Can I hook into the IRIS SQL compiler to inject dynamic policies (e.g., tenant filtering, row masking)?

Question

Question

Jack Rack · Oct 11

We require automatic injection of security predicates at runtime, depending on the user or API token. Is there a supported or hackable mechanism to manipulate SQL parsing/compilation before execution?

Discussion (2)2

Log in or sign up to continue

score 1 · Answer 1 · 2025-10-29T08:00:03-04:00

No.

You can filter results based on the row level security policy
Row-Level Security
https://docs.intersystems.com/iris20252/csp/docbook/Doc.View.cls?KEY=GOB...

You can also grant access to specific columns in tables to particular roles, and then grant these roles to a particular user
https://docs.intersystems.com/iris20252/csp/docbook/Doc.View.cls?KEY=RSQ...

score 1 · Answer 2 · 2025-10-29T11:51:32-04:00

I think @Alexander Koblov actually meant "Yes" :-), as row-level security was indeed designed for exactly this purpose, to inject additional filters into queries based on their credentials.