This post explains how to apply fine-grained dynamic data masking using the Axiomatics Data Access Filter MD (for Multiple Databases), while minimizing changes to applications that consume the data.
In the land of XACML, general access control queries are of the form “Can user A read document D?” The Policy Enforcement Point (PEP) sends these requests to the Policy Decision Point (PDP) and enforces the response decision, Permit/Deny. But in most enterprises, access control queries are not confined to these direct queries. There is often a need for queries like “Which conditions should be fulfilled by a user to get Permit for accessing document D?”, “What are the conditions that deny access to a document for user A?”, “Which elements in the current set of policies can deny read access to any user?”, etc.
It is a general perception that ABAC is not capable of answering this kind of reverse query as elegantly as RBAC. For more information on the challenges that ABAC faces, refer to the blog posts Challenges of ABAC-Part 1 and Part 2. Axiomatics Reverse Query (ARQ) is the solution to such access control queries.
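To make the difference between a direct query and a reverse query concrete, here is an added example (not code from the original post, and not the ARQ API or XACML syntax). It assumes a constructed toy policy with hypothetical attribute names, combined with deny-overrides, and answers a reverse query by partially evaluating each rule against the attributes that are already known.

```python
# Constructed toy policy: a rule applies when ALL of its attribute conditions hold.
# Attribute names and values are hypothetical; this is not XACML syntax.
POLICY = [
    ("Permit", {"action": "read", "user.role": "doctor", "doc.type": "medical-record"}),
    ("Permit", {"action": "read", "user.dept": "finance", "doc.type": "invoice"}),
    ("Deny",   {"user.status": "suspended"}),
]

def residual(conditions, known):
    """Conditions still unmet given `known`, or None if `known` contradicts the rule."""
    rest = {}
    for attr, value in conditions.items():
        if attr not in known:
            rest[attr] = value          # still open: part of the reverse-query answer
        elif known[attr] != value:
            return None                 # rule can never apply to this partial request
    return rest

def evaluate(request):
    """Direct query (PEP -> PDP): full request in, one decision out (deny-overrides)."""
    effects = {effect for effect, cond in POLICY if residual(cond, request) == {}}
    if "Deny" in effects:
        return "Deny"
    return "Permit" if "Permit" in effects else "NotApplicable"

def reverse_query(known, effect):
    """Reverse query: partial request in, the open conditions of each `effect` rule out."""
    answers = []
    for rule_effect, cond in POLICY:
        rest = residual(cond, known)
        if rule_effect == effect and rest is not None:
            answers.append(rest)
    return answers

def permit_conditions(known):
    """Under deny-overrides, Permit needs one 'any_of' set to hold and no 'none_of' set.
    An empty dict inside 'none_of' means a Deny rule already matches: Permit is impossible."""
    return {"any_of": reverse_query(known, "Permit"),
            "none_of": reverse_query(known, "Deny")}

if __name__ == "__main__":
    print(evaluate({"action": "read", "user.role": "doctor", "doc.type": "medical-record"}))
    print(permit_conditions({"action": "read", "doc.type": "invoice"}))
    print(reverse_query({"user.role": "doctor"}, "Deny"))
```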