To enable Data Access Management to push down data access control policies and data filter policies into your cloud data platform, complete the necessary configuration and authorization tasks.
The following table lists the types of data access policies that you can push down in each type of cloud data platform:
Cloud Data Platform Type
Data Access Policy Types
Amazon Redshift
Data access control policies
Databricks
Data access control policies
Microsoft Power BI
Data access control policies
Snowflake
Data access control policies and data filter policies
Once you configure your cloud data platform to support pushdown enforcement, you assign permissions to data assets.
Prerequisites for Amazon Redshift pushdown enforcement
You can enable Data Access Management to push down data access control policies into your Amazon Redshift cloud data platform.
Complete the following configuration and authorization tasks for your Amazon Redshift cloud data platform:
1Configure a catalog source.
For more information about configuring a catalog source for Amazon Redshift, see Amazon Redshift.
2Grant the following permissions to the connection associated with your Amazon Redshift cloud data platform:
grant create role to role [IDMC_USER_ROLE]; grant { { SELECT | INSERT | UPDATE | DELETE } [,...] | ALL [ PRIVILEGES ] } on [OBJECT_NAME] to { [IDMC_USER_ROLE] with grant option;
3To grant privileges on an object in Amazon Redshift, you must meet one of the following criteria:
- Be the object owner.
- Be a superuser.
- Have a grant privilege for that object and privilege.
For more information about configuring connection properties to connect to Amazon Redshift, see Connect to Amazon Redshift.
Note: If your organization uses an identity provider (IdP) and pushes data access policies to Amazon Redshift, you must add a custom property for the namespace that Amazon Redshift requires to the Data Access Management Agent service. This allows the Secure Agent to map the IDMC user groups in the data access policies into the IdP-based roles created in a namespace in Amazon Redshift.
You can enable Data Access Management to push down data access control policies into your Databricks cloud data platform.
Complete the following configuration and authorization tasks for your Databricks cloud data platform:
1Ensure that the user identified in the catalog source connection that pushes the policies has Databricks workspace admin privileges on the catalog source.
2Configure a catalog source.
Note: Use a personal access token to connect to your Databricks instance through Data Access Management.
For more information about configuring a catalog source for Databricks, see Register a catalog source.
Prerequisites for Microsoft Power BI pushdown enforcement
You can enable Data Access Management to push down data access control policies into your Microsoft Power BI cloud data platform.
Complete the following configuration and authorization tasks for your Microsoft Power BI cloud data platform:
1For each Microsoft Power BI workspace into which you want Data Access Management to push data access control policies, add the service principal as a member with the Admin permission.
4Grant the following permissions as the Application type to the connection associated with your Microsoft Power BI cloud data platform:
Group.Read.All GroupMember.Read.All
Note: You must click "Grant admin consent" in Microsoft Power BI to approve application permissions.
Prerequisites for Snowflake pushdown enforcement
You can enable Data Access Management to push down data access control policies and data filter policies into your Snowflake cloud data platform.
Complete the following configuration and authorization tasks for your Snowflake cloud data platform:
1Configure a catalog source.
For more information about configuring a catalog source for Snowflake, see Snowflake.
2Determine which types of data access policies you would like to enforce in your Snowflake cloud data platform. You can currently enforce data access control policies and data filter policies. Each requires different permissions.
3For use with data access control policies, grant the following permissions to the connection associated with your Snowflake cloud data platform:
GRANT MANAGE GRANTS ON ACCOUNT TO [IDMC_USER_ROLE]; GRANT CREATE ROLE ON ACCOUNT TO [IDMC_USER_ROLE];
4For use with data filter policies, your Snowflake account needs to be able to enforce Snowflake's row access policies.
To enforce row access policies, Data Access Management requires a Snowflake database to store the necessary objects. You can configure this database in any of the following ways:
- The Data Access Management Secure Agent service can create it automatically, if you grant it the following permission:
GRANT CREATE DATABASE ON ACCOUNT TO [IDMC_USER_ROLE];
- You can create the database yourself by creating a database with the name CDAM_INTERNAL_STATE and granting at a minimum the following permissions to the Snowflake role that you associate with the connection you create in IDMC:
GRANT USAGE ON CDAM_INTERNAL_STATE TO [IDMC_USER_ROLE]; GRANT CREATE ROW ACCESS POLICY ON SCHEMA "CDAM_INTERNAL_STATE"."PUBLIC" TO ROLE [IDMC_USER_ROLE];
For all databases for which you want to apply row access policies, grant the following permission:
GRANT USAGE ON DATABASE [DATABASE_NAME] TO ROLE [IDMC_USER_ROLE];
Regardless of who created the database, grant the following permission to the user in the connection:
GRANT APPLY ROW ACCESS POLICY ON ACCOUNT TO [IDMC_USER_ROLE];