Feature - Policy Enforcement
Apply permissions on a logical grouping of folders, across your data lakes.
Group your tags, no matter where they point
A policy represents a business grouping of folders: a set of data to which access is provided.
Policies allow you to group your folders in ways that make sense for the business. The policy and tagging mechanisms work across all your registered data lakes and can provide access no matter where your data lives. Combine tags in creative ways to meet your access control demands.
Different policy types to meet business needs
AND Policies
This type of policy only includes folders which are tagged by every tag identified in the policy. Great for accomplishing granular access control. For example, let's say your AND policy had the following tags:
- department=finance
- region=north_america
- sensitivity=high
The corresponding AND policy would only give access to finance data, in the North American region, and with high sensitivity.
OR Policies
This type of policy includes folders which are tagged with any of the tags identified in the policy. Useful for support or service principal type access. For example, let's say your OR policy had the following tags:
- region=north_america
- region=europe
The corresponding OR policy would give access to all data within both regions.
Select Your Policy Level
As with folder management, policies can be structured to grant only specific types of access to the target folders included in the policy. These policy levels are:
Level | Effect | Use case |
---|---|---|
Read-only | Only grants read-only access to the target folders. | Useful for granting access for data scientists to existing data structures. Allow them to read data, transform it locally, and write results to sandbox locations. |
Write-only | Only grants write-only access to the target folders. | Useful for ingestion processes where write-only may be desired. This includes flat file loads from 3rd parties, for example. |
Read-write | Grants full access to the target folders. | Useful for administrative purposes, sandbox folders, or service principal access. |
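
The AND and OR matching and the policy levels described above, modelled as an added example (not the product's code or API): the folder paths, the `Policy` class and the `resolve`, `grants` and `review` functions are hypothetical. `review` lists the high-sensitivity folders a policy reaches without naming that tag, which is how a broad OR policy can end up covering more than intended.

```python
# Added illustration: a hypothetical in-memory model of tag-based policies.
# Names, folder paths and functions are assumptions, not the product's API.
from dataclasses import dataclass

LEVELS = {"read-only": {"read"}, "write-only": {"write"},
          "read-write": {"read", "write"}}

@dataclass(frozen=True)
class Policy:
    name: str
    kind: str          # "AND" or "OR"
    tags: frozenset    # "key=value" strings
    level: str         # key of LEVELS

# Constructed sample folders spread over two registered data lakes.
FOLDERS = {
    "lakeA/finance/na/ledger":  {"department=finance", "region=north_america", "sensitivity=high"},
    "lakeA/finance/na/reports": {"department=finance", "region=north_america", "sensitivity=low"},
    "lakeB/finance/eu/ledger":  {"department=finance", "region=europe", "sensitivity=high"},
    "lakeB/marketing/eu/leads": {"department=marketing", "region=europe", "sensitivity=low"},
    "lakeA/hr/apac/payroll":    {"department=hr", "region=asia_pacific", "sensitivity=high"},
}

def matches(policy, folder_tags):
    if not policy.tags:
        # Design choice in this example: an empty AND policy would otherwise
        # match every folder, so an empty tag set matches nothing.
        return False
    if policy.kind == "AND":
        return policy.tags <= folder_tags        # every policy tag present
    if policy.kind == "OR":
        return bool(policy.tags & folder_tags)   # at least one policy tag present
    raise ValueError(f"unknown policy kind: {policy.kind}")

def resolve(policy, folders=FOLDERS):
    """Sorted folder paths the policy covers, regardless of which lake holds them."""
    return sorted(p for p, tags in folders.items() if matches(policy, tags))

def grants(policy, folders=FOLDERS):
    """Map each covered folder to the operations the policy level allows."""
    return {p: LEVELS[policy.level] for p in resolve(policy, folders)}

def review(policy, guard_tag="sensitivity=high", folders=FOLDERS):
    """Folders carrying guard_tag that the policy reaches without naming that tag."""
    if guard_tag in policy.tags:
        return []
    return [p for p in resolve(policy, folders) if guard_tag in folders[p]]

AND_POLICY = Policy("finance-na-high", "AND", frozenset(
    {"department=finance", "region=north_america", "sensitivity=high"}), "read-only")
OR_POLICY = Policy("support-na-eu", "OR", frozenset(
    {"region=north_america", "region=europe"}), "read-write")
```
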