When you create policy-based column-level access control permissions, you define access control for specific columns and then assign the policy to specific users. The policy-based Column-level Access Control feature must be enabled to create these permissions.
Understanding Tag-based Permission for Columns
- Before configuring the policy, it's important to understand the different types of column accessibility and their definitions. There are three types of column accessibility a user can define with tags:
  - None - The user can neither see nor query the column
  - View - The user can see the column
  - Masked - The user sees the column with hashed values, and they can query it
- Accessibility is assigned to a tag in the policy. This means that all columns that are annotated with the tag inherit the accessibility assigned to the tag. For example, if the PII tag is assigned the accessibility None, all columns tagged with the PII tag will have "None" as the accessibility for any user who is assigned the policy.
- A policy always has the initial setting of "None" for the default column accessibility. A user can change the default accessibility to View. The default accessibility setting determines the accessibility of:
  - The initial state of all columns
  - New columns & untagged columns
- Default policy tags such as Email (Raw) can't be deleted or edited by design
This topic includes:
- Enabling Policy-based Column-level Access Control
- Principles for Configuring Column-level Permissions
- Create a Policy-based Permission
- Apply Users to Policy
- How a Policy affects the data
- Common Scenarios of Configuring Column-level Permissions
You must have the policy-based Column-level Access Control feature. Contact your Customer Success representative about enabling this feature. After enabling the feature, Treasure Data automatically creates a new permissions policy "Columns full" and applies it to all existing users. This ensures that all existing users have access to all columns as in the initial state. The administrator can then remove users from the "Columns full" policy and assign other column-level access control permissions with new policies.
When creating a column-level access control policy, the administrators need to think about the following:
- What is the desired goal? Is this policy's main objective to allow or prevent access to column data?
- What is the policy default accessibility? Does it make more sense to start with no access (None) or view access (View) for all tags?
- Which columns does the policy provide or prevent access to?
For example, if the desired goal is to block access to columns with specific tags, it’s recommended to do the following:
- Start by updating the default accessibility to View.
- Reset the accessibility for all tags to View by selecting Reset all tags to default.
All accessibility settings for existing policy tags are set to View. This setting means that the user assigned to this policy has viewing access to all columns, including tagged columns.
With the previous configuration, the administrator can then set specific tags with accessibility to None.
Review Common Scenarios of Configuring Column-level Permissions before creating your first column-level permissions policy.
- Open TD Console.
- Navigate to Control Panel > Policies.
- Select Add Policy.
- Enter a descriptive name for your policy and optionally include a description.
- Select Add Policy.
- Select Permissions and scroll to the bottom of the panel.
- Select the pencil icon to add column-level access control permissions.
- Complete the permissions as described in the following table.
When you are completing forms, if you see a question mark next to a parameter, don't forget to select it to get more information.
| Parameter | Description |
|---|---|
| Policy default accessibility | None (default): The user cannot see the column or query it. View: The user can see the column. Masked: The user can see the column with hashed values and can query it. |
| Tag | The tag name. |
| Accessibility Type | Accessibility permission of none, view or masked per column tag. |
| New column accessibility | When you add a new column to the policy, the column inherits the policy default accessibility. |
- Select Save.
- Select the APPLIED TO tab.
- Select Apply policy to add users to the policy.
- Use the left and right toggle keys to add users to or remove users from the policy.
- Select Save.
Once a policy is set, data is displayed in a different way depending on its settings.
An overview of the data can be seen on the table page and in the table preview of the query editor. If a policy is set, each setting behaves as follows, depending on the user's permissions.
| Policy | Data Type | Result |
|---|---|---|
| None | All | Blank |
| View | All | Raw Data is shown |
| Masked | String | Hashed Data is shown |
| Masked | Others | Null |
Table preview is a mechanism that uses the cache at the time of data ingestion, so the data type depends on the type at the time of import, not on the table definition. For example, if you imported 1 as string, Table Preview shows the hashed value. After you change the data type of col1 to numeric data type, the query result will be null but Table Preview might show hashed data.
When querying a table, the behaviour is as follows, depending on the respective permissions.
| Policy | Data Type | Result |
|---|---|---|
| None | All | The query fails with the following error: Access Denied: Cannot select from columns [column_name] in table or view table_name |
| View | All | The query returns the data |
| Masked | String | The query gets the hashed data |
| Masked | Numerical | The query gets null |
There are three common scenarios of how a TD administrator might want to configure the column-level access control in a policy:
- No Access to columns tagged with specific tags. For example, No Access to columns tagged with PII and columns tagged with Sensitive.
- Only Allow Access to columns tagged with specific tags. For example, only allow access to columns tagged with Finance.
- No Access and Only Allow Access. For example, allow access to columns tagged with Finance, mask columns tagged with Sensitive, and give No Access to columns tagged with PII.
In the following example, we'll start with a Policy default accessibility of None, change the default to View, and change a specific column to None for no access.
- Open TD Console.
- Navigate to Control Panel > Policies.
- Select a policy.
- Select Permissions.
- Scroll to the bottom of the Permissions panel and select the pencil icon in COLUMN LEVEL ACCESS CONTROL.
- Select the policy default visibility and change it from None to View.
- Select Reset All Tags To Default to set the accessibility of all tags to the default accessibility. All of the tags now display View.
- Update the accessibility type of the Home Address tag from View to None.
- Select Save.
In the following example, we'll start with a Policy default accessibility of None and then change a specific column to View for access.
- Open TD Console.
- Navigate to Control Panel > Policies.
- Select a policy.
- Select Permissions.
- Scroll to the bottom of the Permissions panel and select the pencil icon in COLUMN LEVEL ACCESS CONTROL.
- Keep the Policy default accessibility of None.
- Change the accessibility type of the Finance tag from None to View.
- Select Save.
In the following example, we'll start with a Policy default accessibility of None and then change specific columns to View and Masked for access.
- Open TD Console.
- Navigate to Control Panel > Policies.
- Select a policy.
- Select Permissions.
- Scroll to the bottom of the Permissions panel and select the pencil icon in COLUMN LEVEL ACCESS CONTROL.
- Keep the Policy default accessibility of None.
- Keep the PII tag as is because, by default, it is None.
- Change the accessibility type of the Finance tag from None to View.
- Change the accessibility type of the Security tag from None to Masked.
- Select Save.
If you assign a user to multiple policies, that user’s accessibility permissions are the sum of their policy assignments. Consider the following example:
- Policy A grants permissions with the Finance tag's accessibility of View.
- Policy B grants permissions with the Finance tag's accessibility of None.
The sum of the Finance tag's accessibility permissions View and None is View. When two different accessibility permissions are configured for the same tag in different policies, the most permissive permission is the one granted to the user. The following list shows all possible combinations and the resulting accessibility permission:
- None + Masked = Masked
- View + Masked = View
- None + View = View
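
The following Python sketch is an added example, not Treasure Data's code. It models the most-permissive combination rule above together with the query-result table, so an administrator can check what a user assigned to several policies actually gets and which restrictive policies are defeated. The policy names, the schema, the contents of "Columns full", and the treatment of unedited tags as None are assumptions.

```python
from dataclasses import dataclass, field

# Least to most permissive, matching the combination rules listed above.
RANK = {"None": 0, "Masked": 1, "View": 2}

@dataclass
class Policy:
    name: str
    default: str = "None"                      # untagged and new columns
    tags: dict = field(default_factory=dict)   # tag name -> accessibility

    def accessibility(self, tag):
        if tag is None:
            return self.default
        # Assumption: a tag never edited in this policy is still "None".
        return self.tags.get(tag, "None")

def effective(policies, tag):
    """Most permissive accessibility the user gets for a tag (None = untagged)."""
    return max((p.accessibility(tag) for p in policies), key=RANK.get)

def query_result(policies, tag, data_type):
    """Outcome of selecting the column, per the query table above."""
    acc = effective(policies, tag)
    if acc == "None":
        return "access denied"
    if acc == "View":
        return "raw"
    return "hashed" if data_type == "string" else "null"

def overridden(policies, tag):
    """Policies whose stricter setting for this tag is defeated by another policy."""
    acc = effective(policies, tag)
    return [p.name for p in policies if RANK[p.accessibility(tag)] < RANK[acc]]

# Constructed sample policies and schema (hypothetical names).
block_pii = Policy("block-pii", default="View",
                   tags={"PII": "None", "Finance": "View", "Sensitive": "Masked"})
finance_only = Policy("finance-only", tags={"Finance": "View"})
# Assumption: "Columns full" modelled as View for the default and every tag.
columns_full = Policy("Columns full", default="View",
                      tags={"PII": "View", "Finance": "View", "Sensitive": "View"})

SCHEMA = {"email": ("PII", "string"), "salary": ("Finance", "long"),
          "phone": ("Sensitive", "string"), "risk_score": ("Sensitive", "long"),
          "created_at": (None, "long")}

def report(policies):
    """Map each column in SCHEMA to the query outcome for this set of policies."""
    return {col: query_result(policies, tag, typ) for col, (tag, typ) in SCHEMA.items()}
```

A non-empty result from `overridden` for a user who is still assigned to "Columns full" shows that the restrictive policy has no effect until the user is removed from the broader one.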
- Open TD Console.
- Navigate to Control Panel > Users.
- Select a user.
- Select Policies.



