User-defined functions (UDFs) extend Planasonix with custom logic—SQL UDFs in the warehouse, script nodes, or engine plugins depending on your deployment. Because UDFs execute arbitrary code or elevated SQL in governed environments, UDF reviews gate what reaches production.

Enterprise feature

The UDF reviews workflow is an Enterprise control. It adds submission, diff review, approval, and audit trails on top of standard pipeline permissions. Without it, UDF changes may follow your normal Git or canvas promotion process only. If you do not see the tab, your organization has not purchased the add-on or an admin disabled the module.

Review workflow

1. Author submits

A developer or analytics engineer packages the UDF with description, inputs/outputs, data classification, and test evidence (sample invocations or unit results).

2. Automated checks

Static scanners flag network calls, filesystem access, and dynamic SQL patterns where policies forbid them. Fix or justify before human review.

3. Peer or security review

Reviewers compare versions, read risk notes, and confirm alignment with data contracts and PII handling.

4. Approval and promotion

Approvers bind the UDF to environments (for example dev → staging → prod). Production deployment is blocked until required signatures are recorded.

Full review: purpose, dependency list, and performance expectations for large partitions.

Approval process

Typical roles:
  • Author – submits and responds to comments
  • Technical reviewer – validates correctness, tests, and resource usage
  • Security or governance – approves when custom code touches sensitive domains
  • Release manager – promotes after change windows and comms
The UI shows status (draft, in review, approved, rejected, revoked) and immutable history for auditors.
Tie approvals to tickets in your ITSM tool via webhook or manual ID fields so compliance can trace every production UDF to a change record.

Security considerations for custom code

UDFs that can open outbound sockets or write to arbitrary stages could leak rows. Block or sandbox capabilities your policy does not allow; prefer pure functions that operate on in-memory arguments.
A UDF running as a high-privilege warehouse role can read tables the author should not see. Use least-privilege roles dedicated to pipeline execution and row access policies where available.
Pin dependencies and scan third-party libraries the same way you scan application services. Re-review when dependencies update.
Unbounded loops, cartesian explosions, or huge aggregates inside a UDF can starve warehouses. Require LIMIT in exploratory queries and cost guards in production.
Revoking a UDF does not automatically rewrite historical runs. Plan how you reprocess or quarantine outputs that depended on a withdrawn function.

Advanced nodes

Where UDFs and extensions surface in the graph.

Data contracts

Encode expectations UDFs must honor.