Creating data access control rules

You create data access control rules to grant read, write, or delete access to tables or views in a cloud data platform (also called a source system) to a set of user groups that you specify.
    1. Open a data access control policy and select the Rules tab.
    2. Click the plus sign.
    The Rule Overview page appears.
    3. Enter a name and description for the rule.
    4. Click Next.
    The Rule tab appears. On this tab, you specify the conditions under which Data Access Management grants read, write, or delete access to tables or views in a source system.
    The following image shows the Rule tab:
    The image shows the Conditions section of the Rules tab. The Conditions section has one condition defined as "User Group is any of HR Team." "Back," "Save," and "X" buttons appear at the top of the page.
    5. In the Conditions section, select a user group, an operator, and a value.
    6. Choose from the list of known user groups in IDMC if they match the user groups used in your cloud data platform, or add a user group as a custom value. If you add a custom value, enter the name of the Snowflake role or the Databricks account group to which the permissions will be granted.
    Note: Snowflake role names are case sensitive (Snowflake stores an unquoted role name in uppercase, so enter it exactly as Snowflake stores it). Databricks group names are not case sensitive. If the rule will reference both Snowflake and Databricks assets, treat the group name as case sensitive so that it matches on both platforms.
    7. Optionally, click the plus sign again to add another user group.
    You can now add access control filters.

Assigning permissions to source systems

After you define the conditions in a data access control rule, assign permissions to data assets by creating access control filters, then save the rule. A saved rule belongs to a data access control policy and takes effect only when that policy is published.
    1. In the Access Controls section, click New Row.
    The following image shows the Access Controls section of the Rule tab:
    The image shows the Access Controls section of the Rules tab, which has one access control filter defined as "employee, Catalog Source Type: Databricks, Asset Type: Table" with the permissions of Read, Write, and Delete. "Back," "Save," and "X" buttons appear at the top of the page.
    2. Click Add Filter to select one or more catalog source types and data assets.
    The Add Filter window appears.
    The following image shows the Add Filter window:
    The image shows the Add Filter window. The user has entered the word "employees" in the search bar. The results of that query display, which include tables and views that include the word "employees." Details of the selected table appear on the right of the window. In the Filter section, under Catalog Source Type, the user has selected "Databricks." Under Asset Type, the user has selected "Table" and "View." "Add Filter" and "Cancel" buttons appear at the bottom of the window.
    3. Enter a search query to find the data assets that you want to grant permissions to.
    The Preview section shows the current results of that query. Adjust the query to refine the results as needed, and review the preview before you add the filter: every asset listed there receives the permissions you assign.
    Note: A single permission assignment has a limit of 2,000 assets. If the query returns more than 2,000 assets, split the filter across multiple rules so that each query returns at most 2,000 assets.
    Note: Avoid the universal wildcard "*". It grants the selected permissions on every table and view in the selected Data Governance and Catalog catalog source type, which is far broader than a single user group should need.
    4. Click the Filter icon.
    5. Click Add Filter, and select Catalog Source Type.
    Note: Data Access Management only supports specific catalog source types.
    6. Select one or more catalog source types.
    7. Click Add Filter again, and select Asset Type.
    8. Select one or more asset types.
    9. Click Add Filter to return to the Access Controls section of the Rule tab.
    10. Click New Permission.
    11. Select any combination of Read, Write, and Delete.
    Note: Because views are read-only objects, only Read applies to a view even if the rule grants Write and Delete.
    12. Save the rule.
    Your updates take effect when you publish the policy associated with the rule.
    Note: To check whether the policy push-down started, look for the data access sync job type on the Monitor page in Metadata Command Center. To learn more, see "Monitor data access synchronization jobs" in Administration in the Metadata Command Center help.
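The procedure above ends when the policy is published, but nothing on the Monitor page tells you whether the grants that landed in Snowflake or Databricks match what the rule asked for. The following is an added example, not Informatica's code and not part of this page, of how an operator can model a rule and compare it with the rows returned by SHOW GRANTS in the source system. The mapping from Read, Write, and Delete to native privileges (SELECT, INSERT, UPDATE, DELETE on Snowflake; SELECT and MODIFY on Databricks Unity Catalog), the Rule and Asset types, and the sample grant rows are all assumptions constructed for the example; the case-sensitivity, view-is-read-only, and 2,000-asset rules it enforces are the ones stated in the notes above.

```python
"""Added example (not Informatica's code): model a data access control rule and
check it against the grants a source system actually reports.

Privilege mappings and sample data are ASSUMPTIONS constructed for this example.
"""
from dataclasses import dataclass

ASSET_LIMIT = 2000  # per permission assignment, as stated in the procedure

# ASSUMED mapping of rule permissions to native privileges (not from the page).
NATIVE_PRIVS = {
    "snowflake": {"Read": {"SELECT"}, "Write": {"INSERT", "UPDATE"}, "Delete": {"DELETE"}},
    "databricks": {"Read": {"SELECT"}, "Write": {"MODIFY"}, "Delete": {"MODIFY"}},
}


@dataclass(frozen=True)
class Asset:
    source: str  # "snowflake" or "databricks" (catalog source type)
    kind: str    # "table" or "view" (asset type)
    name: str    # fully qualified object name


@dataclass
class Rule:
    groups: list[str]      # Snowflake role names or Databricks account group names
    query: str             # search query typed into the Add Filter window
    assets: list[Asset]    # assets the filter resolved to (the Preview section)
    permissions: set[str]  # any combination of "Read", "Write", "Delete"


def principal_key(source: str, name: str) -> str:
    """Snowflake role names are case sensitive; Databricks group names are not."""
    return name if source == "snowflake" else name.lower()


def validate_rule(rule: Rule) -> list[str]:
    """Pre-flight checks that mirror the notes in the procedure."""
    problems = []
    if rule.query.strip() == "*":
        problems.append("universal wildcard '*' grants access to every table and view "
                        "in the catalog source type")
    if len(rule.assets) > ASSET_LIMIT:
        problems.append(f"{len(rule.assets)} assets exceed the {ASSET_LIMIT}-asset "
                        "limit; split the filter across multiple rules")
    return problems


def expected_grants(rule: Rule) -> dict[tuple[str, str, str], set[str]]:
    """Map (source, principal key, asset name) -> native privileges the rule implies."""
    expected = {}
    for asset in rule.assets:
        perms = rule.permissions
        if asset.kind == "view":  # views are read-only: only Read applies
            perms = perms & {"Read"}
        privs = set().union(*(NATIVE_PRIVS[asset.source][p] for p in perms))
        for group in rule.groups:
            expected[(asset.source, principal_key(asset.source, group), asset.name)] = privs
    return expected


def grant_drift(rule: Rule, observed: list[tuple[str, str, str, str]]):
    """Compare expected grants with SHOW GRANTS rows (source, principal, asset, privilege).

    Returns (missing, unexpected): sets of (source, principal key, asset, privilege).
    Only principals and assets covered by the rule are considered, so grants that
    other rules legitimately produce on other objects are not reported.
    """
    expected = expected_grants(rule)
    actual: dict[tuple[str, str, str], set[str]] = {}
    for source, principal, asset, priv in observed:
        key = (source, principal_key(source, principal), asset)
        if key in expected:
            actual.setdefault(key, set()).add(priv)
    missing, unexpected = set(), set()
    for key, privs in expected.items():
        got = actual.get(key, set())
        missing |= {key + (p,) for p in privs - got}
        unexpected |= {key + (p,) for p in got - privs}
    return missing, unexpected


# Constructed sample: an "HR_TEAM" rule granting Read and Write on employee assets.
SAMPLE_RULE = Rule(
    groups=["HR_TEAM"],
    query="employees",
    assets=[
        Asset("snowflake", "table", "HR_DB.HR.EMPLOYEES"),
        Asset("snowflake", "view", "HR_DB.HR.EMPLOYEES_V"),
        Asset("databricks", "table", "main.hr.employees"),
    ],
    permissions={"Read", "Write"},
)

# Constructed SHOW GRANTS output: (source, principal, asset, privilege).
SAMPLE_GRANTS = [
    ("snowflake", "HR_TEAM", "HR_DB.HR.EMPLOYEES", "SELECT"),
    ("snowflake", "HR_TEAM", "HR_DB.HR.EMPLOYEES", "DELETE"),    # not in the rule
    ("snowflake", "hr_team", "HR_DB.HR.EMPLOYEES_V", "SELECT"),  # wrong case: another role
    ("databricks", "hr_team", "main.hr.employees", "SELECT"),    # case-insensitive match
    ("databricks", "hr_team", "main.hr.employees", "MODIFY"),
]

if __name__ == "__main__":
    print("pre-flight:", validate_rule(SAMPLE_RULE) or "ok")
    missing, unexpected = grant_drift(SAMPLE_RULE, SAMPLE_GRANTS)
    for row in sorted(missing):
        print("MISSING   ", row)
    for row in sorted(unexpected):
        print("UNEXPECTED", row)
```

In the constructed sample the Snowflake SELECT on the view was granted to "hr_team", which Snowflake treats as a different role from "HR_TEAM", so it is reported as missing, while the same spelling difference on Databricks is accepted. The stray DELETE on the Snowflake table is reported as unexpected, which is the kind of drift worth checking after every publish.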