Understanding Redshift Objects

Key concepts for understanding Protegrity Cloud Protect with Redshift:
  • External Functions
  • Function Naming Convention
  • Mapping File

External Functions

Redshift provides an External Function capability that calls out to a process running outside Redshift. In this solution, the external service is the Protegrity Redshift Protector, an AWS Lambda function that performs the Protegrity protect and unprotect (re-identification) operations on the values passed to it.

Function Naming Convention

The header of the request payload that Redshift sends to the Lambda identifies the user context in which the SQL statement making the Protegrity call was run. Protegrity additionally needs the type of operation and the name of the security policy element, neither of which is part of that header. Protegrity Serverless provides a UDF function naming convention that supplies this additional context.

The naming convention is pty_<operation>_<element>: the fixed prefix pty, the type of operation (protect or unprotect), and the ESA policy element name, separated by underscores. Only the first two underscores act as delimiters; any further underscores are interpreted as part of the element name (e.g. pty_protect_tok_deSSN is a protect operation on the element tok_deSSN).

The UDF naming convention is as follows.

Token         Description                        Valid options
Prefix        Required to indicate this method   pty
Operation     Type of operation                  protect, unprotect
Element name  ESA element name                   Valid ESA element name (can contain additional underscores)

For example, the following UDF performs an unprotect using the alpha data element:

CREATE OR REPLACE EXTERNAL FUNCTION pty_unprotect_alpha(varchar)
RETURNS varchar
VOLATILE
-- Lambda function name followed by the alias to invoke (here: Production)
LAMBDA '<replace_with_protect_function_name>:Production'
IAM_ROLE 'arn:aws:iam::<your-aws-account-number>:role/<role-name>';

Mapping File

Protegrity Serverless also supports mapping UDF function names to operations and security policy elements through a JSON mapping file. This method is recommended when a custom naming convention is needed, or when element names do not conform to Redshift's function naming validation rules and therefore cannot be embedded in a function name. Here is an example.

The mapping file must be placed in the same S3 bucket as the policy export, i.e. the bucket configured as AWS_POLICY_S3_BUCKET.

{
  "myudf_unp_city": {
    "Operation": "unprotect",
    "Element": "deCity"
  },
  "myudf_pro_dob": {
    "Operation": "protect",
    "Element": "deBirthdate"
  },
  ...
}

With the mapping above, Protegrity Serverless performs an unprotect on the deCity security element for requests arriving from the myudf_unp_city UDF in Redshift, and a protect on the deBirthdate element for requests arriving from myudf_pro_dob.
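The following is an added example, not Protegrity's code, showing how a Lambda handler can resolve the two lookup methods described above (the naming convention and the mapping file) into an operation and element before doing any work. It assumes the mapping file is consulted first and the pty_<operation>_<element> convention second (the precedence is an assumption), that the mapping is loaded from an inline string rather than from AWS_POLICY_S3_BUCKET, and that name matching is case-insensitive because Redshift folds unquoted identifiers to lowercase. The request fields it reads (external_function, user, arguments) and the success/results/error_msg response shape are from the documented Redshift Lambda UDF request and response format; the sample event and the MAPPING_JSON content are constructed for the example.

```python
"""Resolve a Redshift external-function call to a Protegrity operation.

Added example, not Protegrity's own code. Implements the two lookups the
page describes: the JSON mapping file and the pty_<operation>_<element>
naming convention. Any name that matches neither is rejected.
"""
import json
import re
from dataclasses import dataclass

# Constructed stand-in for the mapping file normally read from the
# AWS_POLICY_S3_BUCKET; embedded inline so the example runs offline.
MAPPING_JSON = """
{
  "myudf_unp_city": {"Operation": "unprotect", "Element": "deCity"},
  "myudf_pro_dob":  {"Operation": "protect",   "Element": "deBirthdate"}
}
"""

VALID_OPERATIONS = {"protect", "unprotect"}
# pty_<operation>_<element>: only the first two underscores delimit;
# everything after the operation (underscores included) is the element.
NAME_PATTERN = re.compile(r"^pty_(protect|unprotect)_(.+)$", re.IGNORECASE)

# Constructed example of the JSON Redshift sends to a Lambda UDF.
SAMPLE_EVENT = {
    "request_id": "constructed-request-1",
    "cluster": "constructed-cluster",
    "user": "analyst",
    "database": "dev",
    "external_function": "pty_unprotect_alpha",
    "query_id": 1,
    "num_records": 2,
    "arguments": [["tok1"], ["tok2"]],
}


@dataclass(frozen=True)
class Resolution:
    operation: str
    element: str
    source: str  # "mapping" or "naming-convention"


def load_mapping(text: str) -> dict:
    """Parse the mapping file, rejecting unknown operations up front."""
    mapping = {}
    for name, spec in json.loads(text).items():
        op = spec["Operation"].lower()
        if op not in VALID_OPERATIONS:
            raise ValueError(f"{name}: unknown Operation {spec['Operation']!r}")
        # Keys are matched case-insensitively (Redshift lowercases unquoted
        # identifiers); the element name keeps the case given in the file.
        mapping[name.lower()] = Resolution(op, spec["Element"], "mapping")
    return mapping


def resolve(function_name: str, mapping: dict) -> Resolution:
    """Mapping file first (assumed precedence), then the naming convention."""
    hit = mapping.get(function_name.lower())
    if hit is not None:
        return hit
    m = NAME_PATTERN.match(function_name)
    if m is None:
        raise ValueError(
            f"{function_name!r}: not in mapping and not pty_<operation>_<element>")
    return Resolution(m.group(1).lower(), m.group(2), "naming-convention")


def handle_event(event: dict, mapping: dict) -> dict:
    """Build a response in the shape Redshift expects from a Lambda UDF.

    The actual protect/unprotect call is out of scope here; each result is a
    tag showing which operation and element would be applied to the value,
    so the routing decision can be checked end to end.
    """
    try:
        res = resolve(event["external_function"], mapping)
    except (KeyError, ValueError) as exc:
        # Failing closed: an unresolvable name never reaches the protector.
        return {"success": False, "error_msg": str(exc)}
    results = [f"{res.operation}:{res.element}:{row[0]}" for row in event["arguments"]]
    return {"success": True, "num_records": len(results), "results": results}


if __name__ == "__main__":
    print(handle_event(SAMPLE_EVENT, load_mapping(MAPPING_JSON)))
```

Rejecting unmapped names with success false is the safer default: Redshift surfaces error_msg to the caller, and no value is ever sent to the protector under a guessed element.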
