ethyca-fides 2.66.1b1__py2.py3-none-any.whl → 2.66.2__py2.py3-none-any.whl

fides/_version.py

@@ -8,11 +8,11 @@ import json
 
 version_json = '''
 {
- "date": "2025-07-23T12:23:11-0600",
+ "date": "2025-07-29T14:18:39-0400",
  "dirty": false,
  "error": null,
- "full-revisionid": "c91a4a39d154eb33dc8333448c5500da2979eda5",
- "version": "2.66.1b1"
+ "full-revisionid": "15db4e93dd6f5c214b575e480682ef72be3172ef",
+ "version": "2.66.2"
 }
 '''  # END VERSION_JSON
 

fides/api/api/v1/endpoints/dataset_config_endpoints.py

@@ -1,7 +1,7 @@
 from typing import Annotated, Any, Dict, List, Optional
 
 import yaml
-from fastapi import Depends, HTTPException, Query, Request
+from fastapi import Depends, HTTPException, Request
 from fastapi.encoders import jsonable_encoder
 from fastapi.params import Security
 from fastapi_pagination import Page, Params
@@ -68,18 +68,10 @@ from fides.api.models.sql_models import (  # type: ignore[attr-defined] # isort:
 )
 
 X_YAML = "application/x-yaml"
-MAX_DATASET_CONFIGS_FOR_INTEGRATION_FORM = 1000
 
 router = APIRouter(tags=["Dataset Configs"], prefix=V1_URL_PREFIX)
 
 
-# Custom Params class with higher limit for dataset configs
-class DatasetConfigParams(Params):
-    size: int = Query(
-        50, ge=1, le=MAX_DATASET_CONFIGS_FOR_INTEGRATION_FORM, description="Page size"
-    )
-
-
 # Helper method to inject the parent ConnectionConfig into these child routes
 def _get_connection_config(
     connection_key: FidesKey, db: Session = Depends(deps.get_db)
@@ -139,7 +131,7 @@ def validate_dataset(
     response_model=BulkPutDataset,
 )
 def put_dataset_configs(
-    dataset_pairs: Annotated[List[DatasetConfigCtlDataset], Field(max_length=MAX_DATASET_CONFIGS_FOR_INTEGRATION_FORM)],  # type: ignore
+    dataset_pairs: Annotated[List[DatasetConfigCtlDataset], Field(max_length=50)],  # type: ignore
     db: Session = Depends(deps.get_db),
     dataset_config_service: DatasetConfigService = Depends(get_dataset_config_service),
     connection_config: ConnectionConfig = Depends(_get_connection_config),
@@ -189,7 +181,7 @@ def put_dataset_configs(
     response_model=BulkPutDataset,
 )
 def patch_dataset_configs(
-    dataset_pairs: Annotated[List[DatasetConfigCtlDataset], Field(max_length=MAX_DATASET_CONFIGS_FOR_INTEGRATION_FORM)],  # type: ignore
+    dataset_pairs: Annotated[List[DatasetConfigCtlDataset], Field(max_length=50)],  # type: ignore
     dataset_config_service: DatasetConfigService = Depends(get_dataset_config_service),
     connection_config: ConnectionConfig = Depends(_get_connection_config),
 ) -> BulkPutDataset:
@@ -225,7 +217,7 @@ def patch_dataset_configs(
     response_model=BulkPutDataset,
 )
 def patch_datasets(
-    datasets: Annotated[List[FideslangDataset], Field(max_length=1000)],  # type: ignore
+    datasets: Annotated[List[FideslangDataset], Field(max_length=50)],  # type: ignore
     dataset_config_service: DatasetConfigService = Depends(get_dataset_config_service),
     connection_config: ConnectionConfig = Depends(_get_connection_config),
 ) -> BulkPutDataset:
@@ -375,7 +367,7 @@ def get_dataset(
 )
 def get_dataset_configs(
     db: Session = Depends(deps.get_db),
-    params: DatasetConfigParams = Depends(),
+    params: Params = Depends(),
     connection_config: ConnectionConfig = Depends(_get_connection_config),
 ) -> AbstractPage[DatasetConfig]:
     """Returns all Dataset Configs attached to current Connection Config."""

fides/api/api/v1/endpoints/user_endpoints.py

@@ -6,7 +6,6 @@ from typing import List, Optional
 
 import jose.exceptions
 from fastapi import Depends, HTTPException, Security
-from fastapi.security import SecurityScopes
 from fastapi_pagination import Page, Params
 from fastapi_pagination.bases import AbstractPage
 from fastapi_pagination.ext.sqlalchemy import paginate
@@ -40,9 +39,7 @@ from fides.api.oauth.roles import APPROVER, VIEWER
 from fides.api.oauth.utils import (
     create_temporary_user_for_login_flow,
     extract_payload,
-    extract_token_and_load_client,
     get_current_user,
-    has_permissions,
     oauth2_scheme,
     verify_oauth_client,
 )
@@ -68,7 +65,6 @@ from fides.common.api.scope_registry import (
     USER_DELETE,
     USER_PASSWORD_RESET,
     USER_READ,
-    USER_READ_OWN,
     USER_UPDATE,
 )
 from fides.common.api.v1 import urn_registry as urls
@@ -111,37 +107,6 @@ def _validate_current_user(user_id: str, user_from_token: FidesUser) -> None:
         )
 
 
-def verify_user_read_scopes(
-    authorization: str = Security(oauth2_scheme),
-    db: Session = Depends(get_db),
-) -> ClientDetail:
-    """
-    Custom dependency that verifies the user has either USER_READ or USER_READ_OWN scope.
-    Returns the client if authorized.
-    """
-    token_data, client = extract_token_and_load_client(authorization, db)
-
-    # Try USER_READ first
-    if has_permissions(
-        token_data=token_data,
-        client=client,
-        endpoint_scopes=SecurityScopes([USER_READ]),
-    ):
-        return client
-
-    if has_permissions(
-        token_data=token_data,
-        client=client,
-        endpoint_scopes=SecurityScopes([USER_READ_OWN]),
-    ):
-        return client
-
-    raise HTTPException(
-        status_code=HTTP_403_FORBIDDEN,
-        detail="Not authorized.",
-    )
-
-
 @router.put(
     urls.USER_DETAIL,
     dependencies=[Security(verify_oauth_client)],
@@ -533,38 +498,14 @@ def delete_user(
 
 @router.get(
     urls.USER_DETAIL,
-    dependencies=[Security(verify_user_read_scopes)],
+    dependencies=[Security(verify_oauth_client, scopes=[USER_READ])],
     response_model=UserResponse,
 )
-def get_user(
-    *,
-    db: Session = Depends(get_db),
-    user_id: str,
-    client: ClientDetail = Security(verify_user_read_scopes),
-    authorization: str = Security(oauth2_scheme),
-) -> FidesUser:
-    """Returns a User based on an Id. Users with USER_READ_OWN scope can only access their own data."""
+def get_user(*, db: Session = Depends(get_db), user_id: str) -> FidesUser:
+    """Returns a User based on an Id"""
     user: Optional[FidesUser] = FidesUser.get_by_key_or_id(db, data={"id": user_id})
     if user is None:
         raise HTTPException(status_code=HTTP_404_NOT_FOUND, detail="User not found")
-    token_data, _ = extract_token_and_load_client(authorization, db)
-    # Check if user has USER_READ_OWN scope and is trying to access someone else's data
-    # The verify_user_read_scopes dependency already verified the user has either USER_READ or USER_READ_OWN
-    # We need to check if they have USER_READ_OWN and are accessing their own data
-    if has_permissions(
-        token_data=token_data,
-        client=client,
-        endpoint_scopes=SecurityScopes([USER_READ]),
-    ):
-        logger.debug("Returning user with id: '{}'.", user_id)
-        return user
-
-    # User has USER_READ_OWN scope, check if they're accessing their own data
-    if user.id != client.user_id:
-        raise HTTPException(
-            status_code=HTTP_403_FORBIDDEN,
-            detail="You can only access your own user data with USER_READ_OWN scope.",
-        )
 
     logger.debug("Returning user with id: '{}'.", user_id)
     return user
@@ -572,7 +513,7 @@ def get_user(
 
 @router.get(
     urls.USERS,
-    dependencies=[Security(verify_user_read_scopes)],
+    dependencies=[Security(verify_oauth_client, scopes=[USER_READ])],
     response_model=Page[UserResponse],
 )
 def get_users(
@@ -580,28 +521,11 @@ def get_users(
     db: Session = Depends(get_db),
     params: Params = Depends(),
     username: Optional[str] = None,
-    client: ClientDetail = Security(verify_user_read_scopes),
-    authorization: str = Security(oauth2_scheme),
 ) -> AbstractPage[FidesUser]:
-    """Returns a paginated list of users. Users with USER_READ_OWN scope only see their own data."""
+    """Returns a paginated list of all users"""
     query = FidesUser.query(db)
-
-    # Check if user has USER_READ_OWN scope and filter accordingly
-    # The verify_user_read_scopes dependency already verified the user has either USER_READ or USER_READ_OWN
-    token_data, _ = extract_token_and_load_client(authorization, db)
-    if has_permissions(
-        token_data=token_data,
-        client=client,
-        endpoint_scopes=SecurityScopes([USER_READ]),
-    ):
-        # User has USER_READ scope, can see all users
-        if username:
-            query = query.filter(FidesUser.username.ilike(f"%{escape_like(username)}%"))
-    else:
-        # User has USER_READ_OWN scope, only show their own data
-        query = query.filter(FidesUser.id == client.user_id)
-        if username:
-            query = query.filter(FidesUser.username.ilike(f"%{escape_like(username)}%"))
+    if username:
+        query = query.filter(FidesUser.username.ilike(f"%{escape_like(username)}%"))
 
     logger.debug("Returning a paginated list of users.")
 

fides/api/db/base.py

@@ -33,7 +33,6 @@ from fides.api.models.identity_salt import IdentitySalt
 from fides.api.models.location_regulation_selections import LocationRegulationSelections
 from fides.api.models.manual_task import (
     ManualTask,
-    ManualTaskConditionalDependency,
     ManualTaskConfig,
     ManualTaskConfigField,
     ManualTaskInstance,

fides/api/graph/execution.py

@@ -1,7 +1,6 @@
 from typing import Any, Callable, Dict, List, Optional, Set, Tuple
 
 from fideslang.validation import FidesKey
-from loguru import logger
 
 from fides.api.graph.config import (
     Collection,
@@ -118,8 +117,6 @@ class ExecutionNode(Contextualizable):  # pylint: disable=too-many-instance-attr
         The values are cast based on field types, if those types are specified.
         """
         out = {}
-        failed_conversions: Dict[str, Dict[str, Any]] = {}
-
         for key, values in input_data.items():
             path: FieldPath = FieldPath.parse(key)
             field: Optional[Field] = self.collection.field(path)
@@ -129,31 +126,4 @@ class ExecutionNode(Contextualizable):  # pylint: disable=too-many-instance-attr
                 filtered = list(filter(lambda x: x is not None, cast_values))
                 if filtered:
                     out[key] = filtered
-                elif values:  # Had input values but all failed conversion
-                    # Track conversion failures for logging
-                    failed_conversions[key] = {"field": field, "input_values": values}
-
-        # Log conversion failures if any occurred
-        if failed_conversions:
-            field_details = []
-            for field_name, failure_info in failed_conversions.items():
-                field = failure_info["field"]
-                values = failure_info["input_values"]
-
-                expected_type = field.data_type() if field else "unknown"
-                actual_types = {type(v).__name__ for v in values if v is not None}
-                actual_type_str = (
-                    ", ".join(sorted(actual_types)) if actual_types else "NoneType"
-                )
-
-                field_details.append(
-                    f"{field_name} (expected: {expected_type}, got: {actual_type_str})"
-                )
-
-            logger.warning(
-                "Type conversion failures for {}: {}",
-                self.address,
-                "; ".join(field_details),
-            )
-
         return out

fides/api/models/{manual_task/manual_task.py → manual_task.py}

@@ -26,9 +26,6 @@ from fides.api.schemas.base_class import FidesSchema
 if TYPE_CHECKING:
     from fides.api.models.attachment import Attachment
     from fides.api.models.fides_user import FidesUser
-    from fides.api.models.manual_task.conditional_dependency import (
-        ManualTaskConditionalDependency,
-    )
 
 # ------------------------------------------------------------
 # Enums
@@ -245,13 +242,6 @@ class ManualTask(Base):
         viewonly=True,  # No cascade delete - submissions are historical data
     )
 
-    conditional_dependencies = relationship(
-        "ManualTaskConditionalDependency",
-        back_populates="task",
-        uselist=True,
-        cascade="all, delete-orphan",
-    )
-
     # Properties
     @property
     def assigned_users(self) -> list[str]:

fides/api/oauth/roles.py

@@ -47,7 +47,6 @@ from fides.common.api.scope_registry import (
     SYSTEM_READ,
     USER_PERMISSION_ASSIGN_OWNERS,
     USER_READ,
-    USER_READ_OWN,
     WEBHOOK_READ,
 )
 
@@ -127,7 +126,6 @@ viewer_scopes = [  # Intentionally omitted USER_PERMISSION_READ and PRIVACY_REQU
 
 respondent_scopes = [
     PRIVACY_REQUEST_MANUAL_STEPS_RESPOND,  # allows respondents to respond to assigned manual steps
-    USER_READ_OWN,
 ]
 
 external_respondent_scopes = [

fides/api/schemas/application_config.py

@@ -11,14 +11,6 @@ from fides.api.schemas.messaging.messaging import MessagingServiceType
 from fides.config.admin_ui_settings import ErrorNotificationMode
 
 
-class SqlDryRunMode(str, Enum):
-    """SQL dry run mode for controlling execution of SQL statements in privacy requests"""
-
-    none = "none"
-    access = "access"
-    erasure = "erasure"
-
-
 class StorageTypeApiAccepted(Enum):
     """Enum for storage destination types accepted in API updates"""
 
@@ -70,9 +62,7 @@ class ExecutionApplicationConfig(FidesSchema):
     subject_identity_verification_required: Optional[bool] = None
     disable_consent_identity_verification: Optional[bool] = None
     require_manual_request_approval: Optional[bool] = None
-    sql_dry_run: Optional[SqlDryRunMode] = None
-
-    model_config = ConfigDict(use_enum_values=True, extra="forbid")
+    model_config = ConfigDict(extra="forbid")
 
 
 class AdminUIConfig(FidesSchema):

fides/api/service/connectors/base_connector.py

@@ -82,7 +82,6 @@ class BaseConnector(Generic[DB_CONNECTOR_TYPE], ABC):
         privacy_request: PrivacyRequest,
         request_task: RequestTask,
         rows: List[Row],
-        input_data: Optional[Dict[str, List[Any]]] = None,
     ) -> int:
         """Execute a masking request. Return the number of rows that have been updated
 

fides/api/service/connectors/bigquery_connector.py

@@ -1,8 +1,13 @@
-from typing import Any, Dict, List, Optional
+from typing import List, Optional
 
 from loguru import logger
 from sqlalchemy import text
-from sqlalchemy.engine import Connection, Engine, create_engine  # type: ignore
+from sqlalchemy.engine import (  # type: ignore
+    Connection,
+    Engine,
+    LegacyCursorResult,
+    create_engine,
+)
 from sqlalchemy.orm import Session
 from sqlalchemy.sql import Executable  # type: ignore
 from sqlalchemy.sql.elements import TextClause
@@ -12,7 +17,6 @@ from fides.api.graph.execution import ExecutionNode
 from fides.api.models.connectionconfig import ConnectionTestStatus
 from fides.api.models.policy import Policy
 from fides.api.models.privacy_request import PrivacyRequest, RequestTask
-from fides.api.schemas.application_config import SqlDryRunMode
 from fides.api.schemas.connection_configuration.connection_secrets_bigquery import (
     BigQuerySchema,
 )
@@ -95,16 +99,6 @@ class BigQueryConnector(SQLConnector):
         logger.info(
             f"Executing {len(partition_clauses)} partition queries for node '{query_config.node.address}' in DSR execution"
         )
-
-        if self.should_dry_run(SqlDryRunMode.access):
-            for partition_clause in partition_clauses:
-                existing_bind_params = stmt.compile().params
-                partitioned_stmt = text(
-                    f"{stmt} AND ({text(partition_clause)})"
-                ).params(existing_bind_params)
-                logger.warning(f"SQL DRY RUN - Would execute SQL: {partitioned_stmt}")
-            return []
-
         rows = []
         for partition_clause in partition_clauses:
             logger.debug(
@@ -141,39 +135,6 @@ class BigQueryConnector(SQLConnector):
             logger.exception(f"Error testing connection to remote BigQuery {str(e)}")
             raise ConnectionException(f"Connection error: {e}")
 
-    def _execute_statements_with_sql_dry_run(
-        self,
-        statements: List[Executable],
-        sql_dry_run_enabled: bool,
-        client: Engine,
-    ) -> int:
-        """
-        Execute SQL statements with sql_dry_run support.
-
-        Args:
-            statements: List of SQL statements to execute
-            sql_dry_run_enabled: Whether sql_dry_run mode is enabled
-            client: Database engine
-
-        Returns:
-            int: Number of affected rows (0 in sql_dry_run mode)
-        """
-        if not statements:
-            return 0
-
-        if sql_dry_run_enabled:
-            for stmt in statements:
-                logger.warning(f"SQL DRY RUN - Would execute SQL: {stmt}")
-            return 0
-
-        row_count = 0
-        with client.connect() as connection:
-            for stmt in statements:
-                results = connection.execute(stmt)
-                logger.debug(f"Affected {results.rowcount} rows")
-                row_count += results.rowcount
-        return row_count
-
     def mask_data(
         self,
         node: ExecutionNode,
@@ -181,31 +142,22 @@ class BigQueryConnector(SQLConnector):
         privacy_request: PrivacyRequest,
         request_task: RequestTask,
         rows: List[Row],
-        input_data: Optional[Dict[str, List[Any]]] = None,
     ) -> int:
         """Execute a masking request. Returns the number of records updated or deleted"""
-
         query_config = self.query_config(node)
         update_or_delete_ct = 0
         client = self.client()
-
-        if query_config.uses_delete_masking_strategy():
-            delete_stmts = query_config.generate_delete(client, input_data or {})
-            logger.debug(f"Generated {len(delete_stmts)} DELETE statements")
-            update_or_delete_ct += self._execute_statements_with_sql_dry_run(
-                delete_stmts, self.should_dry_run(SqlDryRunMode.erasure), client
-            )
-        else:
-            for row in rows:
-                update_or_delete_stmts: List[Executable] = query_config.generate_update(
-                    row, policy, privacy_request, client
-                )
-                logger.debug(
-                    f"Generated {len(update_or_delete_stmts)} UPDATE statements"
-                )
-                update_or_delete_ct += self._execute_statements_with_sql_dry_run(
-                    update_or_delete_stmts,
-                    self.should_dry_run(SqlDryRunMode.erasure),
-                    client,
+        for row in rows:
+            update_or_delete_stmts: List[Executable] = (
+                query_config.generate_masking_stmt(
+                    node, row, policy, privacy_request, client
                 )
+            )
+            if update_or_delete_stmts:
+                with client.connect() as connection:
+                    for update_or_delete_stmt in update_or_delete_stmts:
+                        results: LegacyCursorResult = connection.execute(
+                            update_or_delete_stmt
+                        )
+                        update_or_delete_ct = update_or_delete_ct + results.rowcount
         return update_or_delete_ct

fides/api/service/connectors/dynamodb_connector.py

@@ -140,9 +140,8 @@ class DynamoDBConnector(BaseConnector[Any]):  # type: ignore
         privacy_request: PrivacyRequest,
         request_task: RequestTask,
         rows: List[Row],
-        input_data: Optional[Dict[str, List[Any]]] = None,
     ) -> int:
-        """Execute a masking request for DynamoDB"""
+        """Execute a masking requestfor DynamoDB"""
 
         query_config = self.query_config(node)
         collection_name = node.address.collection

fides/api/service/connectors/fides_connector.py

@@ -142,7 +142,6 @@ class FidesConnector(BaseConnector[FidesClient]):
         privacy_request: PrivacyRequest,
         request_task: RequestTask,
         rows: List[Row],
-        input_data: Optional[Dict[str, List[Any]]] = None,
     ) -> int:
         """Execute an erasure request on remote fides"""
         identity_data = {

fides/api/service/connectors/http_connector.py

@@ -90,7 +90,6 @@ class HTTPSConnector(BaseConnector[None]):
         privacy_request: PrivacyRequest,
         request_task: RequestTask,
         rows: List[Row],
-        input_data: Optional[Dict[str, List[Any]]] = None,
     ) -> int:
         """Currently not supported as webhooks are not called at the collection level"""
         raise NotImplementedError(

fides/api/service/connectors/manual_task_connector.py

@@ -80,7 +80,6 @@ class ManualTaskConnector(BaseConnector):
         privacy_request: PrivacyRequest,
         request_task: RequestTask,
         rows: List[Row],
-        input_data: Optional[Dict[str, List[Any]]] = None,
     ) -> int:
         """
         Manual tasks don't support erasure operations.

fides/api/service/connectors/manual_webhook_connector.py

@@ -1,4 +1,4 @@
-from typing import Any, Dict, List, Optional
+from typing import Any, Dict, List
 
 from fides.api.graph.execution import ExecutionNode
 from fides.api.models.connectionconfig import ConnectionConfig, ConnectionTestStatus
@@ -53,7 +53,6 @@ class ManualWebhookConnector(BaseConnector[None]):
         privacy_request: PrivacyRequest,
         request_task: RequestTask,
         rows: List[Row],
-        input_data: Optional[List[List[Row]]] = None,
     ) -> None:
         """
         Not applicable for a manual webhook.  Manual webhooks are not called as part of the traversal.

fides/api/service/connectors/mongodb_connector.py

@@ -126,7 +126,6 @@ class MongoDBConnector(BaseConnector[MongoClient]):
         privacy_request: PrivacyRequest,
         request_task: RequestTask,
         rows: List[Row],
-        input_data: Optional[Dict[str, List[Any]]] = None,
     ) -> int:
         """Execute a masking request"""
         query_config = self.query_config(node)

fides/api/service/connectors/okta_connector.py

@@ -82,7 +82,6 @@ class OktaConnector(BaseConnector):
         privacy_request: PrivacyRequest,
         request_task: RequestTask,
         rows: List[Row],
-        input_data: Optional[Dict[str, List[Any]]] = None,
     ) -> int:
         """DSR execution not supported for Okta connector"""
         return 0

fides/api/service/connectors/query_configs/bigquery_query_config.py

@@ -3,7 +3,7 @@ from typing import Any, Dict, List, Optional, Union, cast
 import pydash
 from fideslang.models import MaskingStrategies
 from loguru import logger
-from sqlalchemy import MetaData, Table, or_, text
+from sqlalchemy import MetaData, Table, text
 from sqlalchemy.engine import Engine
 from sqlalchemy.sql import Delete, Update
 from sqlalchemy.sql.elements import ColumnElement, TextClause
@@ -125,7 +125,6 @@ class BigQueryQueryConfig(QueryStringWithoutTuplesOverrideQueryConfig):
         policy: Policy,
         request: PrivacyRequest,
         client: Engine,
-        input_data: Optional[Dict[str, List[Any]]] = None,
     ) -> Union[List[Update], List[Delete]]:
         """
         Generate a masking statement for BigQuery.
@@ -138,7 +137,7 @@ class BigQueryQueryConfig(QueryStringWithoutTuplesOverrideQueryConfig):
             logger.info(
                 f"Masking override detected for collection {node.address.value}: {masking_override.strategy.value}"
             )
-            return self.generate_delete(client, input_data or {})
+            return self.generate_delete(row, client)
         return self.generate_update(row, policy, request, client)
 
     def generate_update(
@@ -219,30 +218,27 @@ class BigQueryQueryConfig(QueryStringWithoutTuplesOverrideQueryConfig):
 
         return [table.update().where(*where_clauses).values(**final_update_map)]
 
-    def generate_delete(
-        self,
-        client: Engine,
-        input_data: Optional[Dict[str, List[Any]]] = None,
-    ) -> List[Delete]:
-        """
-        Returns a List of SQLAlchemy DELETE statements for BigQuery. Does not actually execute the delete statement.
+    def generate_delete(self, row: Row, client: Engine) -> List[Delete]:
+        """Returns a List of SQLAlchemy DELETE statements for BigQuery. Does not actually execute the delete statement.
 
         Used when a collection-level masking override is present and the masking strategy is DELETE.
 
         A List of multiple DELETE statements are returned for partitioned tables; for a non-partitioned table,
         a single DELETE statement is returned in a List for consistent typing.
-        """
 
-        if not input_data:
-            logger.warning(
-                "No input data provided for node '{}', skipping DELETE statement generation",
-                self.node.address,
-            )
-            return []
+        TODO: DRY up this method and `generate_update` a bit
+        """
 
-        filtered_data = self.node.typed_filtered_values(input_data)
+        non_empty_reference_field_keys: Dict[str, Field] = filter_nonempty_values(
+            {
+                fpath.string_path: fld.cast(row[fpath.string_path])
+                for fpath, fld in self.reference_field_paths.items()
+                if fpath.string_path in row
+            }
+        )
 
-        if not filtered_data:
+        valid = len(non_empty_reference_field_keys) > 0
+        if not valid:
             logger.warning(
                 "There is not enough data to generate a valid DELETE statement for {}",
                 self.node.address,
@@ -250,17 +246,9 @@ class BigQueryQueryConfig(QueryStringWithoutTuplesOverrideQueryConfig):
             return []
 
         table = Table(self._generate_table_name(), MetaData(bind=client), autoload=True)
-
-        # Build individual reference clauses
-        where_clauses: List[ColumnElement] = []
-        for column_name, values in filtered_data.items():
-            if len(values) == 1:
-                where_clauses.append(getattr(table.c, column_name) == values[0])
-            else:
-                where_clauses.append(getattr(table.c, column_name).in_(values))
-
-        # Combine reference clauses with OR instead of AND
-        combined_reference_clause = or_(*where_clauses)
+        where_clauses: List[ColumnElement] = [
+            getattr(table.c, k) == v for k, v in non_empty_reference_field_keys.items()
+        ]
 
         if self.partitioning:
             partition_clauses = self.get_partition_clauses()
@@ -271,25 +259,12 @@ class BigQueryQueryConfig(QueryStringWithoutTuplesOverrideQueryConfig):
 
             for partition_clause in partition_clauses:
                 partitioned_queries.append(
-                    table.delete()
-                    .where(combined_reference_clause)
-                    .where(text(partition_clause))
+                    table.delete().where(*(where_clauses + [text(partition_clause)]))
                 )
 
             return partitioned_queries
 
-        return [table.delete().where(combined_reference_clause)]
-
-    def uses_delete_masking_strategy(self) -> bool:
-        """Check if this collection uses DELETE masking strategy.
-
-        Returns True if masking override is present and strategy is DELETE.
-        """
-        masking_override = self.node.collection.masking_strategy_override
-        return (
-            masking_override is not None
-            and masking_override.strategy == MaskingStrategies.DELETE
-        )
+        return [table.delete().where(*where_clauses)]
 
     def format_fields_for_query(
         self,