35 commits
3c73c40
feat(genie): add terraform module for quickstart of genie onboarding
louiscsq Feb 5, 2026
28e6768
finance domain example added for uc quickstart abac
kavyaparashardatabricks Jan 30, 2026
dc0aeb4
Fraud Analyst demo
louiscsq Feb 5, 2026
9a8da8b
Update the demo record date to a more recent one
louiscsq Feb 9, 2026
fe44e01
minimized demo for minimal data groups
kavyaparashardatabricks Feb 9, 2026
6d505ef
genie creation automated
kavyaparashardatabricks Feb 10, 2026
d44c422
feat(genie): add Genie Space ACL automation via Terraform
louiscsq Feb 11, 2026
8421f2b
Genie ACL: remove warehouse grants, demo users as lists, group member…
louiscsq Feb 11, 2026
1dc6585
Genie/aws: add entity tag assignments and FGAC policies (Terraform)
louiscsq Feb 20, 2026
7107185
fix: use additive grants and add dependency ordering for FGAC policies
louiscsq Feb 20, 2026
7df9e88
feat: generalize ABAC Terraform module for custom tables and masking …
louiscsq Feb 20, 2026
6df6d7e
feat: add validate_abac.py to check AI-generated configs before terra…
louiscsq Feb 20, 2026
db1348d
docs: add healthcare walkthrough with user-provided catalog name
louiscsq Feb 23, 2026
bd39e3f
refactor: organize examples into finance/ and healthcare/ subdirectories
louiscsq Feb 23, 2026
eb6e6bd
docs: rename tfvars to tfvars.example and update README references
louiscsq Feb 23, 2026
fb54a36
feat: add AI-assisted ABAC generation, auth separation, and condition…
louiscsq Feb 23, 2026
39056ab
feat: streamline Genie onboarding automation
louiscsq Feb 24, 2026
d331ee5
fix: default to -parallelism=1 and improve validate-then-copy workflow
louiscsq Feb 24, 2026
b0cde5b
docs: rename project to OneReady
louiscsq Feb 24, 2026
375329e
fix: make when_condition optional for FGAC policies and improve ABAC …
louiscsq Feb 25, 2026
bd88b3a
feat: multi-catalog ABAC with auto-deploy, simplified workflow, and d…
louiscsq Feb 26, 2026
2311fdb
feat: unified Genie Space lifecycle, tag policy ordering fix, and ren…
louiscsq Feb 26, 2026
284bfd8
docs: restore flowchart, value proposition, and align box boundaries …
louiscsq Feb 26, 2026
422cb22
feat: Genie Space AI config, three-file split, and README cleanup
louiscsq Feb 27, 2026
cfbae68
feat: add sql_snippets, join_specs, and benchmark accuracy improvements
louiscsq Feb 27, 2026
0d0c780
fix: prevent multiple column masks per column in ABAC prompt and tag …
louiscsq Feb 27, 2026
a746e7a
feat: add Databricks telemetry via User-Agent across all API layers
louiscsq Mar 2, 2026
dee4790
refactor: use databricks.sdk.useragent for telemetry instead of Config
louiscsq Mar 2, 2026
b06fcbc
fix: resolve tag policy reordering bug and improve ABAC generation re…
louiscsq Mar 2, 2026
5158c03
docs: move prerequisites to top-level section and add SP role details
louiscsq Mar 2, 2026
1201445
rename: rebrand project from OneReady to GenieRails
louiscsq Mar 5, 2026
344028e
docs: fix markdown table and ASCII art formatting in README
louiscsq Mar 5, 2026
7eb5016
fix: pass product info to WorkspaceClient so control plane records te…
louiscsq Mar 5, 2026
4cfc890
merge: integrate telemetry fix from feature/add-telemetry-service
louiscsq Mar 5, 2026
167fda5
fix: remove redundant ua.with_extra/with_product calls that caused du…
louiscsq Mar 5, 2026
260 changes: 260 additions & 0 deletions uc-quickstart/utils/abac/finance/0.1finance_abac_functions.sql
@@ -0,0 +1,260 @@
-- =============================================
-- DATABRICKS UNITY CATALOG ABAC MASKING FUNCTIONS - FINANCE DOMAIN
-- Purpose: Attribute-Based Access Control (ABAC) utility functions for financial services data masking
-- Compliance: PCI-DSS, AML/KYC, GDPR, SOX, GLBA
-- Reference: https://docs.databricks.com/aws/en/data-governance/unity-catalog/abac/
-- =============================================

-- Set catalog and schema context
USE CATALOG fincat;
USE SCHEMA finance;

-- =============================================
-- MASKING FUNCTIONS (11 total)
-- These transform/hide data values while preserving table structure
-- =============================================

-- =============================================
-- 1. CREDIT CARD FULL MASKING FUNCTION
-- Purpose: Complete masking of credit card numbers for PCI-DSS compliance
-- Usage: Customer service representatives with basic clearance
-- Input: Credit card number (e.g., 4532-1234-5678-9010)
-- Output: Fully masked (XXXX-XXXX-XXXX-XXXX)
-- =============================================
CREATE OR REPLACE FUNCTION mask_credit_card_full(card_number STRING)
RETURNS STRING
COMMENT 'ABAC utility: Full credit card masking for PCI-DSS compliance'
RETURN CASE
WHEN card_number IS NULL OR card_number = '' THEN card_number
ELSE 'XXXX-XXXX-XXXX-XXXX'
END;

-- =============================================
-- 2. CREDIT CARD LAST 4 DIGITS FUNCTION
-- Purpose: Show only last 4 digits for customer service verification
-- Usage: Customer service and fraud detection teams
-- Input: Credit card number (e.g., 4532-1234-5678-9010)
-- Output: Masked with last 4 visible (XXXX-XXXX-XXXX-9010)
-- =============================================
CREATE OR REPLACE FUNCTION mask_credit_card_last4(card_number STRING)
RETURNS STRING
COMMENT 'ABAC utility: Show last 4 digits of credit card for verification'
RETURN CASE
WHEN card_number IS NULL OR card_number = '' THEN card_number
WHEN LENGTH(REGEXP_REPLACE(card_number, '[^0-9]', '')) >= 4 THEN
CONCAT('XXXX-XXXX-XXXX-', RIGHT(REGEXP_REPLACE(card_number, '[^0-9]', ''), 4))
ELSE 'XXXX-XXXX-XXXX-XXXX'
END;

-- =============================================
-- 3. SSN MASKING FUNCTION
-- Purpose: Mask Social Security Numbers while showing last 4 for verification
-- Usage: Customer service and compliance teams
-- Input: SSN (e.g., 123-45-6789)
-- Output: Masked SSN (XXX-XX-6789)
-- =============================================
CREATE OR REPLACE FUNCTION mask_ssn(ssn STRING)
RETURNS STRING
COMMENT 'ABAC utility: Mask SSN showing only last 4 digits for GLBA compliance'
RETURN CASE
WHEN ssn IS NULL OR ssn = '' THEN ssn
WHEN LENGTH(REGEXP_REPLACE(ssn, '[^0-9]', '')) = 9 THEN
CONCAT('XXX-XX-', RIGHT(REGEXP_REPLACE(ssn, '[^0-9]', ''), 4))
ELSE 'XXX-XX-XXXX'
END;

-- =============================================
-- 4. ACCOUNT NUMBER TOKENIZATION FUNCTION
-- Purpose: Deterministic masking of account numbers for analytics
-- Usage: Data analysts and reporting teams
-- Input: Account number (e.g., ACC123456)
-- Output: Deterministic token (e.g., ACCT_a3f9c2...)
-- =============================================
CREATE OR REPLACE FUNCTION mask_account_number(account_id STRING)
RETURNS STRING
COMMENT 'ABAC utility: Deterministic account number tokenization for cross-table analytics'
RETURN CASE
WHEN account_id IS NULL OR account_id = '' THEN account_id
ELSE CONCAT('ACCT_', LEFT(SHA2(account_id, 256), 12))
END;

-- =============================================
-- 5. EMAIL MASKING FOR FINANCE FUNCTION
-- Purpose: Mask customer email addresses for privacy
-- Usage: Marketing and customer service teams
-- Input: Email (e.g., john.doe@example.com)
-- Output: Masked email (****@example.com)
-- =============================================
CREATE OR REPLACE FUNCTION mask_email_finance(email STRING)
RETURNS STRING
COMMENT 'ABAC utility: Mask email local part while preserving domain for GDPR compliance'
RETURN CASE
WHEN email IS NULL OR email = '' THEN email
WHEN LOCATE('@', email) > 0 THEN
CONCAT('****', SUBSTRING(email, LOCATE('@', email)))
ELSE '****'
END;

-- =============================================
-- 6. CUSTOMER ID DETERMINISTIC MASKING FUNCTION
-- Purpose: Hash customer IDs for referential integrity in analytics
-- Usage: Data scientists and analysts performing cross-table joins
-- Input: Customer ID (e.g., CUST00123)
-- Output: Deterministic reference (e.g., REF_c8a9f...)
-- =============================================
CREATE OR REPLACE FUNCTION mask_customer_id_deterministic(customer_id STRING)
RETURNS STRING
COMMENT 'ABAC utility: Deterministic customer ID masking preserving join capability'
RETURN CASE
WHEN customer_id IS NULL OR customer_id = '' THEN customer_id
ELSE CONCAT('REF_', LEFT(SHA2(customer_id, 256), 10))
END;

-- =============================================
-- 7. TRANSACTION AMOUNT ROUNDING FUNCTION
-- Purpose: Round transaction amounts for aggregated reporting
-- Usage: Marketing teams and external partners
-- Input: Amount (e.g., 1234.56)
-- Output: Rounded amount (1200.00)
-- =============================================
CREATE OR REPLACE FUNCTION mask_amount_rounded(amount DECIMAL(18,2))
RETURNS DECIMAL(18,2)
COMMENT 'ABAC utility: Round amounts to nearest hundred for aggregated analytics'
RETURN CASE
WHEN amount IS NULL THEN NULL
WHEN amount < 100 THEN ROUND(amount, -1) -- Round to nearest 10
ELSE ROUND(amount, -2) -- Round to nearest 100
END;

-- =============================================
-- 8. PII STRING PARTIAL MASKING FUNCTION
-- Purpose: Show only first and last characters of PII fields
-- Usage: Customer names and addresses for partial visibility
-- Input: String value (e.g., "John")
-- Output: Partially masked string (e.g., "J**n")
-- =============================================
CREATE OR REPLACE FUNCTION mask_pii_partial(input STRING)
RETURNS STRING
COMMENT 'ABAC utility: Partial PII masking showing first and last characters for GDPR'
RETURN CASE
WHEN input IS NULL OR input = '' THEN input
WHEN LENGTH(input) <= 2 THEN REPEAT('*', LENGTH(input))
WHEN LENGTH(input) = 3 THEN CONCAT(LEFT(input, 1), '*', RIGHT(input, 1))
ELSE CONCAT(LEFT(input, 1), REPEAT('*', LENGTH(input) - 2), RIGHT(input, 1))
END;

-- =============================================
-- ROW FILTER FUNCTIONS (Zero-argument for Unity Catalog ABAC)
-- These control which rows are visible to users based on group membership
-- Note: UC ROW FILTER policies require 0-argument functions
-- =============================================

-- =============================================
-- 9. TRADING HOURS TIME-BASED FILTER
-- Purpose: Restrict access to trading positions during market hours
-- Usage: Prevent risk managers from accessing live positions during trading
-- Input: None (uses current time)
-- Output: Boolean indicating if access is allowed (outside trading hours 9:30 AM - 4:00 PM ET)
-- =============================================
CREATE OR REPLACE FUNCTION filter_trading_hours()
RETURNS BOOLEAN
COMMENT 'ABAC utility: Time-based access control for trading positions outside market hours'
RETURN
-- Allow access outside NYSE trading hours (9:30 AM - 4:00 PM ET)
-- Convert to UTC: 9:30 AM ET = 14:30 UTC, 4:00 PM ET = 21:00 UTC (EST)
-- Note: Adjust for daylight saving time in production
CASE
WHEN hour(current_timestamp()) < 14 OR hour(current_timestamp()) >= 21 THEN TRUE
ELSE FALSE
END;

-- =============================================
-- 10. INFORMATION BARRIER FILTER (Chinese Wall)
-- Purpose: Block research analysts from trading data
-- Usage: Enforce SEC/MiFID II Chinese wall for research analysts
-- Input: None (checks current user group membership)
-- Output: Boolean - FALSE blocks access for Research_Analyst group
-- =============================================
CREATE OR REPLACE FUNCTION filter_information_barrier()
RETURNS BOOLEAN
COMMENT 'ABAC utility: Chinese wall - block research analysts from trading positions'
RETURN
-- Research analysts are blocked (return FALSE to deny access)
-- This function is applied only to tables tagged with information_barrier
-- Risk managers and compliance have Neutral access (not blocked)
TRUE; -- Default allow - policy applies this selectively via WHEN clause

-- =============================================
-- 11. AML CLEARANCE FILTER
-- Purpose: Hide flagged/high-risk transactions from junior analysts
-- Usage: Junior AML analysts cannot see flagged transactions
-- Input: None (checks current user group membership)
-- Output: Boolean - controls visibility of sensitive AML data
-- =============================================
CREATE OR REPLACE FUNCTION filter_aml_clearance()
RETURNS BOOLEAN
COMMENT 'ABAC utility: Hide flagged transactions from junior AML analysts'
RETURN
-- Junior analysts blocked from flagged transactions
-- Senior investigators and compliance see all
TRUE; -- Default allow - policy WHEN clause controls application

-- =============================================
-- 12. REGIONAL DATA RESIDENCY FILTER - EU
-- Purpose: Show only EU customer data to EU staff
-- Usage: GDPR compliance - EU staff see EU data only
-- Input: None (checks current user group membership)
-- Output: Boolean indicating if row should be visible
-- =============================================
CREATE OR REPLACE FUNCTION filter_by_region_eu()
RETURNS BOOLEAN
COMMENT 'ABAC utility: GDPR - EU regional staff see EU customer data only'
RETURN TRUE; -- Applied via WHEN clause to customer_region='EU' tables

-- =============================================
-- 13. REGIONAL DATA RESIDENCY FILTER - US
-- Purpose: Show only US customer data to US staff
-- Usage: CCPA/GLBA compliance - US staff see US data only
-- Input: None (checks current user group membership)
-- Output: Boolean indicating if row should be visible
-- =============================================
CREATE OR REPLACE FUNCTION filter_by_region_us()
RETURNS BOOLEAN
COMMENT 'ABAC utility: CCPA/GLBA - US regional staff see US customer data only'
RETURN TRUE; -- Applied via WHEN clause to customer_region='US' tables

-- =============================================
-- 14. REGIONAL DATA RESIDENCY FILTER - APAC
-- Purpose: Show only APAC customer data to APAC staff
-- Usage: PDPA compliance - APAC staff see APAC data only
-- Input: None (checks current user group membership)
-- Output: Boolean indicating if row should be visible
-- =============================================
CREATE OR REPLACE FUNCTION filter_by_region_apac()
RETURNS BOOLEAN
COMMENT 'ABAC utility: PDPA - APAC regional staff see APAC customer data only'
RETURN TRUE; -- Applied via WHEN clause to customer_region='APAC' tables

-- =============================================
-- 15. TEMPORARY AUDITOR ACCESS FILTER
-- Purpose: Grant access to external auditors (always allow within policy scope)
-- Usage: SOX compliance - external auditors with temporary access
-- Input: None (group membership determines access)
-- Output: Boolean indicating if access is allowed
-- =============================================
CREATE OR REPLACE FUNCTION filter_audit_expiry()
RETURNS BOOLEAN
COMMENT 'ABAC utility: Temporary access control for external auditors (SOX compliance)'
RETURN TRUE; -- Applied via WHEN clause with audit_project tag

-- =============================================
-- VERIFICATION AND TESTING
-- =============================================

-- List all created functions
SHOW FUNCTIONS IN finance LIKE 'mask*';
SHOW FUNCTIONS IN finance LIKE 'filter*';

SELECT '✅ Successfully created 15 finance ABAC functions (8 masking, 7 row filters)' as status;
SELECT '📋 Row filter functions are zero-argument for Unity Catalog ABAC policies' as note;
SELECT '🔐 Functions ready for: PCI-DSS, AML/KYC, GDPR, SOX, GLBA compliance' as compliance_frameworks;
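Review bot: every function in the ROW FILTER section (filter_information_barrier, filter_aml_clearance, the three filter_by_region_* functions and filter_audit_expiry) returns a constant TRUE, so none of them can ever hide a row. A policy WHEN clause only decides whether the filter is attached to a table; once attached, a filter that returns TRUE for every row is a no-op, and the comment on filter_information_barrier ("return FALSE to deny access") contradicts the body that follows it. For the deny-style filters (information barrier, AML clearance), have the function return FALSE so that a policy whose WHEN clause selects the blocked group actually removes the rows; for the regional filters, the function needs the row's region value as input to compare against the staff region, otherwise the data residency control is comment-only.

Two smaller points in the same file. filter_trading_hours compares hour(current_timestamp()) against fixed UTC offsets, but current_timestamp() is rendered in the session time zone and the fixed offset ignores daylight saving (as the comment itself admits), so derive the hour explicitly in America/New_York (from_utc_timestamp / to_utc_timestamp) before comparing. The section header "MASKING FUNCTIONS (11 total)" disagrees with the eight masking functions defined (1 to 8) and with the closing status message ("8 masking, 7 row filters"). Finally, mask_account_number and mask_customer_id_deterministic tokenize with an unkeyed, truncated SHA2: that keeps the join property, but hashing a low-entropy identifier without a secret is reversible by precomputing hashes of candidate IDs, so a keyed construction with the key held outside the table is the safer way to preserve referential integrity.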