Feature - Policy Enforcement

Apply permissions on a logical grouping of folders, across your data lakes.

Group your tags, no matter where they point

A policy is a business grouping of folders that together represent a set of data to which access is granted.

Policies allow you to group your folders in ways that make sense for the business. The policy and tagging mechanisms work across all your registered data lakes and can provide access no matter where your data lives. Combine tags in creative ways to meet your access control demands.

Policies using tags across regions

Different policy types to meet business needs

AND Policies

This type of policy includes only folders that are tagged with every tag identified in the policy. Great for accomplishing granular access control. For example, let's say your AND policy had the following tags:

  • department=finance
  • region=north_america
  • sensitivity=high

The corresponding AND policy would only give access to finance data in the North American region with high sensitivity.

OR Policies

This type of policy includes folders that are tagged with any of the tags identified in the policy. Useful for support or service principal type access. For example, let's say your OR policy had the following tags:

  • region=north_america
  • region=europe

The corresponding OR policy would give access to all data within both regions.

Select Your Policy Level

As with folder management, policies can be structured to grant only specific types of access to the target folders included in the policy. These policy levels are:

| Level | Effect | Use case |
|---|---|---|
| Read-only | Only grants read-only access to the target folders. | Useful for granting data scientists access to existing data structures. Allow them to read data, transform it locally, and write results to sandbox locations. |
| Write-only | Only grants write-only access to the target folders. | Useful for ingestion processes where write-only may be desired. This includes flat file loads from 3rd parties, for example. |
| Read-write | Grants full access to the target folders. | Useful for administrative purposes, sandbox folders, or service principal access. |
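
The AND/OR matching and the policy levels described above can be modelled in a few lines. This is an added example, not the product's own code: the `Policy` class, the function names, and the lake names and folder paths are all hypothetical, and only the tags come from the examples on this page. It also shows an edge case worth checking in any tag-based scheme, an AND policy with no tags, which a naive "every tag matches" test would resolve to every folder.

```python
from dataclasses import dataclass

# Constructed sample inventory: folder path -> set of "key=value" tags.
# Lake names and paths are made up for illustration.
FOLDERS = {
    "lake-us://finance/ledger":  {"department=finance", "region=north_america", "sensitivity=high"},
    "lake-us://finance/reports": {"department=finance", "region=north_america", "sensitivity=low"},
    "lake-eu://finance/ledger":  {"department=finance", "region=europe", "sensitivity=high"},
    "lake-eu://marketing/leads": {"department=marketing", "region=europe"},
    "lake-ap://marketing/leads": {"department=marketing", "region=asia_pacific"},
}

# Policy level -> operations it grants on the target folders.
LEVELS = {"read-only": {"read"}, "write-only": {"write"}, "read-write": {"read", "write"}}


@dataclass(frozen=True)
class Policy:
    kind: str        # "AND" or "OR"
    tags: frozenset  # tags identified in the policy
    level: str       # key of LEVELS

    def __post_init__(self):
        if self.kind not in ("AND", "OR") or self.level not in LEVELS:
            raise ValueError("unknown policy kind or level")
        # Fail closed: a subset test against no tags is always true, so an
        # empty AND policy would otherwise match every folder in every lake.
        if not self.tags:
            raise ValueError("a policy must identify at least one tag")


def target_folders(policy, folders=FOLDERS):
    """Return the folders the policy includes, across all lakes."""
    if policy.kind == "AND":
        # Folder must carry every tag in the policy.
        return {p for p, t in folders.items() if policy.tags <= t}
    # OR: folder must carry at least one tag in the policy.
    return {p for p, t in folders.items() if policy.tags & t}


def is_allowed(policy, path, operation, folders=FOLDERS):
    """True if the policy grants `operation` ('read' or 'write') on `path`."""
    return path in target_folders(policy, folders) and operation in LEVELS[policy.level]
```
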