# Understanding Access Control for Column Tags

Review the following matrix to understand what a user can do based on the database policy-based permissions. Following the matrix are some examples to further help your understanding.

[Figure: tagging authorization matrix showing permissions for different user types]

## How to Interpret the Tagging Authorization Matrix

The access control of data tagging is based on a user's database permission. There are two types of users in Treasure Data: Restricted User and TD Administrator.

If a CDP account has Database Policy-based Permissions (DB PBP) enabled, its authorization matrix differs slightly from that of an account with DB PBP disabled (which uses the legacy database access control).

See [About Policy-based Permissions](/products/control-panel/security/policies/about-policy-based-permissions) to learn more about DB PBP and the legacy database access control.

### Example: The account has DB PBP disabled

If the account has DB PBP disabled, it uses the legacy database access control model.

#### Administrator:

* Only the TD administrator can **create or delete** Policy/Resource types of tags.
* If the Administrator has **edit permission** of the database, the Administrator can perform the following actions:
  * List all tags that are attached to columns in the database.
  * Attach or detach Resource tags to the columns in the database.
  * Attach or detach Policy tags to the columns in the database.


In the legacy database access control model, the administrator automatically has edit permission for all databases.

#### Restricted User:

* If the restricted user has **edit permission** of the database, the restricted user can perform the following actions:
  * List all tags that are attached to columns in the database.
  * Attach or detach Resource tags to the columns in the database.
  * Attach or detach Policy tags to the columns in the database.
* If the restricted user has only **query permission** of the database, the restricted user can only list (view) all tags that are attached to columns in the database.


### Example: The account has DB PBP enabled

#### Administrator:

* Only the TD administrator can **create or delete** Policy/Resource types of tags.
* If the Administrator has **edit permission** of the database, the Administrator can perform the following actions:
  * List all tags that are attached to columns in the database.
  * Attach or detach Resource tags to the columns in the database.
  * Attach or detach Policy tags to the columns in the database.
* If the Administrator has only **query permission** of the database, the administrator can only list (view) all tags that are attached to columns in the database.


#### Restricted User:

* If the restricted user has **edit permission** of the database, the restricted user can perform the following actions:
  * List all tags that are attached to columns in the database.
  * Attach or detach Resource tags to the columns in the database.


Even with edit permission of the database, the restricted user cannot attach or detach Policy tags, because attaching or detaching Policy tags affects the access control set up by a tag-based policy. In DB PBP, only the TD administrator has permission to configure database access control.

* If the restricted user has only **query permission** of the database, the restricted user can only list (view) all tags that are attached to columns in the database.
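
The rules from both examples above, written as an added Python sketch that reports which tagging actions each user loses when DB PBP is enabled. This is not Treasure Data code or its API: the `Grant` type, the action names and the sample users are hypothetical. It assumes that creating or deleting tags does not depend on database permission and that a user with no database permission gets no column-tag actions, neither of which the page states.

```python
from dataclasses import dataclass
from typing import Optional

# Action names are illustrative labels for the operations the page lists.
LIST = "list_tags"
RESOURCE = "attach_detach_resource_tag"
POLICY = "attach_detach_policy_tag"
MANAGE = "create_delete_tag"

@dataclass(frozen=True)
class Grant:
    user: str
    is_admin: bool                 # TD Administrator vs. Restricted User
    db_permission: Optional[str]   # "edit", "query" or None for one database

def allowed_actions(grant: Grant, pbp_enabled: bool) -> set:
    actions = {MANAGE} if grant.is_admin else set()
    perm = grant.db_permission
    if grant.is_admin and not pbp_enabled:
        perm = "edit"  # legacy model: administrators have edit on every database
    if perm in ("edit", "query"):
        actions.add(LIST)
    if perm == "edit":
        actions.add(RESOURCE)
        # Policy tags drive tag-based policies; under DB PBP only admins may move them.
        if grant.is_admin or not pbp_enabled:
            actions.add(POLICY)
    return actions  # assumption: no database permission means no column-tag actions

def lost_when_pbp_enabled(grants):
    """Map each user to the actions they hold under legacy but not under DB PBP."""
    report = {}
    for g in grants:
        lost = allowed_actions(g, False) - allowed_actions(g, True)
        if lost:
            report[g.user] = sorted(lost)
    return report

# Constructed sample grants for a single database.
SAMPLE = [
    Grant("alice", is_admin=True, db_permission="query"),
    Grant("bob", is_admin=False, db_permission="edit"),
    Grant("carol", is_admin=False, db_permission="query"),
]

if __name__ == "__main__":
    for user, lost in lost_when_pbp_enabled(SAMPLE).items():
        print(user, "loses", lost)
```

An administrator holding only query permission appears in the report because the automatic edit permission of the legacy model no longer applies under DB PBP.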