,7 +4,7 @@ sidebar_position: 10 --- import FunctionDescription from '@site/src/components/FunctionDescription'; - + 列出明确授予用户、角色或特定对象的权限。 @@ -24,7 +24,7 @@ SHOW GRANTS FOR [ LIKE '' | WHERE | LIMIT ] SHOW GRANTS FOR ROLE [ LIKE '' | WHERE | LIMIT ] -- 列出授予对象的权限 -SHOW GRANTS ON { STAGE | TABLE | DATABASE | UDF } [ LIKE '' | WHERE | LIMIT ] +SHOW GRANTS ON { STAGE | TABLE | DATABASE | UDF | MASKING POLICY } [ LIKE '' | WHERE | LIMIT ] -- 列出所有已直接授予 role_name 的用户和角色。 SHOW GRANTS OF ROLE @@ -89,4 +89,7 @@ SHOW GRANTS OF ROLE analyst │ analyst │ USER │ user1 │ ╰─────────────────────────────────────╯ -``` \ No newline at end of file + +-- 查看脱敏策略的授权 +SHOW GRANTS ON MASKING POLICY email_mask; +``` diff --git a/docs/cn/sql-reference/10-sql-commands/00-ddl/12-mask-policy/create-mask-policy.md b/docs/cn/sql-reference/10-sql-commands/00-ddl/12-mask-policy/create-mask-policy.md index 91b0f21b5e..bc2604e136 100644 --- a/docs/cn/sql-reference/10-sql-commands/00-ddl/12-mask-policy/create-mask-policy.md +++ b/docs/cn/sql-reference/10-sql-commands/00-ddl/12-mask-policy/create-mask-policy.md 
@@ -5,7 +5,7 @@ sidebar_position: 1 import FunctionDescription from '@site/src/components/FunctionDescription'; - + import EEFeature from '@site/src/components/EEFeature'; @@ -36,6 +36,14 @@ CREATE [ OR REPLACE ] MASKING POLICY [ IF NOT EXISTS ] AS 确保 *arg_type_to_mask* 与将应用脱敏策略的列的数据类型匹配。当策略包含多个参数时,必须在 `ALTER TABLE ... SET MASKING POLICY` 的 `USING` 子句中按相同顺序列出对应列。 ::: +## 访问控制要求 + +| 权限 | 描述 | +|:-----|:-----| +| CREATE MASKING POLICY | 创建或替换脱敏策略时所需的权限(通常授予 `*.*`)。 | + +策略创建成功后,Databend 会自动将该策略的 OWNERSHIP 授予当前角色,方便与其他角色协同管理该策略。 + ## 示例 此示例演示了如何结合 `USING` 子句引用额外列,根据用户角色或其他列的值选择性地显示或脱敏敏感数据。 diff --git a/docs/cn/sql-reference/10-sql-commands/00-ddl/12-mask-policy/desc-mask-policy.md b/docs/cn/sql-reference/10-sql-commands/00-ddl/12-mask-policy/desc-mask-policy.md index 93ac988c9a..3daa68a29a 100644 --- a/docs/cn/sql-reference/10-sql-commands/00-ddl/12-mask-policy/desc-mask-policy.md +++ b/docs/cn/sql-reference/10-sql-commands/00-ddl/12-mask-policy/desc-mask-policy.md @@ -5,7 +5,7 @@ sidebar_position: 2 import FunctionDescription from '@site/src/components/FunctionDescription'; - + import EEFeature from '@site/src/components/EEFeature'; @@ -19,6 +19,14 @@ import EEFeature from '@site/src/components/EEFeature'; DESC MASKING POLICY ``` +## 访问控制要求 + +| 权限 | 描述 | +|:-----|:-----| +| APPLY MASKING POLICY | 描述脱敏策略时需要具备的权限;拥有该策略的 OWNERSHIP 亦可满足要求。 | + +只要具备全局 `APPLY MASKING POLICY` 权限,或对指定策略拥有 APPLY/OWNERSHIP,即可查看策略定义。 + ## 示例 ```sql @@ -44,4 +52,4 @@ Signature |(val STRING) Return Type|STRING | Body |CASE WHEN current_role() IN('MANAGERS') THEN VAL ELSE '*********' END| Comment |hide_email | -``` \ No newline at end of file +``` diff --git a/docs/cn/sql-reference/10-sql-commands/00-ddl/12-mask-policy/drop-mask-policy.md b/docs/cn/sql-reference/10-sql-commands/00-ddl/12-mask-policy/drop-mask-policy.md index 01da39e016..cf977d8539 100644 --- a/docs/cn/sql-reference/10-sql-commands/00-ddl/12-mask-policy/drop-mask-policy.md 
+++ b/docs/cn/sql-reference/10-sql-commands/00-ddl/12-mask-policy/drop-mask-policy.md @@ -5,7 +5,7 @@ sidebar_position: 3 import FunctionDescription from '@site/src/components/FunctionDescription'; - + import EEFeature from '@site/src/components/EEFeature'; @@ -19,6 +19,14 @@ import EEFeature from '@site/src/components/EEFeature'; DROP MASKING POLICY [ IF EXISTS ] ``` +## 访问控制要求 + +| 权限 | 描述 | +|:-----|:-----| +| APPLY MASKING POLICY | 删除脱敏策略时需要具备的权限;如果拥有该策略的 OWNERSHIP 也可以删除。 | + +需要全局 `APPLY MASKING POLICY` 权限,或对目标策略拥有 APPLY/OWNERSHIP。策略删除后,Databend 会自动回收之前授予的 OWNERSHIP。 + ## 示例 ```sql @@ -35,4 +43,4 @@ AS COMMENT = 'hide_email'; DROP MASKING POLICY email_mask; -``` \ No newline at end of file +``` diff --git a/docs/en/guides/56-security/access-control/01-privileges.md b/docs/en/guides/56-security/access-control/01-privileges.md index 16b798746b..b4e342d2a1 100644 --- a/docs/en/guides/56-security/access-control/01-privileges.md +++ b/docs/en/guides/56-security/access-control/01-privileges.md @@ -110,6 +110,7 @@ Databend offers a range of privileges that allow you to exercise fine-grained co | Privilege | Object Type | Description | |:------------------|:------------------------------|:---------------------------------------------------------------------------------------------------------------------------------------------------| | ALL | All | Grants all the privileges for the specified object type. | +| APPLY MASKING POLICY | Global, Masking Policy | Attaches, detaches, describes, or drops masking policies. When granted on *.*, the grantee can manage any masking policy. | | ALTER | Global, Database, Table, View | Alters a database, table, user or UDF. | | CREATE | Global, Table | Creates a table or UDF. | | CREATE DATABASE | Global | Creates a database or UDF. | 
@@ -117,6 +118,7 @@ Databend offers a range of privileges that allow you to exercise fine-grained co | CREATE CONNECTION | Global | Creates a connection. | | CREATE SEQUENCE | Global | Creates a sequence. | | CREATE PROCEDURE | PROCEDURE | Creates a procedure. | +| CREATE MASKING POLICY | Global | Creates a masking policy. | | DELETE | Table | Deletes or truncates rows in a table. | | DROP | Global, Database, Table, View | Drops a database, table, view or UDF. Undrops a table. | | INSERT | Table | Inserts rows into a table. | @@ -259,3 +261,11 @@ Please note that you can use the [USE DATABASE](/sql/sql-commands/ddl/database/d | ALL | Grants Access Procedure privileges for the specified object type. | | OWNERSHIP | Grants full control over a Procedure. Only a single role can hold this privilege on a specific object at a time. | +### Masking Policy Privileges + +In addition to the global `CREATE MASKING POLICY` and `APPLY MASKING POLICY` privileges, you can grant access to individual masking policies: + +| Privilege | Description | +|:----------|:--------------------------------------------------------------------------------------------------------------------------------------| +| APPLY | Attaches or detaches the masking policy from columns, and allows DESC/DROP operations on the policy. | +| OWNERSHIP | Grants full control over a masking policy. Databend grants OWNERSHIP to the role that creates the policy and revokes it automatically when the policy is dropped. | diff --git a/docs/en/guides/56-security/masking-policy.md b/docs/en/guides/56-security/masking-policy.md index 7fb02b445e..7e4ae9df06 100644 --- a/docs/en/guides/56-security/masking-policy.md +++ b/docs/en/guides/56-security/masking-policy.md 
@@ -81,6 +81,12 @@ SELECT * FROM user_info; - Ensure users have appropriate roles assigned - See [User & Role](/sql/sql-commands/ddl/user/) for role management +### Required Privileges + +- Grant `CREATE MASKING POLICY` on `*.*` to any role that needs to create or replace masking policies. Databend automatically grants OWNERSHIP on a newly created policy to the current role. +- Grant either the global `APPLY MASKING POLICY` privilege or `APPLY ON MASKING POLICY ` to roles that attach/detach policies using `ALTER TABLE`. OWNERSHIP on the policy also allows these operations. +- Use `SHOW GRANTS ON MASKING POLICY ` to audit which roles can apply or own a specific policy. + ## Policy Management For detailed commands to create, modify, and manage masking policies, see: diff --git a/docs/en/sql-reference/10-sql-commands/00-ddl/01-table/90-alter-table.md b/docs/en/sql-reference/10-sql-commands/00-ddl/01-table/90-alter-table.md index 6bbed397db..7b3a8b9a7f 100644 --- a/docs/en/sql-reference/10-sql-commands/00-ddl/01-table/90-alter-table.md +++ b/docs/en/sql-reference/10-sql-commands/00-ddl/01-table/90-alter-table.md @@ -6,7 +6,7 @@ slug: /sql-commands/ddl/table/alter-table import FunctionDescription from '@site/src/components/FunctionDescription'; - + import EEFeature from '@site/src/components/EEFeature'; @@ -75,6 +75,7 @@ DROP [ COLUMN ] - If you include `USING`, provide at least the masked column plus any additional columns needed by the policy. The first identifier in `USING (...)` must match the column being modified. - Masking policies can only be attached to regular tables. Views, streams, and temporary tables do not allow `SET MASKING POLICY`. - A column can belong to at most one security policy (masking or row-level). Remove the existing policy before attaching a new one. +- Attaching, detaching, describing, or dropping a masking policy requires the global `APPLY MASKING POLICY` privilege or APPLY/OWNERSHIP on the specific masking policy. ::: :::caution 
diff --git a/docs/en/sql-reference/10-sql-commands/00-ddl/02-user/10-grant.md b/docs/en/sql-reference/10-sql-commands/00-ddl/02-user/10-grant.md index cbbea6d08a..5453fc4276 100644 --- a/docs/en/sql-reference/10-sql-commands/00-ddl/02-user/10-grant.md +++ b/docs/en/sql-reference/10-sql-commands/00-ddl/02-user/10-grant.md @@ -4,7 +4,7 @@ sidebar_position: 9 --- import FunctionDescription from '@site/src/components/FunctionDescription'; - + Grants privileges, roles, and ownership for a specific database object. This includes: @@ -51,6 +51,9 @@ schemaObjectPrivileges ::= -- For UDF { USAGE } + +-- For MASKING POLICY (account-level privileges) + { CREATE MASKING POLICY | APPLY MASKING POLICY } ``` ```sql @@ -60,8 +63,24 @@ privileges_level ::= | db_name.tbl_name | STAGE | UDF + | MASKING POLICY +``` + +### Granting Masking Policy Privileges + +Use the following forms to manage access to individual masking policies: + +```sql +GRANT APPLY ON MASKING POLICY TO [ ROLE ] +GRANT ALL [ PRIVILEGES ] ON MASKING POLICY TO [ ROLE ] +GRANT OWNERSHIP ON MASKING POLICY TO ROLE '' ``` +- `CREATE MASKING POLICY` allows a user or role to create new masking policies. +- `APPLY MASKING POLICY` lets grantees attach, detach, describe, or drop any masking policy when combined with the appropriate `ALTER TABLE` or policy commands. +- `GRANT APPLY ON MASKING POLICY ...` authorizes the grantee to manage a specific masking policy without granting global access. +- OWNERSHIP provides full control over the masking policy; Databend automatically grants OWNERSHIP on a new policy to the creator role and revokes it when the policy is dropped. + ### Granting Role To understand what a role is and how it works, see [Roles](/guides/security/access-control/roles). 
@@ -239,4 +258,20 @@ GRANT OWNERSHIP ON STAGE ingestion_stage TO ROLE 'data_owner'; -- Grant ownership of the user-defined function 'calculate_profit' to the role 'data_owner' GRANT OWNERSHIP ON UDF calculate_profit TO ROLE 'data_owner'; -``` \ No newline at end of file +``` + +### Example 5: Granting Masking Policy Privileges + +```sql +-- Allow the current user to create masking policies +GRANT CREATE MASKING POLICY ON *.* TO ROLE security_admin; + +-- Create a masking policy while assuming the security_admin role +CREATE MASKING POLICY email_mask AS (val STRING) RETURNS STRING -> '***'; + +-- Grant a role the ability to apply the policy when altering tables +GRANT APPLY ON MASKING POLICY email_mask TO ROLE pii_readers; + +-- Review the masking policy privileges +SHOW GRANTS ON MASKING POLICY email_mask; +``` diff --git a/docs/en/sql-reference/10-sql-commands/00-ddl/02-user/11-revoke.md b/docs/en/sql-reference/10-sql-commands/00-ddl/02-user/11-revoke.md index 6774da6219..fb9fd5de6f 100644 --- a/docs/en/sql-reference/10-sql-commands/00-ddl/02-user/11-revoke.md +++ b/docs/en/sql-reference/10-sql-commands/00-ddl/02-user/11-revoke.md @@ -4,7 +4,7 @@ sidebar_position: 11 --- import FunctionDescription from '@site/src/components/FunctionDescription'; - + Revokes privileges, roles, and ownership of a specific database object. This includes: @@ -48,6 +48,9 @@ schemaObjectPrivileges ::= -- For UDF { USAGE } + +-- For MASKING POLICY (account-level privileges) + { CREATE MASKING POLICY | APPLY MASKING POLICY } ``` ```sql 
@@ -57,8 +60,19 @@ privileges_level ::= | db_name.tbl_name | STAGE | UDF + | MASKING POLICY +``` + +### Revoking Masking Policy Privileges + +```sql +REVOKE APPLY ON MASKING POLICY FROM [ ROLE ] +REVOKE ALL [ PRIVILEGES ] ON MASKING POLICY FROM [ ROLE ] +REVOKE OWNERSHIP ON MASKING POLICY FROM ROLE '' ``` +Use these forms to remove access to individual masking policies. Global `CREATE MASKING POLICY` and `APPLY MASKING POLICY` privileges are revoked using the standard syntax with `ON *.*`. + ### Revoking Role ```sql @@ -159,4 +173,14 @@ SHOW GRANTS FOR user1; | GRANT ALL ON 'default'.* TO 'user1'@'%' | | GRANT ALL ON *.* TO 'user1'@'%' | +-----------------------------------------+ -``` \ No newline at end of file +``` + +### Example 4: Revoking Masking Policy Privileges + +```sql +-- Remove per-policy access from a role +REVOKE APPLY ON MASKING POLICY email_mask FROM ROLE pii_readers; + +-- Revoke the ability to create masking policies at the account level +REVOKE CREATE MASKING POLICY ON *.* FROM ROLE security_admin; +``` diff --git a/docs/en/sql-reference/10-sql-commands/00-ddl/02-user/22-show-grants.md b/docs/en/sql-reference/10-sql-commands/00-ddl/02-user/22-show-grants.md index 958e1a6244..8c09ba4593 100644 --- a/docs/en/sql-reference/10-sql-commands/00-ddl/02-user/22-show-grants.md +++ b/docs/en/sql-reference/10-sql-commands/00-ddl/02-user/22-show-grants.md @@ -4,7 +4,7 @@ sidebar_position: 10 --- import FunctionDescription from '@site/src/components/FunctionDescription'; - + Lists privileges explicitly granted to a user, to a role, or on a specific object. 
@@ -24,7 +24,7 @@ SHOW GRANTS FOR [ LIKE '' | WHERE | LIMIT ] SHOW GRANTS FOR ROLE [ LIKE '' | WHERE | LIMIT ] -- List privileges granted on an object -SHOW GRANTS ON { STAGE | TABLE | DATABASE | UDF } [ LIKE '' | WHERE | LIMIT ] +SHOW GRANTS ON { STAGE | TABLE | DATABASE | UDF | MASKING POLICY } [ LIKE '' | WHERE | LIMIT ] -- Lists all users and roles that have been directly granted role_name. SHOW GRANTS OF ROLE @@ -89,4 +89,6 @@ SHOW GRANTS OF ROLE analyst │ analyst │ USER │ user1 │ ╰─────────────────────────────────────╯ -``` \ No newline at end of file +-- Inspect masking policy privileges +SHOW GRANTS ON MASKING POLICY email_mask; +``` diff --git a/docs/en/sql-reference/10-sql-commands/00-ddl/12-mask-policy/create-mask-policy.md b/docs/en/sql-reference/10-sql-commands/00-ddl/12-mask-policy/create-mask-policy.md index 16664dce8d..4ca5df805c 100644 --- a/docs/en/sql-reference/10-sql-commands/00-ddl/12-mask-policy/create-mask-policy.md +++ b/docs/en/sql-reference/10-sql-commands/00-ddl/12-mask-policy/create-mask-policy.md @@ -5,7 +5,7 @@ sidebar_position: 1 import FunctionDescription from '@site/src/components/FunctionDescription'; - + import EEFeature from '@site/src/components/EEFeature'; 
@@ -36,6 +36,14 @@ CREATE [ OR REPLACE ] MASKING POLICY [ IF NOT EXISTS ] AS Ensure that *arg_type_to_mask* matches the data type of the column where the masking policy will be applied. When your policy defines multiple parameters, list each referenced column in the same order within the `USING` clause of `ALTER TABLE ... SET MASKING POLICY`. ::: +## Access Control Requirements + +| Privilege | Description | +|:----------|:------------| +| CREATE MASKING POLICY | Required to create or replace a masking policy. Typically granted on `*.*`. | + +Databend automatically grants OWNERSHIP on the new masking policy to the current role so that it can manage the policy with others. + ## Examples This example illustrates the process of setting up a masking policy to selectively reveal or mask sensitive data based on user roles. diff --git a/docs/en/sql-reference/10-sql-commands/00-ddl/12-mask-policy/desc-mask-policy.md b/docs/en/sql-reference/10-sql-commands/00-ddl/12-mask-policy/desc-mask-policy.md index bc97d31a5b..283e0ce027 100644 --- a/docs/en/sql-reference/10-sql-commands/00-ddl/12-mask-policy/desc-mask-policy.md +++ b/docs/en/sql-reference/10-sql-commands/00-ddl/12-mask-policy/desc-mask-policy.md @@ -5,7 +5,7 @@ sidebar_position: 2 import FunctionDescription from '@site/src/components/FunctionDescription'; - + import EEFeature from '@site/src/components/EEFeature'; @@ -19,6 +19,14 @@ Displays detailed information about a specific masking policy in Databend. DESC MASKING POLICY ``` +## Access Control Requirements + +| Privilege | Description | +|:----------|:------------| +| APPLY MASKING POLICY | Required to describe a masking policy unless you own that policy. | + +Either the global `APPLY MASKING POLICY` privilege or APPLY/OWNERSHIP on the specific masking policy satisfies this requirement. + ## Examples ```sql 
@@ -44,4 +52,4 @@ Signature |(val STRING) Return Type|STRING | Body |CASE WHEN current_role() IN('MANAGERS') THEN VAL ELSE '*********' END| Comment |hide_email | -``` \ No newline at end of file +``` diff --git a/docs/en/sql-reference/10-sql-commands/00-ddl/12-mask-policy/drop-mask-policy.md b/docs/en/sql-reference/10-sql-commands/00-ddl/12-mask-policy/drop-mask-policy.md index b9cb309710..df406a91a0 100644 --- a/docs/en/sql-reference/10-sql-commands/00-ddl/12-mask-policy/drop-mask-policy.md +++ b/docs/en/sql-reference/10-sql-commands/00-ddl/12-mask-policy/drop-mask-policy.md @@ -5,7 +5,7 @@ sidebar_position: 3 import FunctionDescription from '@site/src/components/FunctionDescription'; - + import EEFeature from '@site/src/components/EEFeature'; @@ -19,6 +19,14 @@ Deletes an existing masking policy from Databend. When you drop a masking policy DROP MASKING POLICY [ IF EXISTS ] ``` +## Access Control Requirements + +| Privilege | Description | +|:----------|:------------| +| APPLY MASKING POLICY | Required to drop a masking policy unless you own that policy. | + +You must have the global `APPLY MASKING POLICY` privilege or APPLY/OWNERSHIP on the target policy. Databend automatically revokes OWNERSHIP from the creator role after the policy is dropped. + ## Examples ```sql @@ -35,4 +43,4 @@ AS COMMENT = 'hide_email'; DROP MASKING POLICY email_mask; -``` \ No newline at end of file +```
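Review bot: In the cn `01-privileges.md` hunk (`@@ -108,15 +108,17 @@`) the new `APPLY MASKING POLICY` row lists `Global, Masking Policy` as its object types, but the per-policy privilege introduced later in the same file (`### 脱敏策略权限`) and used by every `GRANT ... ON MASKING POLICY` form in this patch is named `APPLY`, not `APPLY MASKING POLICY`; the row should say `Global` only, matching the en table's own description "When granted on *.*". Style point on the same hunk: it re-pads every existing row of the table to a new column width, so nine unchanged rows show up as modified, while the en hunk only adds two rows; keep the original widths so the diff shows just the two additions.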
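Review bot: The new `### Masking Policy Privileges` / `### 脱敏策略权限` tables in the en and cn `01-privileges.md` hunks (`@@ -259,3 +261,11 @@`, `@@ -256,4 +258,13 @@`) have no `ALL` row, yet `grant.md` in this patch adds `GRANT ALL [ PRIVILEGES ] ON MASKING POLICY`, and the Procedure table directly above documents what `ALL` expands to ("Grants Access Procedure privileges"). Add an `ALL` row stating what it resolves to for a masking policy (presumably `APPLY`), so readers can tell whether `ALL` also carries `OWNERSHIP`.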
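Review bot: The `### Required Privileges` / `### 所需权限` bullets in the en and cn `masking-policy.md` hunks (`@@ -81,6 +81,12 @@`) present `APPLY ON MASKING POLICY <name>` as the scoped-down way to let a role "attach/detach policies using `ALTER TABLE`", but the privileges table added by this same patch says per-policy `APPLY` also "allows DESC/DROP operations on the policy". A role granted `APPLY` so it can attach a policy can therefore detach it from every column or drop it outright, i.e. unmask the data. The bullet should say so explicitly, e.g. "APPLY on a policy also permits dropping it; grant it to policy stewards, not to data consumers", and the same caveat belongs on the third bullet about auditing with `SHOW GRANTS ON MASKING POLICY`.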
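Review bot: In the `schemaObjectPrivileges ::=` hunks of en and cn `grant.md` and `revoke.md` (`@@ -51,6 +51,9 @@`, `@@ -52,6 +52,9 @@`, `@@ -48,6 +48,9 @@`), `{ CREATE MASKING POLICY | APPLY MASKING POLICY }` is placed under the per-object privilege list next to `-- For UDF { USAGE }`, while `privileges_level` gains `| MASKING POLICY`; read together the grammar now admits `GRANT CREATE MASKING POLICY ON MASKING POLICY <name>`, which the prose says is not a thing (both are `*.*` privileges), and the privilege that actually applies at that level, `APPLY`, appears nowhere in the grammar. Suggest `-- For MASKING POLICY { APPLY }` here and moving the two account-level names to the global privilege list. The cn copy also drops the `(account-level privileges)` remark that the en copy has; keep the two in sync.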
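Review bot: In `### Example 5: Granting Masking Policy Privileges` of en and cn `grant.md` (`@@ -239,4 +258,20 @@`, `@@ -251,3 +270,19 @@`) the comment "Create a masking policy while assuming the security_admin role" is not backed by any statement; the example needs a `SET ROLE security_admin;` between the `GRANT CREATE MASKING POLICY` and the `CREATE MASKING POLICY`, otherwise OWNERSHIP lands on whatever role was current. The first en comment "Allow the current user to create masking policies" also disagrees with the statement, which grants to `ROLE security_admin`. Finally, the grantee `pii_readers` is named like a data consumer but, per the privileges table in this patch, `APPLY` lets it detach and drop `email_mask`; either rename the role (e.g. a steward role) or extend the comment so the example does not model handing policy-removal rights to readers.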
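Review bot: The `### Revoking Masking Policy Privileges` / `### 撤销脱敏策略权限` hunks in en and cn `revoke.md` (`@@ -57,8 +60,19 @@`) document `REVOKE OWNERSHIP ON MASKING POLICY <name> FROM ROLE '<role>'`, but the privileges pages in this patch say OWNERSHIP is granted automatically on create, held by one role, and revoked automatically on drop, and `grant.md` only documents transfer via `GRANT OWNERSHIP ... TO ROLE`. State what a policy with no owner looks like after this revoke (who can then drop or re-own it), or remove the form if ownership can only be transferred, not revoked.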
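Review bot: The final hunks of en and cn `show-grants.md` (`@@ -89,4 +89,6 @@`, `@@ -89,4 +89,7 @@`) delete the closing fence of the `SHOW GRANTS OF ROLE analyst` result table and append `SHOW GRANTS ON MASKING POLICY email_mask;` inside that block, so the new statement renders as part of the previous example's output. Restore the closing fence after the `╰───╯` line and give the new command its own fenced block, with its result columns shown the way the other examples on the page are.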
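Review bot: The `## Access Control Requirements` hunk in en `create-mask-policy.md` (`@@ -36,6 +36,14 @@`) says `CREATE MASKING POLICY` is "Required to create or replace a masking policy" and that OWNERSHIP goes to "the current role", without saying what `CREATE [ OR REPLACE ]` does to an existing policy owned by another role. As written, any role with the global `CREATE MASKING POLICY` could replace the body of someone else's policy (e.g. with a pass-through expression) and so unmask columns it holds no `APPLY` or `OWNERSHIP` on; state whether replace additionally requires APPLY/OWNERSHIP on the existing policy and whether OWNERSHIP is retained or reassigned. The sentence "so that it can manage the policy with others" is also unclear; say what the owner can do (transfer with `GRANT OWNERSHIP`, grant `APPLY`).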
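Review bot: In the en `drop-mask-policy.md` hunk (`@@ -19,6 +19,14 @@`) "Databend automatically revokes OWNERSHIP from the creator role after the policy is dropped" is wrong whenever ownership was transferred with `GRANT OWNERSHIP ON MASKING POLICY ... TO ROLE`; say "from the owning role", as the cn copy ("回收之前授予的 OWNERSHIP") and the privileges table already do. The table cell "Required to drop a masking policy unless you own that policy" and the sentence below it also disagree slightly: the cell names only the global privilege, the sentence adds per-policy `APPLY`; make the cell list both.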
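Review bot: The new bullet in the en `90-alter-table.md` hunk (`@@ -75,6 +75,7 @@`) says "Attaching, detaching, describing, or dropping a masking policy requires ...", but describing and dropping are not `ALTER TABLE` operations and the cn bullet in the same hunk lists only 设置或取消设置 (set/unset); align the two on set/unset. Both bullets should also say whether the table's own `ALTER` privilege (documented in the table above as required for `ALTER TABLE`) is still needed in addition to `APPLY MASKING POLICY`, since a reader will otherwise assume the policy privilege alone suffices to modify the table.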