Understanding Access Control for Column Tags

Review the following matrix to understand what a user can do with column tags based on their database permissions. The examples that follow the matrix illustrate how to read it.

How to Interpret the Tagging Authorization Matrix

Access control for column tagging is determined by a user's database permission. Treasure Data has two types of users: Restricted User and TD Administrator.

If a CDP account has Database Policy-based Permissions (DB PBP) enabled, the authorization matrix is slightly different from that of an account with DB PBP disabled (which uses the legacy database access control).

See About Policy-based Permissions to learn more about DB PBP and the legacy database access control.

Example: The account has DB PBP disabled

If the account has DB PBP disabled, the account is using the legacy database access control model.

Administrator:

  • Only the TD administrator can create or delete tags of the Policy and Resource types.

  • If the Administrator has edit permission on the database, the Administrator can perform the following actions:

    • List all tags that are attached to columns in the database.

    • Attach or detach Resource tags on the columns in the database.

    • Attach or detach Policy tags on the columns in the database.

In the legacy database access control model, the Administrator automatically has edit permission on all databases, so the edit-permission case above always applies.

Restricted User:

  • If the restricted user has edit permission on the database, the restricted user can perform the following actions:

    • List all tags that are attached to columns in the database.

    • Attach or detach Resource tags on the columns in the database.

    • Attach or detach Policy tags on the columns in the database.

  • If the restricted user has only query permission on the database, the restricted user can only list (view) the tags that are attached to columns in the database.

Example: The account has DB PBP enabled

Administrator:

  • Only the TD administrator can create or delete tags of the Policy and Resource types.

  • If the Administrator has edit permission on the database, the Administrator can perform the following actions:

    • List all tags that are attached to columns in the database.

    • Attach or detach Resource tags on the columns in the database.

    • Attach or detach Policy tags on the columns in the database.

  • If the Administrator has only query permission on the database, the Administrator can only list (view) the tags that are attached to columns in the database. Unlike the legacy model, DB PBP does not grant the Administrator edit permission on every database automatically.

Restricted User:

  • If the restricted user has edit permission on the database, the restricted user can perform the following actions:

    • List all tags that are attached to columns in the database.

    • Attach or detach Resource tags on the columns in the database.

    The restricted user cannot attach or detach Policy tags, even with edit permission on the database, because attaching or detaching a Policy tag changes the access control enforced by a tag-based policy. Under DB PBP, only the TD administrator has permission to configure database access control.

  • If the restricted user has only query permission on the database, the restricted user can only list (view) the tags that are attached to columns in the database.
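The two examples above differ in only a few cells of the matrix, which is easy to miss when reading them as prose. The following is an added illustration, not Treasure Data code, that encodes the documented rules as a deny-by-default decision function and then diffs the legacy and DB PBP matrices so the cells that change are listed explicitly. All class, function and enum names are hypothetical, and the model covers only the two database permissions the page names (query and edit).

```python
"""Decision function for the column-tag authorization matrix described on this page.

Added illustration of the documented rules; not Treasure Data's own code.
Names (Role, DbPermission, Action, is_allowed, ...) are hypothetical.
"""
from enum import Enum


class Role(Enum):
    ADMIN = "administrator"
    RESTRICTED = "restricted_user"


class DbPermission(Enum):
    QUERY = "query"
    EDIT = "edit"


class Action(Enum):
    LIST_TAGS = "list_tags"
    ATTACH_DETACH_RESOURCE_TAG = "attach_detach_resource_tag"
    ATTACH_DETACH_POLICY_TAG = "attach_detach_policy_tag"
    CREATE_DELETE_TAG_TYPE = "create_delete_tag_type"


def effective_db_permission(role, perm, pbp_enabled):
    """Legacy model: the Administrator implicitly has edit on every database.

    Under DB PBP the Administrator only has whatever permission was granted.
    """
    if role is Role.ADMIN and not pbp_enabled:
        return DbPermission.EDIT
    return perm


def is_allowed(role, perm, pbp_enabled, action):
    """Return True only if the page's rules grant this action; deny otherwise."""
    # Creating or deleting tag types is reserved to the TD administrator in both models.
    if action is Action.CREATE_DELETE_TAG_TYPE:
        return role is Role.ADMIN

    eff = effective_db_permission(role, perm, pbp_enabled)

    # Listing tags only needs query permission (edit implies query here).
    if action is Action.LIST_TAGS:
        return eff in (DbPermission.QUERY, DbPermission.EDIT)

    # Everything below attaches or detaches tags and requires edit.
    if eff is not DbPermission.EDIT:
        return False

    if action is Action.ATTACH_DETACH_POLICY_TAG:
        # Policy tags drive tag-based access control. Under DB PBP only the
        # Administrator may change them; the legacy model lets any editor do so.
        return role is Role.ADMIN or not pbp_enabled

    if action is Action.ATTACH_DETACH_RESOURCE_TAG:
        return True

    return False  # unknown action: deny by default


def authorization_matrix(pbp_enabled):
    """Enumerate every (role, permission, action) cell with its decision."""
    rows = []
    for role in Role:
        for perm in DbPermission:
            for action in Action:
                rows.append((role.value, perm.value, action.value,
                             is_allowed(role, perm, pbp_enabled, action)))
    return rows


def pbp_differences():
    """Cells whose decision changes when DB PBP is switched on."""
    legacy = {row[:3]: row[3] for row in authorization_matrix(False)}
    pbp = {row[:3]: row[3] for row in authorization_matrix(True)}
    return sorted(cell for cell in legacy if legacy[cell] != pbp[cell])


if __name__ == "__main__":
    for cell in pbp_differences():
        print("changes under DB PBP:", cell)
```

Running the script lists the three cells that change: with DB PBP enabled, an Administrator holding only query permission loses the ability to attach or detach Resource and Policy tags (because the implicit edit grant of the legacy model is gone), and a restricted user with edit permission loses the ability to attach or detach Policy tags. Everything else, including tag listing and tag-type creation, is identical in both models.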