When you configure a data access control policy to grant data access permissions to a user in a source system, bear in mind that different platforms apply the policy permissions in different ways.
The following table lists the permissions that you can configure in a data access control policy and the corresponding permissions that the policy enables in source systems:
Policy Permission in Data Access Management
read
write
delete
Amazon Redshift Permission
select
insert
update
delete
Amazon S3
s3:GetObject
s3:ListBucket
s3:PutObject
s3:RestoreObject
s3:AbortMultipartUpload
s3:ListMultipartUploadParts
s3:DeleteObject
Databricks Permission
select
modify
(not applicable)
Google BigQuery
select
insert
update
delete
insert
update
delete
Microsoft Fabric Data Lakehouse
select
insert
update
delete
Microsoft Fabric Data Warehouse
select
insert
update
delete
Microsoft Power BI Permission
For Power BI workspaces: Viewer role
For Power BI data sets: Viewer role
For Power BI workspaces: Contributor role
Not applicable for Power BI data sets
(not applicable)
Snowflake Permission
select
insert
update
delete
Tableau
view template
For Tableau projects: publish template
For Tableau workbooks: download, edit, overwrite, save as
For Tableau data sources: download, overwrite, save as
For Tableau data sheets: download, edit
delete (not applicable for Tableau projects)
Note the following guidelines when you configure data access control policy permissions:
•Because views are read-only objects, a source system ignores permissions other than read when a policy applies to a view.
•The delete permission doesn't apply to Databricks or Microsoft Power BI. If you select the delete permission, you don't grant any permission.
•The Databricks modify permission grants write and delete access. If you grant write permission to a Databricks object, you also implicitly grant the delete permission.
•For the Databricks Unity and Hive catalog types, Data Access Management grants user permissions to catalogs and schemas.
•For Databricks, sample tables and system tables cannot be managed unless an account admin can be used, which we do not recommend as a minimum permission. The Secure Agent will fail any sample tables and system tables.
•For Google BigQuery, users need to have select permission for all their sources to be able to read data in views.
•Google BigQuery, uses one permission for insert, update, and delete.
•For Google BigQuery, users need to have select permission in addtion to insert, update, and delete in order to perform these actions in tables.
•In Microsoft Power BI, if a data access control policy grants read access to a data set, users will have access to all tables in that data set.
•In Microsoft Power BI, data filter policies only apply for users who have the Viewer role. Any users with other Power BI roles will see all data.
•The Microsoft Power BI Contributor role grants write and delete access to workspace objects. If you grant write permission to a Microsoft Power BI workspace object, you also implicitly grant the delete permission.
•For Microsoft Fabric Data Warehouse, users must have read access in addition to delete access in order to delete a table or view.
•For Snowflake catalogs, Data Access Management grants user permissions to databases and schemas.