+1

This is really exciting, Prashant, and thank you for driving the initial 
definition.

Since this is built on an existing body of work, I hope that the community can 
come to an agreement quickly.

Best,
Roy Hasson
Microsoft
________________________________
From: Prashant Singh <prashant010...@gmail.com>
Sent: Wednesday, June 25, 2025 2:06 PM
To: dev@iceberg.apache.org <dev@iceberg.apache.org>; d...@polaris.apache.org 
<d...@polaris.apache.org>
Cc: laur...@dremio.com <laur...@dremio.com>; jb.ono...@dremio.com 
<jb.ono...@dremio.com>; Roy Hasson <royhas...@microsoft.com>; Kevin Liu 
<kevinl...@microsoft.com>
Subject: [EXTERNAL] Proposal: Secure Views for FGAC Dynamic Enforcement (based 
on prior Access Decision Exchange work)


Hi everyone,

We’d like to share a proposal to extend Iceberg's view capabilities to support 
Secure Views for Dynamic Policy Enforcement.

This builds upon earlier discussion and proposal around Iceberg Spec Extensions 
for Data Access Decision 
Exchange<https://docs.google.com/document/d/14nmuxxfzQsYo59o0Fbpb-pxOlzS6bVtduL8P8pwKZ6U/edit?tab=t.0#heading=h.irh2zymohx17>,
 with the goal of enabling fine-grained access control (FGAC) through view 
redirection, rather than requiring engines to directly integrate with policy 
stores or evaluators.

The core idea is simple: instead of returning a table in response to loadTable, 
the catalog can return a secure view—dynamically constructed based on the 
caller's access policies and context. This allows engines like Trino or Spark 
to enforce row/column-level governance without policy evaluation logic baked 
into the engine itself. Several organizations already use similar techniques in 
production, such as LinkedIn 
(ViewShift<https://trino.io/assets/blog/trino-summit-2024/trino-summit-2024-linkedin-policy.pdf>)
 and Amazon.

We’ve documented the E2E design details here [OSS] Secure Views for dynamic 
policy 
enforcement<https://docs.google.com/document/d/13roTQxVkaLSZq9iKL7v9ur9wR47K8QWQzjiArrP7vx4/edit?tab=t.0#heading=h.857wopjfxe7n>.
 This outlines how the approach works without any IRC spec changes and with 
close to zero engine changes. Importantly, this now means cross-engine FGAC by 
a centrally managed IRC catalog can work seamlessly even with an engine 
version released years ago, as long as they support IRC.

We have also outlined a phased support plan, including how this approach can 
evolve alongside upcoming Iceberg features like UDFs.


Thanks to Kevin Liu and Roy Hasson from Microsoft, and Laurent and JB from 
Dremio, for being co-conspirators in shaping this proposal and for their 
invaluable feedback and support in making it a reality.

Please let us know your thoughts, questions, or concerns. Looking forward to 
the discussion!


cc Iceberg community, as this approach leverages Iceberg views and expects 
further enhancements via Iceberg Expressions expansion and Iceberg UDFs.

Best,
Prashant Singh & Russell Spitzer
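
The view-redirection idea described in the message above, as an added sketch that is not part of the original e-mail or the linked design document. The Policy shape, the function names and the sample table are assumptions made for illustration; the real catalog response format is defined by the proposal, not here.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Policy:  # hypothetical policy shape, not taken from the proposal
    columns: tuple                    # columns the caller may read at all
    masked: frozenset = frozenset()   # readable columns returned as NULL
    row_filter: Optional[str] = None  # predicate authored by the policy admin

# Constructed sample data (assumption): one table, one principal.
SCHEMAS = {"orders": ["id", "region", "card_number"]}
POLICIES = {
    ("analyst_eu", "orders"): Policy(
        columns=("id", "region", "card_number"),
        masked=frozenset({"card_number"}),
        row_filter="\"region\" = 'EU'",
    ),
}

def quote_ident(name: str) -> str:
    """Quote an identifier so a table or column name cannot alter the SQL."""
    return '"' + name.replace('"', '""') + '"'

def secure_view_sql(table: str, schema: list, policy: Policy) -> str:
    """Build the view text a catalog could return in place of the table."""
    unknown = set(policy.columns) - set(schema)
    if unknown:
        raise ValueError(f"policy references unknown columns: {sorted(unknown)}")
    select = []
    for col in schema:                  # keep the table's column order
        if col not in policy.columns:
            continue                    # column-level deny: omit the column
        q = quote_ident(col)
        select.append(f"NULL AS {q}" if col in policy.masked else q)
    if not select:
        raise PermissionError("policy grants no columns")
    sql = f"SELECT {', '.join(select)} FROM {quote_ident(table)}"
    if policy.row_filter:
        sql += f" WHERE {policy.row_filter}"
    return sql

def load_table(principal, table, schemas=SCHEMAS, policies=POLICIES):
    """Toy stand-in for the catalog's loadTable decision; deny by default."""
    policy = policies.get((principal, table))
    if policy is None:
        raise PermissionError(f"{principal} has no policy for {table}")
    return {"type": "view", "sql": secure_view_sql(table, schemas[table], policy)}
```

The engine only ever sees the returned view text, so row filtering and column masking stay in the catalog; a caller with no matching policy gets an error rather than the base table.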
