
Tag Based Access Control Using the REST API

Using the Permission Policy API, you can create column-level access control using specific policy tags to restrict or permit the accessibility of a column in a Treasure Data database.

When you create policy-based column-level access control permissions, you define access control for specific tags and then assign the policy to specific users. The policy-based Column-level Access Control feature must be enabled to create these permissions.

Setting Policy Default Accessibility

In the TD Console UI, a user can define three types of column accessibility with tags: None, View, and Masked. You can achieve similar results using the REST API.

Setting policy default accessibility to None

As in the UI, you can effectively set the policy default accessibility to None using the REST API by sending an empty tag list: {"tags":[]}. In the following example, no tags are set for policy 420836, resulting in no accessibility.

curl -s -H "Content-Type: application/json" \
-d '{"column_permissions":[{"tags":[]}]}' \
-H "Authorization: TD1 ..." \
-X PATCH https://api.treasuredata.com/v3/access_control/policies/420836/column_permissions

Setting policy default accessibility to View

As in the UI, you can set the default accessibility to View. In the following example, all tags for policy 420836 are set to View. To set everything to View, the tag list is left empty and the except statement is set to "except":true, resulting in everything accessible to the user.

curl -s -H "Content-Type: application/json" \
-d '{"column_permissions":[{"tags":[],"except":true}]}' \
-H "Authorization: TD1 ..." \
-X PATCH https://api.treasuredata.com/v3/access_control/policies/420836/column_permissions

As in the UI, you can set View permission on everything except PII tags. Because the policy names only the exception, any new tags will have View accessibility even if they are not mentioned in the policy.

curl -s -H "Content-Type: application/json" \
-d '{"column_permissions":[{"tags":["PII"],"except":true}]}' \
-H "Authorization: TD1 ..." \
-X PATCH https://api.treasuredata.com/v3/access_control/policies/420836/column_permissions

Designate Accessibility Setting for a Tag

You can set the visibility of PII to Masked or View.

Set visibility of PII to Masked

curl -s -H "Content-Type: application/json" \
-d '{"column_permissions":[{"tags":["PII"],"masking":"hash"}]}' \
-H "Authorization: TD1 ..." \
-X PATCH https://api.treasuredata.com/v3/access_control/policies/420836/column_permissions

Set visibility of PII to View

curl -s -H "Content-Type: application/json" \
-d '{"column_permissions":[{"tags":["PII"]}]}' \
-H "Authorization: TD1 ..." \
-X PATCH https://api.treasuredata.com/v3/access_control/policies/420836/column_permissions
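
The following pre-flight check is an added example, not Treasure Data code. It models the five request bodies shown on this page and reports what each one grants to PII and to a tag created later, so an open-by-default policy is visible before the PATCH is sent. Assumptions: NEW_TAG is a constructed tag name, a tag listed under "except":true resolves to None, and when several entries match the most permissive result is reported as the worst case.

```python
import json

RANK = {"None": 0, "Masked": 1, "View": 2}  # least to most permissive

def entry_access(entry, tag):
    """Accessibility that one column_permissions entry gives to `tag`."""
    listed = tag in entry.get("tags", [])
    if entry.get("except", False):
        # "except":true inverts the list: every tag NOT listed gets View.
        # Assumption: a listed tag gets nothing from this entry.
        return "None" if listed else "View"
    if not listed:
        return "None"
    return "Masked" if entry.get("masking") else "View"

def effective_access(payload, tag):
    """Most permissive result for `tag` over all entries (assumed merge rule)."""
    entries = json.loads(payload)["column_permissions"]
    return max((entry_access(e, tag) for e in entries), key=RANK.get, default="None")

def open_by_default(payload):
    """True when tags not named in the policy, including future ones, get View."""
    entries = json.loads(payload)["column_permissions"]
    return any(e.get("except", False) for e in entries)

# Request bodies copied from the curl examples on this page.
PAYLOADS = [
    '{"column_permissions":[{"tags":[]}]}',
    '{"column_permissions":[{"tags":[],"except":true}]}',
    '{"column_permissions":[{"tags":["PII"],"except":true}]}',
    '{"column_permissions":[{"tags":["PII"],"masking":"hash"}]}',
    '{"column_permissions":[{"tags":["PII"]}]}',
]

if __name__ == "__main__":
    for body in PAYLOADS:
        # NEW_TAG is a constructed tag standing in for one added after the policy.
        row = {t: effective_access(body, t) for t in ("PII", "NEW_TAG")}
        flag = "OPEN BY DEFAULT" if open_by_default(body) else "closed by default"
        print(f"{body}\n  -> {row}  [{flag}]")
```

Only the two "except":true bodies are flagged as open by default; the others grant nothing to tags they do not list.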