When you create policy-based column-level access control permissions, you define access control for specific columns and then assign the policy to specific users. You must have the policy-based Column-level Access Control feature enabled to create these permissions.

Understanding Tag-based Permission for Columns

  • Before we begin to configure the policy, it's important to understand the different types of column accessibility and their definitions. There are three types of column accessibilities a user can define with tags:

    • None - The user cannot see the column nor query the column

    • View - The user can see the column

    • Masked - The user sees the column with hashed values, and they can query it

  • Accessibility is assigned to a tag in the policy. This means that all columns that are annotated with the tag inherit the accessibility assigned to the tag. For example, if the PII tag is assigned with accessibility None, all columns tagged with the PII tag will have "None" as the accessibility for the user who is assigned with the policy.

  • A policy always has the initial setting of “None” for the default column accessibility. A user can change the default accessibility to View. The default accessibility setting determines the accessibility of:

    • The initial state of all columns

    • New columns & untagged columns

Enabling Policy-based Column-level Access Control

You must have the policy-based Column-level Access Control feature enabled. Contact your Customer Success representative about enabling this feature. After enabling the feature, Treasure Data automatically creates a new permissions policy "Columns full" and applies it to all existing users. This ensures that all existing users have access to all columns as the initial state. The administrator can then remove users from the "Columns full" policy and assign other column-level access control permissions with new policies.

Principles for Configuring Column-level Permissions

When creating a column-level access control policy, administrators need to consider the following:

  • What is the desired goal? Is this policy's main objective to allow or to prevent access to column data?
  • What is the policy default accessibility? Does it make more sense to start with no access (None) or view access (View) for all tags?
  • To which columns does the policy provide or prevent access?

For example, if the desired goal is to block access to columns with specific tags, it’s recommended to do the following:

  1. Start by updating the default accessibility to View.
  2. Reset the accessibility for all tags to View by selecting Reset all tags to default.
    All accessibility settings for existing policy tags are set to View. This setting implies that the user assigned to this policy has viewing access to all columns, including tagged columns.

With the previous configuration, the administrator can then set specific tags with accessibility to None.

Review Common Scenarios of Configuring Column-level Permissions before creating your first column-level permissions policy.

Create a Policy-based Permission

1. Open TD Console.
2. Navigate to Control Panel > Policies.
3. Select Actions > Create Policy.
4. Enter a descriptive name for your policy and optionally include a description.
5. Select Save.
6. Select Permissions and scroll to the bottom of the panel.
7. Select the pencil icon to add column-level access control permissions.
8. Complete the permissions as described in the following table.

When you are completing forms, if you see a question mark next to a parameter, don't forget to select it to get more information.

Parameter                     Description

Policy default accessibility
  • None (default): The user cannot see the column or query it.
  • View: The user can see the column.
  • Masked: The user can see the column with hashed values and can query it.

Tag                           The tag name.

Accessibility Type            The accessibility permission (None, View, or Masked) for each column tag.

New column accessibility      When you add a new column to the policy, the column inherits the policy default accessibility.

9. Select Save.

Apply Users to Policy

1. Select the APPLIED TO tab.
2. Select the pencil icon to add users to the policy.
3. Use the left and right toggle keys to add users to, or remove users from, the policy.
4. Select Save.

Common Scenarios of Configuring Column-level Permissions

There are three common scenarios of how a TD administrator might want to configure the column-level access control in a policy:

  1. No access to columns tagged with specific tags. For example, no access to columns tagged with PII and to columns tagged with Sensitive.
  2. Access only to columns tagged with specific tags. For example, access only to columns tagged with Finance.
  3. No access combined with access only. For example, View access to columns tagged with Finance, Masked access to columns tagged with Sensitive, and no access to columns tagged with PII.

Scenario A - No Access to Columns with Specific Tags

In the following example, we'll start with a Policy default accessibility of None, change the default to View, and then set a specific tag to None so that its columns cannot be accessed.

1. Open TD Console.
2. Navigate to Control Panel > Policies.
3. Select a policy.
4. Select Permissions.
5. Scroll to the bottom of the Permissions panel and select the pencil icon in COLUMN LEVEL ACCESS CONTROL.
6. Select the Policy default accessibility and change it from None to View.
7. Select Reset All Tags To Default to set the accessibility of all tags to be the same as the default accessibility. All of the tags now display View.
8. Update the accessibility type of the PII tag from View to None.
9. Select Save.

Scenario B - Access to Specific Tagged Columns

In the following example, we'll start with a Policy default accessibility of None and then set a specific tag to View so that its columns can be accessed.

1. Open TD Console.
2. Navigate to Control Panel > Policies.
3. Select a policy.
4. Select Permissions.
5. Scroll to the bottom of the Permissions panel and select the pencil icon in COLUMN LEVEL ACCESS CONTROL.
6. Keep the Policy default accessibility of None.
7. Change the accessibility type of the Finance tag from None to View.
8. Select Save.

Scenario C - Access and Restricted Access to Specific Tagged Columns

In the following example, we'll start with a Policy default accessibility of None and then set specific tags to View and Masked to grant access.

1. Open TD Console.
2. Navigate to Control Panel > Policies.
3. Select a policy.
4. Select Permissions.
5. Scroll to the bottom of the Permissions panel and select the pencil icon in COLUMN LEVEL ACCESS CONTROL.
6. Keep the Policy default accessibility of None.
7. Keep the PII tag as is because, by default, it is None.
8. Change the accessibility type of the Finance tag from None to View.
9. Change the accessibility type of the Security tag from None to Masked.
10. Select Save.

Additive Model and Accessibility Permissions

If you assign a user to multiple policies, that user’s accessibility permissions are the sum of their policy assignments. Consider the following example:

  • Policy A grants permissions with the Finance tag's accessibility of View.
  • Policy B grants permissions with the Finance tag's accessibility of None.

The sum of View (Policy A) and None (Policy B) for the Finance tag is View. When two different accessibility permissions are configured for the same tag in different policies, the most permissive permission is the accessibility permission granted to the user. The following list shows all possible combinations and the resulting accessibility permission:

  • None + Masked = Masked

  • View + Masked = View

  • None + View = View
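
The following is an added example, not part of the Treasure Data documentation or product, that models the rules above in Python: a column inherits its tag's accessibility, untagged and new columns inherit the policy default, and across a user's policies the most permissive level wins. It encodes the "Columns full" policy and Scenarios A, B and C as constructed data; the fallback for a tag a policy does not list, the result for a user with no policy, and the one-tag-per-column schema are assumptions made here, not statements from the page.

```python
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Dict, List, Optional


class Access(IntEnum):
    # Ordered least to most permissive; the additive model takes the maximum.
    NONE = 0    # column hidden and not queryable
    MASKED = 1  # column visible and queryable, values hashed
    VIEW = 2    # column visible in the clear


@dataclass
class Policy:
    name: str
    default: Access = Access.NONE                      # "Policy default accessibility"
    tags: Dict[str, Access] = field(default_factory=dict)

    def column_access(self, tag: Optional[str]) -> Access:
        # Untagged or new columns inherit the policy default; a tagged column
        # inherits its tag's accessibility. Assumption: a tag this policy does
        # not list also falls back to the default.
        if tag is None:
            return self.default
        return self.tags.get(tag, self.default)


def effective_access(policies: List[Policy], tag: Optional[str]) -> Access:
    # Additive model: across every policy assigned to the user, the most
    # permissive accessibility wins. Assumption: no policy at all means NONE.
    if not policies:
        return Access.NONE
    return max(p.column_access(tag) for p in policies)


def resolve_table(policies: List[Policy], columns: Dict[str, Optional[str]]) -> Dict[str, Access]:
    # Map each column (name -> its tag, or None if untagged) to the user's access.
    return {col: effective_access(policies, tag) for col, tag in columns.items()}


# Policies from the page, constructed here as data
COLUMNS_FULL = Policy("Columns full", default=Access.VIEW)
SCENARIO_A = Policy("Block PII", default=Access.VIEW, tags={"PII": Access.NONE})
SCENARIO_B = Policy("Finance only", default=Access.NONE, tags={"Finance": Access.VIEW})
SCENARIO_C = Policy("Mixed", default=Access.NONE,
                    tags={"PII": Access.NONE, "Finance": Access.VIEW, "Security": Access.MASKED})

# Constructed sample schema: column name -> tag (None = untagged)
SAMPLE_TABLE = {"email": "PII", "revenue": "Finance", "ip_hash": "Security", "created_at": None}

if __name__ == "__main__":
    for pol in (SCENARIO_A, SCENARIO_B, SCENARIO_C):
        print(pol.name, {c: a.name for c, a in resolve_table([pol], SAMPLE_TABLE).items()})
    # A user left in "Columns full" keeps full access no matter what Scenario A restricts.
    print("A + Columns full", {c: a.name for c, a in resolve_table([SCENARIO_A, COLUMNS_FULL], SAMPLE_TABLE).items()})
```

The last line illustrates why the page tells administrators to remove users from "Columns full" before relying on a restrictive policy: under the additive model a View default in any remaining policy overrides None or Masked elsewhere.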

Verify a User's Accessibility Permissions

1. Open TD Console.
2. Navigate to Control Panel > Users.
3. Select a user.
4. Select Policies.