Treasure Data includes two distinct solutions to help administrators and database owners control who can view, access, and manage databases in the Treasure Data Platform: 

  • Database Access (Legacy)
  • Policy-based Database Permissions

Policy-based database permission is a special feature that allows more granular database access and easier implementation. The following is a high-level workflow of the two solutions.


Database Access (Legacy)

This legacy solution permits database access at the user level. Users can grant others permissions for databases that they created. The database access (legacy) function supports the following types of database access:

  • Import Only: The user can import data to the database.
  • Query Only: The user can view and run queries against the database.
  • Full Access: The user can perform any operation against the database.

For more information, see Setting Database Permissions (Legacy).

Policy-based Database Permissions

Policy-based permissions (PBP) for databases is a feature that lets you take advantage of more granular-level permissions and easier implementation. Unlike database access (legacy) permissions which are administered at the user level, policy-based database permissions are administered at the policy level. Only administrators can create and manage policies for database permissions and then apply those policies to users.

Administrators must grant themselves Full Access permission by creating a policy and assigning it to themselves.


Policy-based database permissions include most of the database access (legacy) permissions*:

  • Full Access: The user can create new and manage and delete all databases in the account.
  • Limited Access: The user has access to one or more databases with specific permissions:
    • Manage Own: The user can create, manage, and delete the databases they created.
    • Download: The user can download data for any database to which they have access.
    • General Access: The user can access a specific database and work with database tables.
    • Query-only: The user can only query the database that the administrator has granted permission.
    • Import-only: The user can create tables and import data to a database table.

*Policy-based database permissions inherit Query-only, Import-only, and General Access from legacy database permissions.

After the policy-based database permission feature is enabled, managing access control at the user level is no longer available. You cannot revert to the previous database access (legacy) model.

For more information, see Setting Policy-based Database Permissions in TD Console.

  • No labels