# Policy Based Column Level Access Control Permissions

When you create policy-based column-level access control permissions, you define access control for specific columns and then assign the policy to specific users. The policy-based Column-level Access Control feature must be enabled to create these permissions.

Understanding Tag-based Permission for Columns

* Before configuring the policy, it's important to understand the different types of column accessibility and their definitions. There are three types of column accessibilities a user can define with tags:
  * **None** - The user cannot see the column nor query the column
  * **View** - The user can see the column
  * **Masked** - The user sees the column with hashed values, and they can query it
  * Accessibility is assigned to a tag in the policy. This means that all columns that are annotated with the tag inherit the accessibility assigned to the tag. For example, if the *PII* tag is assigned with accessibility **None,** all columns tagged with the *PII* tag will have "None" as the accessibility for the user who is assigned with the policy.
  * A policy always has the initial setting of “None” for the default column accessibility. A user can change the default accessibility to View. Default accessibility setting determines the accessibility of:
    * The initial state of all columns
    * New columns & untagged columns
  * Default policy tags such as Email (Raw) can't be deleted or edited by design


This topic includes:

* [Enabling Policy-based Column-level Access Control](#enabling-policy-based-column-level-access-control)
* [Principles for Configuring Column-level Permissions](#principles-for-configuring-column-level-permissions)
* [Create a Policy-based Permission](#create-a-policy-based-permission)
* [Apply Users to Policy](#apply-users-to-policy)
* [How a Policy affects the data](#how-a-policy-affects-the-data)
* [Common Scenarios of Configuring Column-level Permissions](#common-scenarios-of-configuring-column-level-permissions)


# Enabling Policy-based Column-level Access Control

You must have the policy-based Column-level Access Control feature. Contact your Customer Success representative about enabling this feature. After enabling the feature, Treasure Data automatically creates a new permissions policy "`Columns full"` and applies it to all existing users. This ensures that all existing users have access to all columns as in the initial state. The administrator can then remove users from the "Columns full" policy and assign other column-level access control permissions with new policies.

# Principles for Configuring Column-level Permissions

When creating a column-level access control policy, the administrators need to think about the following:

* What is the desired goal? Is this policy's main objective to allow or prevent access to column data?
* What is the policy default accessibility? Does it make more sense to start with no access (None) or view access (View) for all tags?
* Which columns does the policy provide or prevent access?


For example, if the desired goal is to block access to columns with specific tags, it’s recommended to do the following:

1. Start by updating the default accessibility to **View.**
2. Reset the accessibility for all tags to **View** by selecting **Reset all tags to default**.
All accessibility settings for existing policy tags are set to **View.** This setting implies that the user assigned to this policy has viewing access to all columns, including those tagged columns.


With the previous configuration, the administrator can then set specific tags with accessibility to **None.**

Review [Common Scenarios of Configuring Column-level Permissions](#common-scenarios-of-configuring-column-level-permissions) before creating your first column-level permissions policy.

# Create a Policy-based Permission

1. Open TD Console.
2. Navigate to **Control Panel** > **Policies**.
3. Select **Add Policy**.
4. Enter a descriptive name for your policy and optionally include a description.
![](/assets/image2023-9-19_3-25-55.565e289be19c53966e42280a474000ec8bb55725e5d954609f9f5b61f7e82213.f0cddcd7.png)
5. Select **Add Policy**.
6. Select **Permissions** and scroll to the bottom of the panel.
7. Select the pencil icon to add column-level access control permissions.


##### ![](/assets/image2023-9-19_3-27-49.f99d59733d02602ac4c5c8f682269f9e6f795ab19288befa630e9e5fc32aa451.f0cddcd7.png)

1. Complete the permissions as described in the following table.


When you are completing forms, if you see a question mark next to a parameter, don't forget to select it to get more information.

| Parameter | Description |
|  --- | --- |
| Policy default accessibility | **None** (default): The user cannot see the column or query it.**View** : The user can see the column.**Masked** : The user can see the column with hashed values and can query it. |
| Tag | The tag name. |
| Accessibility Type | Accessibility permission of none, view or masked per column tag. |
| New column accessibility | When you add a new column to the policy, the column inherits the policy default accessibility. |


1. Select **Save**.


# Apply Users to Policy

1. Select **APPLIED TO** tab.
2. Select **Apply policy** to add users to the policy.


##### ![](/assets/image2023-9-19_3-31-54.e50aaab4c78a4b20fb33e1fdb8d3b86c5948614bd92e54d19f73ce3e31293de6.f0cddcd7.png)

1. Use the left and right toggle keys to add and remove users to the policy.
2. Select **Save**.


# How a Policy affects the data

Once a policy is set, data is displayed in a different way depending on its settings.

### Table Preview

An overview of the data can be seen on the table page and in the table preview of the query editor. If a policy is set, each setting behaves as follows, depending on the user's permissions.

| Policy | Data Type | Result |
|  --- | --- | --- |
| None | All | Blank |
| View | All | Raw Data is shown |
| Masked | String | Hashed Data is shown |
| Others | Null |  |


Table preview is a mechanism that uses the cache at the time of data ingestion, so the data type depends on the type at the time of import, not on the table definition. For example, if you imported `1` as string, Table Preview shows the hashed value. After you change the data type of col1 to numeric data type, the query result will be null but Table Preview might show hashed data.

### Query Result

When querying a table, the behaviour is as follows, depending on the respective permissions.

| Policy | Data Type | Result |
|  --- | --- | --- |
| None | All | The query fails as bellow`Access Denied: Cannot select from columns [column_name] in table or view table_name` |
| View | All | The query returns the data |
| Masked | String | The query gets the hashed data |
| Numerical | The query gets null |  |


# Common Scenarios of Configuring Column-level Permissions

There are three common scenarios of how a TD administrator might want to configure the column-level access control in a policy:

1. **No Access** to columns tagged with specific tags. For example, No Access to columns tagged with *PII* and columns tagged with *Sensitive.*
2. **Only Allow Access** to columns tagged with specific tags. For example, only allow access to columns tagged with *Finance*.
3. **No Access and Only Allow Access.** For example, allow access to columns tagged with *Finance* , masked columns tagged with *Sensitive* , No Access to columns tagged with *PII.*


### Scenario A - No Access to Columns with Specific Tags

In the following example, we'll start with a Policy default accessibility of **None** , change the default to **View** , and change a specific column to **None** for no access.

1. Open TD Console.
2. Navigate to **Control Panel** > **Policies**.
3. a policy.
4. Select **Permissions**.
5. Scroll to the bottom of the Permissions panel and select the pencil icon in **COLUMN LEVEL ACCESS CONTROL**.
6. Select the policy default visibility and change it from **None** to **View**.
![](/assets/image2023-9-22_13-28-31.766300974109a82b3fd65473fc0982d86cf9b3a97e8e9867f0e6adbb29ae42f3.f0cddcd7.png)
7. Select**Reset All Tags To Default** to set all tags accessibility to be the same as the default accessibility. All of the tags now display **View**.
![](/assets/image2023-9-19_3-36-7.0656c675bc8df3f31ba7e8f2dcee7d5dd7ca8192c071119047329f40e4537de4.f0cddcd7.png)
8. Update the accessibility type of the Home Address tag from**View** to **None**.
![](/assets/image2023-9-22_13-29-11.a2a3fcb4b68631053a0d67594349fa18b1d45f8c28512c62790bb0cead8d3ab5.f0cddcd7.png)
9. Select**Save.**


### Scenario B - Access to Specific Tagged Columns

In the following example, we'll start with a Policy default accessibility of **None** and then change a specific column to **View** for access.

1. Open TD Console.
2. Navigate to Control Panel > Policies.
3. Select a policy.
4. Select Permissions.
5. Scroll to the bottom of the Permissions panel and select the pencil icon in COLUMN LEVEL ACCESS CONTROL.
6. Keep the Policy default accessibility of None.


##### ![](/assets/image2023-9-22_13-30-28.c968ea5bcd7d40b812840196d88d12a6c5cb030273036b28cdb5497f2ff7bc19.f0cddcd7.png)

1. Change the accessibility type of the Finance tag from None to View.


##### ![](/assets/image2023-9-22_13-31-55.a98a0c1b9db1e29d449a9b8d5b0893cffd0ce4653c06663752e92d2462c0b96c.f0cddcd7.png)

1. Select Save.


### Scenario C - Access and Restricted Access to Specific Tagged Columns

In the following example, we'll start with a Policy default accessibility of **None** and then change specific columns to **View** and **Masked** for access.

1. Open TD Console.
2. Navigate to Control Panel > Policies.
3. Select a policy.
4. Select Permissions.
5. Scroll to the bottom of the Permissions panel and select the pencil icon in COLUMN LEVEL ACCESS CONTROL.
6. Keep the Policy default accessibility of None.
7. Keep the PII tag as is because, by default, it is None.
8. Change the accessibility type of the Finance tag from None to View.
9. Change the accessibility type of the Security tag from None to Masked.
![](/assets/image2023-9-22_13-51-31.071738cfe466738f2081dc736a6fadda239a439ab41b0f7503093027d9ba66d0.f0cddcd7.png)
10. Select Save.


## Additive Model and Accessibility Permissions

If you assign a user to multiple policies, that user’s accessibility permissions are the sum of their policy assignments. Consider the following example:

* Policy A grants permissions with the Finance tag's accessibility of **View**.
* Policy B grants permissions with the Finance tag's accessibility of **None**.


The sum of the permission *Finance* tag’s accessibility = **View and None** is *Finance* tag = **View.** When two different accessibility permissions are configured for the same tags in different policies, the most permissive permission will be the accessibility permission granted to the user. The following information lists all possible combinations and their accessibility permission for each use case:

* None + Masked = **Masked**
* View + Masked = **View**
* None + View = **View**


## Verify a User's Accessibility Permissions

1. Open TD Console.
2. Navigate to **Control Panel** > **Users**.
3. Select a user.
4. Select **Policies**.