EXT_AUTHORIZER_EXPLAIN stored procedure in Data Virtualization

Last updated: Mar 17, 2025

Get details about the IBM Knowledge Catalog data protection rules applicable to a Data Virtualization object for a user by using the EXT_AUTHORIZER_EXPLAIN stored procedure in Data Virtualization. The schema is DVSYS.

With more information on the data protection rules applicable to a Data Virtualization object for a user, you can help to ensure that sensitive information is protected.

Note: This procedure evaluates against IBM Knowledge Catalog data protection rules only. Also, this procedure does not support views and only works on virtual tables (Db2 nicknames), native Db2 tables, and MQTs. To learn how Data Virtualization authorizes views, see Authorization model for views.

Authorization

To run the EXT_AUTHORIZER_EXPLAIN procedure, you must be a Data Virtualization Manager. For more information, see Managing roles for users in Data Virtualization.

Input parameters

SCHEMA_NAME: The type of this required parameter is VARCHAR(128). Specifies the schema of the evaluated object.
OBJECT_NAME: The type of this required parameter is VARCHAR(128). Specifies the name of the evaluated object.
USERNAME: The type of this required parameter is VARCHAR(128). Specifies the Data Virtualization user ID of the user to evaluate the object against.

Output parameters

AUTHORIZER_EXPLAIN: The type of this parameter is VARCHAR(32672). The explanation of the evaluation result in JSON format.

Output property names

Refer to the following table for an explanation of each property name that you might encounter in the output.

Property name	Definition
asset_id	The ID of the catalog asset within the container whose metadata was used for evaluation against data protection rules.
container	The ID and name of the governed catalog, whose asset was used for the evaluation of the object.
evaluation_outcome	The overall outcome that is applied to the object, and can include any of the following: Allow: The outcome of the evaluation is to allow access to the object without any restrictions. Deny: The outcome of the evaluation is to deny access to the object. Transform: A column masking or row filtering rule applies to the object.
is_cached	This parameter determines if the outcome is fetched from a local copy. True: The Data Virtualization in-memory cache determines the outcome of this evaluation. The outcome might not be fully up-to-date with the data protection rules or asset metadata in the catalog. For more information on the outcome, see cache of the applicable IBM Knowledge Catalog data protection rules in Data Virtualization. False: The outcome of this evaluation is evaluated against and returned by the IBM Knowledge Catalog policy service. This outcome is up to date.
parameters	Definition of the applicable transformation operation (column mask or row filter).
rules	The name and IDs of the applicable data protection rules to the requested evaluation context.
transform_spec	List of applicable column masks, row filters, or both, as a result of the applicable rules. The operation_type can include any of the following statues: research/pseudo-pretty: Redact research/formatted-pretty: Formatted (for example, partial) redact research/digest_col: Substitute research/pseudo: Obfuscate research/include_rows: Row filter that includes rows research/include_rows_ref: Row filter that includes rows based on a reference table research/exclude_rows: Row filter that excludes rows research/exclude_rows_ref: Row filter that excludes rows based on a reference table
user_id	Platform or IAM user ID of the user that is being evaluated.

Syntax

Use the following syntax and replace the parameters below for this stored procedure:

CALL DVSYS.EXT_AUTHORIZER_EXPLAIN('<SCHEMA_NAME>', '<OBJECT_NAME>', '<USERNAME>', ?);

Examples

The following two examples demonstrate what happens when you use this stored procedure on Data Virtualization objects that have row filtering and column masking (obfuscation) rules applied.

Row filtering rule applies to an object

To evaluate the virtual table MY_TABLE in schema MY_SCHEMA for user USER1, run the following SQL statement:

CALL DVSYS.EXT_AUTHORIZER_EXPLAIN('MY_SCHEMA', 'MY_TABLE', 'USER1', ?);

For an object with a row filtering rule applicable, the output might look like the following example:

 Value of output parameters
  --------------------------
  Parameter name  : AUTHORIZER_EXPLAIN
  Parameter value : {"IKC":{"resource_key":"1ed88d5b-148e-49c5-85a3-000000000000:/MY_SCHEMA/MY_TABLE","evaluation_outcome":"Transform","governance_convention":"AEAD",asset_id":"9cb85f03-100a-4bd5-8275-000000000000","container":{"id":"753b9703-4f82-4552-9906-000000000000","name":"Default"},"is_cached":false,"user_id":"0000000000","rules":[{"id":"297d03ad-be3f-43c3-b534-000000000000","name":"Table RoLE normal"},{"id":"b140d918-9ca8-4356-86c2-000000000000","name":"Table RoLE fail"}],"transform_spec":[{"operation_type":"research/include_rows_ref","parameters":[{"predicate":[["$$source.MY_TABLE_ID","=","$$references[0].MY_TABLE_ID"]],"references":[{"catalog_id":"753b9703-4f82-4552-9906-000000000000","asset_id":"b1d5fdd1-5ae4-45c5-b1b3-000000000000","resource_key":"1ed88d5b-148e-49c5-85a3-000000000000:/MY_SCHEMA/MY_TABLE"}]}]}]}}s_ref","parameters":[{"predicate":[["$$source.MY_TABLE_ID","=","$$references[0].TABLE_ID"]],"references":[{"catalog_id":"753b9703-4f82-4552-9906-000000000000","asset_id":"b1d5fdd1-5ae4-45c5-b1b3-000000000000","resource_key":"1ed88d5b-148e-49c5-85a3-000000000000:/MY_SCHEMA/MY_TABLE"}]}]}]}}

Column masking rule applies to an object

To evaluate the virtual table MY_TABLE_MASK in schema MY_SCHEMA for user USER1, run the following SQL command:

CALL DVSYS.EXT_AUTHORIZER_EXPLAIN('MY_SCHEMA', 'MY_TABLE_MASK', 'USER1', ?);

For an object that has two column masking rules that are applied, the output might look like the following example:

Value of output parameters
  --------------------------
  Parameter name  : AUTHORIZER_EXPLAIN
  Parameter value : {"IKC":{"resource_key":"1ed88d5b-148e-49c5-85a3-000000000000:/MY_SCHEMA/MY_TABLE_MASK","evaluation_outcome":"Transform","governance_convention":"AEAD","asset_id":"f11f6916-dc49-4838-869a-000000000000","container":{"id":"753b9703-4f82-4552-9906-000000000000","name":"Default"},"is_cached":false,"user_id":"000000000000","rules":[{"id":"e4de009b-ea72-4bc2-b70c-000000000000","name":"Name mask"},{"id":"275e2e1b-4d13-4d91-939d-000000000000","name":"Redact first name"}],"transform_spec":[{"operation_type":"research/pseudo","parameters":[{"salt":"034f0be01d66800028a7fb5069e1b5f59b3c876ba3c2d00436db09b3e0e50072","dataclass":"LastName","maskingType":"Full","name":"LAST_NAME","preserveFormat":"true","maskingProcessor":"FormatPreservingTokenization"}],"profiled_dataclass":"LastName"},{"operation_type":"research/pseudo-pretty","parameters":[{"maskingChar":"X","maskingType":"Full","name":"FIRST_NAME","preserveFormat":"false","maskingLen":"10"}],"profiled_dataclass":"FirstName"}]}}

In this example, the transform_spec indicates that the outcome of the evaluation resulted in masking two columns:

LAST_NAME column is masked with format-preserving obfuscation.
FIRST_NAME column is masked with full redaction, or ten X characters.

"transform_spec": [{
			"operation_type": "research/pseudo",
			"parameters": [{
				"salt": "000f0be01d6680b62007fb5069e1b0009b3c876ba000d65006db09b3e0e50072",
				"dataclass": "LastName",
				"maskingType": "Full",
				"name": "LAST_NAME",
				"preserveFormat": "true",
				"maskingProcessor": "FormatPreservingTokenization"
			}],
			"profiled_dataclass": "LastName"
		}, {
			"operation_type": "research/pseudo-pretty",
			"parameters": [{
				"maskingChar": "X",
				"maskingType": "Full",
				"name": "FIRST_NAME",
				"preserveFormat": "false",
				"maskingLen": "10"
			}],
			"profiled_dataclass": "FirstName"
		}]