Understanding Redshift Objects on

Mon, 01 Jan 0001 00:00:00 +0000

External Functions

Redshift provides an External Function capability that is used to call out to a process external to Redshift. In this solution, the external service is Protegrity Redshift Protector, an AWS Lambda for re-identification operations.

Mon, 01 Jan 0001 00:00:00 +0000

Function Naming Convention

The request payload header indicates the current user context making the Protegrity operation through an SQL request. Protegrity also requires the type of operation and the security policy element name. Protegrity Serverless provides a UDF function naming convention to provide this additional context.

The function name convention requires the prefix pty, the type of operation (protect or unprotect), and the ESA policy element name. The three tokens are separated by underscores. Additional underscores are interpreted as part of the element name. (e.g. pty_protect_tok_deSSN).

Mon, 01 Jan 0001 00:00:00 +0000

Mapping File

Protegrity Serverless provides an additional method for mapping UDF function names to operations and security policy elements through a JSON mapping file. This method is recommended when either custom naming conventions are needed or element names do not conform to Redshift’s function naming validation rules. Here is an example.

The mapping file must be provided in the same S3 bucket as policy export: AWS_POLICY_S3_BUCKET

{
 "myudf_unp_city":
 {
 "Operation": "unprotect",
 "Element": "deCity”
 },
 "myudf_pro_dob": {
 "Operation": "protect",
 "Element": "deBirthdate"
 },
 ...
}

The example mapping above would cause Protegrity Serverless to perform an unprotect on the deCity security element for the requests made from the myudf_unp_city UDF function within Redshift.