Creating data access control rules

You create data access control rules to grant read, write, or delete access to tables or views in a cloud data platform (also called a source system) for a set of user groups that you specify.

1. Open a data access control policy and select the Rules tab.
2. Click the plus sign.
   The Rule Overview page appears.
3. Enter a name and description for the rule.
4. Click Next.
   The Rule tab appears. On this tab, you specify the conditions under which Data Access Management will grant read, write, or delete access to tables or views in a source system.
   The following image shows the Rule tab:
   The image shows the Conditions section of the Rules tab. The Conditions section has one condition defined as "User Group is any of HR Team." "Back," "Save," and "X" buttons appear at the top of the page.
5. In the Conditions section, select a user group, an operator, and a value.
6. You can choose from the list of known user groups in IDMC if those are the same user groups used in your cloud data platform, or you can add a user group as a custom value. If you add a custom value, enter the name of the role or the account group to which the permissions will be granted.
   Note: Some catalog sources, such as Snowflake, have case-sensitive role names. If the rule references assets in Snowflake and in another cloud data platform, treat the role name or group name as case sensitive.
7. Optionally, click the plus sign again to add another user group.

You can now add access control filters.

Assigning permissions to source systems

After you create conditions in a data access control rule, you assign permissions to data assets by creating access control filters. You then save the data access control rule to the data access control policy.

1. In the Access Controls section, click New Row.
   The following image shows the Access Controls section of the Rule tab:
   The image shows the Access Controls section of the Rules tab, which has one access control filter defined as "employee, Catalog Source Type: Databricks, Asset Type: Table" with the permissions of Read, Write, and Delete. "Back," "Save," and "X" buttons appear at the top of the page.
2. Click Add Filter to select one or more catalog source types and data assets.
   The Add Filter window appears.
   The following image shows the Add Filter window:
   The image shows the Add Filter window with the results of a search query, which include tables and views. Details of the selected table appear on the right of the window.
3. Enter a search query to find the data assets for which you want to grant permissions.
   The Preview section shows the current results of the query. The Asset Type and Catalog Source Type filters are pre-populated. Adjust these filters and your search query to refine the results as needed.
   Note: Data Access Management supports only specific catalog source types.
   Note the following about query results:
4. Click Add Filter to return to the Access Controls section of the Rule tab.
5. Click New Permission.
6. Select any combination of Read, Write, and Delete. Read is selected by default.
   Note: Because views are read-only objects, only the read permission applies to a view even if your rule grants write and delete permissions.
7. Save the rule.
   Your updates take effect when the policy associated with the rule is published.
   If you do not have a workflow configured, the rule changes to published status.
   If you have a workflow configured, the rule and its associated policy change to draft status.
   For more information about designing workflows, see Workflows in the Metadata Command Center help.
   Note: You can monitor the policy pushdown that publishing initiates by using the data access sync job type on the Monitor page in Metadata Command Center.
   For more information about data access sync jobs, see Monitor data access jobs in the Metadata Command Center help.