When you configure a data access control policy to grant data access permissions to a user in a source system, bear in mind that different platforms apply the policy permissions in different ways.
The following table lists the permissions that you can configure in a data access control policy and the corresponding permissions that the policy enables in source systems:
| Source System | Read Equivalent | Write Equivalent | Delete Equivalent |
|---|---|---|---|
| Amazon Redshift | select | insert, update | delete |
| Amazon S3 | s3:GetObject, s3:ListBucket | s3:PutObject, s3:RestoreObject, s3:AbortMultipartUpload, s3:ListMultipartUploadParts | s3:DeleteObject |
| Databricks | select | modify | (not applicable) |
| Google BigQuery | bigquery.tables.getData | bigquery.tables.updateData (grants insert, update, and delete) | bigquery.tables.updateData (grants insert, update, and delete) |
| Microsoft Fabric Data Lakehouse | select | insert, update | delete |
| Microsoft Fabric Data Warehouse | select | insert, update | delete |
| Microsoft Power BI | For Power BI workspaces: Viewer role; for Power BI data sets: Viewer role | For Power BI workspaces: Contributor role; not applicable for Power BI data sets | (not applicable) |
| Snowflake | select | insert, update | delete |
| Tableau | view template | For Tableau projects: publish template; for Tableau workbooks: download, edit, overwrite, save as; for Tableau data sources: download, overwrite, save as; for Tableau data sheets: download, edit | delete (not applicable for Tableau projects) |
Configuration guidelines
Consider the following guidelines when you configure data access control policy permissions:
General guidelines
Consider the following general guidelines when you configure data access control policy permissions:
• Because views are read-only objects, a source system ignores permissions other than read when a policy applies to a view.
• The delete permission doesn't apply to Databricks or Microsoft Power BI. If you select the delete permission, you don't grant any permission.
Databricks
Consider the following guidelines when you configure data access control policy permissions for Databricks:
• The Databricks modify permission grants write and delete access. If you grant write permission to a Databricks object, you also implicitly grant the delete permission.
• For the Databricks Unity and Hive catalog types, Data Governance and Catalog grants user permissions to catalogs and schemas.
• The Data Access Management Agent service skips any sample tables and system tables when trying to enforce data access control policies. This is because you can't manage sample tables and system tables unless you use an account admin in the connection.
Google BigQuery
Consider the following guidelines when you configure data access control policy permissions for Google BigQuery:
• Users who read data in views need the select permission on their sources.
• Users need select permission in addition to insert, update, and delete.
Microsoft Power BI
Consider the following guidelines when you configure data access control policy permissions for Microsoft Power BI:
• If a data access control policy grants read access to a data set, users have access to all tables in the data set.
• Data filter policies apply to users who have the Viewer role. Any users with other Power BI roles will see all data.
• The Contributor role grants write and delete access to workspace objects. If you grant write permission to a Microsoft Power BI workspace object, you also implicitly grant the delete permission.
Microsoft Fabric Data Warehouse
Users need read access in addition to delete access to delete a table or view.
Snowflake
For Snowflake catalogs, Data Governance and Catalog grants user permissions to databases and schemas.
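
The table and guidelines above can be turned into a least-privilege review that reports what a policy really grants on a platform: implicit delete access, permissions that grant nothing, permissions ignored on views, and missing read prerequisites. This is an added example, not product code; the names `NATIVE`, `IMPLIES`, `NEEDS_READ` and `review_policy` are hypothetical, it covers only some of the platforms in the table, and Power BI is modelled for workspaces only.

```python
READ, WRITE, DELETE = "read", "write", "delete"

# Policy permission -> native permissions, copied from the table on this page
# (subset of platforms; Power BI is modelled for workspaces only).
NATIVE = {
    "Amazon Redshift": {READ: ["select"], WRITE: ["insert", "update"], DELETE: ["delete"]},
    "Databricks": {READ: ["select"], WRITE: ["modify"], DELETE: []},
    "Google BigQuery": {READ: ["bigquery.tables.getData"],
                        WRITE: ["bigquery.tables.updateData"],
                        DELETE: ["bigquery.tables.updateData"]},
    "Microsoft Fabric Data Warehouse": {READ: ["select"], WRITE: ["insert", "update"],
                                        DELETE: ["delete"]},
    "Microsoft Power BI workspace": {READ: ["Viewer role"], WRITE: ["Contributor role"],
                                     DELETE: []},
}
# Native permissions that carry more capability than the policy permission asked for.
IMPLIES = {
    ("Databricks", WRITE): {DELETE},
    ("Google BigQuery", WRITE): {DELETE},
    ("Google BigQuery", DELETE): {WRITE},
    ("Microsoft Power BI workspace", WRITE): {DELETE},
}
# Policy permissions that only work when read is granted as well.
NEEDS_READ = {"Google BigQuery": {WRITE, DELETE}, "Microsoft Fabric Data Warehouse": {DELETE}}


def review_policy(platform, requested, is_view=False):
    """Return (native permissions, effective capabilities, findings) for one policy."""
    requested = set(requested)
    native, effective, findings = set(), set(), []
    if is_view:  # views are read-only: everything except read is ignored
        for perm in sorted(requested - {READ}):
            findings.append(f"{perm}: ignored, views are read-only")
        requested &= {READ}
    for perm in sorted(requested):
        grants = NATIVE[platform][perm]
        if not grants:
            findings.append(f"{perm}: not applicable on {platform}, grants nothing")
            continue
        native.update(grants)
        effective |= {perm} | IMPLIES.get((platform, perm), set())
    for perm in sorted(effective - requested):
        findings.append(f"{perm}: granted implicitly, not requested")
    for perm in sorted(requested & NEEDS_READ.get(platform, set())):
        if READ not in requested:
            findings.append(f"{perm}: needs read as well on {platform}")
    return native, effective, findings
```

Calling `review_policy("Databricks", {"read", "write"})` reports the implicit delete access that comes with `modify`, which is the finding to look for when a policy is meant to allow writes but not deletions.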