Apply fine-grained entry and transformation on the SUPER knowledge sort in Amazon Redshift

Amazon Redshift is a quick, scalable, safe, and totally managed cloud knowledge warehouse that makes it easy and cost-effective to investigate all of your knowledge utilizing customary SQL and your present ETL (extract, remodel, and cargo), enterprise intelligence (BI), and reporting instruments. Tens of hundreds of shoppers use Amazon Redshift to course of exabytes of information per day and energy analytics workloads equivalent to BI, predictive analytics, and real-time streaming analytics.

Amazon Redshift, a cloud knowledge warehouse service, helps attaching dynamic knowledge masking (DDM) insurance policies to paths of SUPER knowledge sort columns, and makes use of the OBJECT_TRANSFORM operate with the SUPER knowledge sort. SUPER knowledge sort columns in Amazon Redshift comprise semi-structured knowledge like JSON paperwork. Beforehand, knowledge masking in Amazon Redshift solely labored with common desk columns, however now you’ll be able to apply masking insurance policies particularly to components inside SUPER columns. For instance, you can apply a masking coverage to masks delicate fields like bank card numbers inside JSON paperwork saved in a SUPER column. This permits for extra granular management over knowledge masking in Amazon Redshift. Amazon Redshift offers you extra flexibility in the way you apply knowledge masking to guard delicate info saved in SUPER columns containing semi-structured knowledge.

With DDM assist in Amazon Redshift, you are able to do the next:

• Outline masking insurance policies that apply customized obfuscation insurance policies, equivalent to masking insurance policies to deal with bank card, personally identifiable info (PII) entries, HIPAA or GDPR wants, and extra
• Rework the info at question time to use masking insurance policies
• Connect masking insurance policies to roles or customers
• Connect a number of masking insurance policies with various ranges of obfuscation to the identical column in a desk and assign them to completely different roles with priorities to keep away from conflicts
• Implement cell-level masking by utilizing conditional columns when creating your masking coverage
• Use masking insurance policies to partially or fully redact knowledge, or hash it by utilizing user-defined features (UDFs)

On this put up, we exhibit how a retail firm can management the entry of PII knowledge saved within the SUPER knowledge sort to customers primarily based on their entry privilege with out duplicating the info.

Answer overview

For our use case, we’ve got the next knowledge entry necessities:

• Customers from the Buyer Service crew ought to be capable to view the order knowledge however not PII info
• Customers from the Gross sales crew ought to be capable to view buyer IDs and all order info
• Customers from the Government crew ought to be capable to view all the info
• Workers shouldn’t be capable of view any knowledge

The next diagram illustrates how DDM assist in Amazon Redshift insurance policies works with roles and customers for our retail use case.

The answer encompasses creating masking insurance policies with various masking guidelines and attaching a number of to the identical position and desk with an assigned precedence to take away potential conflicts. These insurance policies might pseudonymize outcomes or selectively nullify outcomes to adjust to retailers’ safety necessities. We consult with a number of masking insurance policies being connected to a desk as a multi-modal masking coverage. A multi-modal masking coverage consists of three elements:

• A knowledge masking coverage that defines the info obfuscation guidelines
• Roles with completely different entry ranges relying on the enterprise case
• The flexibility to connect a number of masking insurance policies on a consumer or position and desk mixture with precedence for battle decision

Conditions

To implement this answer, you want the next stipulations:

Put together the info

To arrange our use case, full the next steps:

1. On the Amazon Redshift console, select Question editor v2 underneath Explorer within the navigation pane.

If you happen to’re conversant in SQL Notebooks, you’ll be able to obtain the SQL pocket book for the demonstration and import it to shortly get began.

2. Create the desk and populate contents:

   -- 1- Create the orders desk
   drop desk if exists public.order_transaction;
   create desk public.order_transaction (
    data_json tremendous
   );
   
   -- 2- Populate the desk with pattern values
   INSERT INTO public.order_transaction
   VALUES
       (
           json_parse('
           
           "c_custkey": 328558,
           "c_name": "Buyer#000328558",
           "c_phone": "586-436-7415",
           "c_creditcard": "4596209611290987",
           "orders":
             "o_orderkey": 8014018,
             "o_orderstatus": "F",
             "o_totalprice": 120857.71,
             "o_orderdate": "2024-01-01"
             
           '
           )
       ),
       (
           json_parse('
           
           "c_custkey": 328559,
           "c_name": "Buyer#000328559",
           "c_phone": "789-232-7421",
           "c_creditcard": "8709000219329924",
           "orders":
             "o_orderkey": 8014019,
             "o_orderstatus": "S",
             "o_totalprice": 9015.98,
             "o_orderdate": "2024-01-01"
             
           '
           )
       ),
       (
           json_parse('
           
           "c_custkey": 328560,
           "c_name": "Buyer#000328560",
           "c_phone": "276-564-9023",
           "c_creditcard": "8765994378650090",
           "orders":
             "o_orderkey": 8014020,
             "o_orderstatus": "C",
             "o_totalprice": 18765.56,
             "o_orderdate": "2024-01-01"
             
           
           ')
       );

Implement the answer

To fulfill the safety necessities, we have to be sure that every consumer sees the identical knowledge in several methods primarily based on their granted privileges. To try this, we use consumer roles mixed with masking insurance policies as follows:

1. Create customers and roles, and add customers to their respective roles:

   --create 4 customers
   set session authorization admin;
   CREATE USER Kate_cust WITH PASSWORD disable;
   CREATE USER Ken_sales WITH PASSWORD disable;
   CREATE USER Bob_exec WITH PASSWORD disable;
   CREATE USER Jane_staff WITH PASSWORD disable;
   
   -- 1. Create Consumer Roles
   CREATE ROLE cust_srvc_role;
   CREATE ROLE sales_srvc_role;
   CREATE ROLE executives_role;
   CREATE ROLE staff_role;
   
   -- be aware that public position exists by default.
   -- Grant Roles to Customers
   GRANT ROLE cust_srvc_role to Kate_cust;
   GRANT ROLE sales_srvc_role to Ken_sales;
   GRANT ROLE executives_role to Bob_exec;
   GRANT ROLE staff_role to Jane_staff;
   
   -- be aware that regualr_user is connected to public position by default.
   GRANT ALL ON ALL TABLES IN SCHEMA "public" TO ROLE cust_srvc_role;
   GRANT ALL ON ALL TABLES IN SCHEMA "public" TO ROLE sales_srvc_role;
   GRANT ALL ON ALL TABLES IN SCHEMA "public" TO ROLE executives_role;
   GRANT ALL ON ALL TABLES IN SCHEMA "public" TO ROLE staff_role;

2. Create masking insurance policies:

   -- Masks Full Knowledge
   CREATE MASKING POLICY mask_full
   WITH(pii_data VARCHAR(256))
   USING ('000000XXXX0000'::TEXT);
   
   -- This coverage rounds down the given value to the closest 10.
   CREATE MASKING POLICY mask_price
   WITH(value INT)
   USING ( (FLOOR(value::FLOAT / 10) * 10)::INT );
   
   -- This coverage converts the primary 12 digits of the given bank card to 'XXXXXXXXXXXX'.
   CREATE MASKING POLICY mask_credit_card
   WITH(credit_card TEXT)
   USING ( 'XXXXXXXXXXXX'::TEXT || SUBSTRING(credit_card::TEXT FROM 13 FOR 4) );
   
   -- This coverage masks the given date
   CREATE MASKING POLICY mask_date
   WITH(order_date TEXT)
   USING ( 'XXXX-XX-XX'::TEXT);
   
   -- This coverage masks the given telephone quantity
   CREATE MASKING POLICY mask_phone
   WITH(phone_number TEXT)
   USING ( 'XXX-XXX-'::TEXT || SUBSTRING(phone_number::TEXT FROM 9 FOR 4) );

3. Connect the masking insurance policies:
   • Connect the masking coverage for the customer support use case:

     --customer_support (can't see buyer PHI/PII knowledge however can see the order id , order particulars and standing and so forth.)
     
     set session authorization admin;
     
     ATTACH MASKING POLICY mask_full
     ON public.order_transaction(data_json.c_custkey)
     TO ROLE cust_srvc_role;
     
     ATTACH MASKING POLICY mask_phone
     ON public.order_transaction(data_json.c_phone)
     TO ROLE cust_srvc_role;
     
     ATTACH MASKING POLICY mask_credit_card
     ON public.order_transaction(data_json.c_creditcard)
     TO ROLE cust_srvc_role;
     
     ATTACH MASKING POLICY mask_price
     ON public.order_transaction(data_json.orders.o_totalprice)
     TO ROLE cust_srvc_role;
     
     ATTACH MASKING POLICY mask_date
     ON public.order_transaction(data_json.orders.o_orderdate)
     TO ROLE cust_srvc_role;

   • Connect the masking coverage for the gross sales use case:

     --sales —> can see the client ID (non phi knowledge) and all order information
     
     set session authorization admin;
     
     ATTACH MASKING POLICY mask_phone
     ON public.order_transaction(data_json.buyer.c_phone)
     TO ROLE sales_srvc_role;

   • Connect the masking coverage for the employees use case:

     --Workers — > can't see any knowledge concerning the order. all columns masked for them ( we will hand choose some columns) to indicate the performance
     
     set session authorization admin;
     
     ATTACH MASKING POLICY mask_full
     ON public.order_transaction(data_json.orders.o_orderkey)
     TO ROLE staff_role;
     
     ATTACH MASKING POLICY mask_pii_full
     ON public.order_transaction(data_json.orders.o_orderstatus)
     TO ROLE staff_role;
     
     ATTACH MASKING POLICY mask_pii_price
     ON public.order_transaction(data_json.orders.o_totalprice)
     TO ROLE staff_role;
     
     ATTACH MASKING POLICY mask_date
     ON public.order_transaction(data_json.orders.o_orderdate)
     TO ROLE staff_role;

Take a look at the answer

Let’s verify that the masking insurance policies are created and connected.

1. Test that the masking insurance policies are created with the next code:

   -- 1.1- Verify the masking insurance policies are created
   SELECT * FROM svv_masking_policy;

   

2. Test that the masking insurance policies are connected:

   -- 1.2- Confirm connected masking coverage on desk/column to consumer/position.
   SELECT * FROM svv_attached_masking_policy;

   

Now you’ll be able to take a look at that completely different customers can see the identical knowledge masked otherwise primarily based on their roles.

3. Take a look at that the client assist can’t see buyer PHI/PII knowledge however can see the order ID, order particulars, and standing:

   set session authorization Kate_cust;
   choose * from order_transaction;

   

4. Take a look at that the gross sales crew can see the client ID (non PII knowledge) and all order info:

   set session authorization Ken_sales;
   choose * from order_transaction;

   

5. Take a look at that the executives can see all knowledge:

   set session authorization Bob_exec;
   choose * from order_transaction;

   

6. Take a look at that the employees can’t see any knowledge concerning the order. All columns ought to masked for them.

   set session authorization Jane_staff;
   choose * from order_transaction;

   

Object_Transform operate

On this part, we dive into the capabilities and advantages of the OBJECT_TRANSFORM operate and discover the way it empowers you to effectively reshape your knowledge for evaluation. The OBJECT_TRANSFORM operate in Amazon Redshift is designed to facilitate knowledge transformations by permitting you to govern JSON knowledge instantly throughout the database. With this operate, you’ll be able to apply transformations to semi-structured or SUPER knowledge sorts, making it easier to work with complicated knowledge buildings in a relational database atmosphere.

Let’s have a look at some utilization examples.

First, create a desk and populate contents:

--1- Create the client desk 

DROP TABLE if exists customer_json;

CREATE TABLE customer_json (
    col_super tremendous,
    col_text character various(100) ENCODE lzo
) DISTSTYLE AUTO;

--2- Populate the desk with pattern knowledge 

INSERT INTO customer_json
VALUES
    (
        
        json_parse('
            
                "particular person": 
                    "title": "GREGORY HOUSE",
                    "wage": 120000,
                    "age": 17,
                    "state": "MA",
                    "ssn": ""
                
            
        ')
        ,'GREGORY HOUSE'
    ),
    (
        json_parse('
              
                "particular person": 
                    "title": "LISA CUDDY",
                    "wage": 180000,
                    "age": 30,
                    "state": "CA",
                    "ssn": ""
                
            
        ')
        ,'LISA CUDDY'
    ),
     (
        json_parse('
              
                "particular person": 
                    "title": "JAMES WILSON",
                    "wage": 150000,
                    "age": 35,
                    "state": "WA",
                    "ssn": ""
                
            
        ')
        ,'JAMES WILSON'
    )
;
-- 3 choose the info 

SELECT * FROM customer_json;

Apply the transformations with the OBJECT_TRANSFORM operate:

SELECT
    OBJECT_TRANSFORM(
        col_super
        KEEP
            '"particular person"."title"',
            '"particular person"."age"',
            '"particular person"."state"'
           
        SET
            '"particular person"."title"', LOWER(col_super.particular person.title::TEXT),
            '"particular person"."wage"',col_super.particular person.wage + col_super.particular person.wage*0.1
    ) AS col_super_transformed
FROM customer_json;

As you’ll be able to see within the instance, by making use of the transformation with OBJECT_TRANSFORM, the particular person title is formatted in lowercase and the wage is elevated by 10%. This demonstrates how the transformation makes is easier to work with semi-structured or nested knowledge sorts.

Clear up

While you’re performed with the answer, clear up your sources:

1. Detach the masking insurance policies from the desk:

   -- Cleanup
   --reset session authorization to the default
   RESET SESSION AUTHORIZATION;

2. Drop the masking insurance policies:

   DROP MASKING POLICY mask_pii_data CASCADE;

3. Revoke or drop the roles and customers:

   REVOKE ROLE cust_srvc_role from Kate_cust;
   REVOKE ROLE sales_srvc_role from Ken_sales;
   REVOKE ROLE executives_role from Bob_exec;
   REVOKE ROLE staff_role from Jane_staff;
   DROP ROLE cust_srvc_role;
   DROP ROLE sales_srvc_role;
   DROP ROLE executives_role;
   DROP ROLE staff_role;
   DROP USER Kate_cust;
   DROP USER Ken_sales;
   DROP USER Bob_exec;
   DROP USER Jane_staff;

4. Drop the desk:

   DROP TABLE order_transaction CASCADE;
   DROP TABLE if exists customer_json;

Issues and greatest practices

Take into account the next when implementing this answer:

• When attaching a masking coverage to a path on a column, that column have to be outlined because the SUPER knowledge sort. You’ll be able to solely apply masking insurance policies to scalar values on the SUPER path. You’ll be able to’t apply masking insurance policies to complicated buildings or arrays.
• You’ll be able to apply completely different masking insurance policies to a number of scalar values on a single SUPER column so long as the SUPER paths don’t battle. For instance, the SUPER paths a.b and a.b.c battle as a result of they’re on the identical path, with a.b being the father or mother of a.b.c. The SUPER paths a.b.c and a.b.d don’t battle.

Confer with Utilizing dynamic knowledge masking with SUPER knowledge sort paths for extra particulars on concerns.

Conclusion

On this put up, we mentioned how one can use DDM assist for the SUPER knowledge sort in Amazon Redshift to outline configuration-driven, constant, format-preserving, and irreversible masked knowledge values. With DDM assist in Amazon Redshift, you’ll be able to management your knowledge masking strategy utilizing acquainted SQL language. You’ll be able to make the most of the Amazon Redshift role-based entry management functionality to implement completely different ranges of information masking. You’ll be able to create a masking coverage to establish which column must be masked, and you’ve got the flexibleness of selecting how one can present the masked knowledge. For instance, you’ll be able to fully cover all the data of the info, exchange partial actual values with wildcard characters, or outline your personal option to masks the info utilizing SQL expressions, Python, or Lambda UDFs. Moreover, you’ll be able to apply conditional masking primarily based on different columns, which selectively protects the column knowledge in a desk primarily based on the values in a number of columns.

We encourage you to create your personal user-defined features for varied use circumstances and obtain your required safety posture utilizing dynamic knowledge masking assist in Amazon Redshift.

In regards to the Authors

Ritesh Kumar Sinha is an Analytics Specialist Options Architect primarily based out of San Francisco. He has helped prospects construct scalable knowledge warehousing and massive knowledge options for over 16 years. He likes to design and construct environment friendly end-to-end options on AWS. In his spare time, he loves studying, strolling, and doing yoga.

Tahir Aziz is an Analytics Answer Architect at AWS. He has labored with constructing knowledge warehouses and massive knowledge options for over 15+ years. He loves to assist prospects design end-to-end analytics options on AWS. Exterior of labor, he enjoys touring and cooking.

Omama Khurshid is an Acceleration Lab Options Architect at Amazon Net Providers. She focuses on serving to prospects throughout varied industries construct dependable, scalable, and environment friendly options. Exterior of labor, she enjoys spending time along with her household, watching films, listening to music, and studying new applied sciences.