When you configure a data access control policy to grant data access permissions to a user in a source system, bear in mind that different platforms apply the policy permissions in different ways.
The following table lists the permissions that you can configure in a data access control policy and the corresponding permissions that the policy enables in source systems:
Source System
read
write
delete
Amazon Redshift
select
insert
update
delete
Amazon S3
s3:GetObject
s3:ListBucket
s3:PutObject
s3:RestoreObject
s3:AbortMultipartUpload
s3:ListMultipartUploadParts
s3:DeleteObject
Databricks
select
modify
(not applicable)
Google BigQuery
bigquery.tables.getData
bigquery.tables.updateData (grants insert, update and delete)
bigquery.tables.updateData (grants insert, update and delete)
Microsoft Fabric Data Lakehouse
select
insert
update
delete
Microsoft Fabric Data Warehouse
select
insert
update
delete
Microsoft Power BI
For Power BI workspaces: Viewer role
For Power BI data sets: Viewer role
For Power BI workspaces: Contributor role
Not applicable for Power BI data sets
(not applicable)
Snowflake
select
insert
update
delete
Tableau
view template
For Tableau projects: publish template
For Tableau workbooks: download, edit, overwrite, save as
For Tableau data sources: download, overwrite, save as
For Tableau data sheets: download, edit
delete (not applicable for Tableau projects)
Guidelines
Note the following guidelines when you configure data access control policy permissions:
General
•Because views are read-only objects, a source system ignores permissions other than read when a policy applies to a view.
•The delete permission doesn't apply to Databricks or Microsoft Power BI. If you select the delete permission, you don't grant any permission.
Databricks
•The Databricks modify permission grants write and delete access. If you grant write permission to a Databricks object, you also implicitly grant the delete permission.
•For the Databricks Unity and Hive catalog types, Data Access Management grants user permissions to catalogs and schemas.
•Sample tables and system tables cannot be managed unless an account admin can be used, which we do not recommend as a minimum permission. The Secure Agent will fail any sample tables and system tables.
Google BigQuery
•Users who read data in views need the select permission on their sources.
•Users need select permission in addition to insert, update, and delete.
Microsoft Power BI
•If a data access control policy grants read access to a data set, users have access to all tables in that data set.
•Data filter policies only apply for users who have the Viewer role. Any users with other Power BI roles will see all data.
•The Contributor role grants write and delete access to workspace objects. If you grant write permission to a Microsoft Power BI workspace object, you also implicitly grant the delete permission.
Microsoft Fabric Data Warehouse
Users must have read access in addition to delete access in order to delete a table or view.
Snowflake
For Snowflake catalogs, Data Access Management grants user permissions to databases and schemas.