Data Access Management
Data Access Management controls which users, roles, and service accounts can access which data resources — at the table level and at the column level. Policies are enforced at query time across all data tools on the platform.
There are two entry points to manage access:
- Admin → Data Access Management — manage access for any principal across all resources
- Catalog → Table detail view — manage table-level access directly from a specific table
Services Behind This Feature
| Service | Role |
|---|---|
| BFF API | Proxies all policy management requests from the Cogrion UI to Ranger. |
| Ranger | The policy engine. Stores and evaluates fine-grained access control policies at query time. |
| Trino | Enforces Ranger policies when a query executes. |
| Datahub | Source of column-level tag metadata, populated by the metadata ingestion job. |
| Keycloak | Source of truth for user, role, and service account identity. |
Policy Types
Table Access
Table access policies control which principals can access specific resources. A resource is a combination of catalog, schema, and table — wildcards (*) are supported at each level. A wildcard at every level matches every table on the platform, so a grant of that shape is effectively platform-wide and should be reviewed as such.
| Privilege | What it allows |
|---|---|
| Viewer | Read-only SELECT access |
| Editor | Read and write access |
| Maintainer | Full access including schema operations |
Grant and revoke operations go through the BFF to Ranger. Changes take effect immediately for new queries.
Column Restriction
Column restriction policies control whether a principal can see columns carrying a specific tag. The effect is either Restrict (deny access to tagged columns) or Allow (explicitly permit access — useful for overriding a broader restriction).
Policies are tag-based, not column-name-based. A single policy covers all columns across all tables and schemas that share the same tag. Coverage therefore depends on tagging: a sensitive column that the ingestion job has not tagged is not covered by any restriction policy.
How Tags Get into Ranger
- A metadata ingestion job (a platform stack component) runs against the data sources and assigns Datahub tags to columns based on data classification rules (e.g. PII, CONFIDENTIAL).
- The tags are synced from Datahub into Ranger's own tag store.
- When an admin opens the column restriction form, the BFF queries Ranger's tag store to return the available tags for selection.
- At query time, Ranger evaluates the tag-based restriction policy against the columns in the query and restricts or permits access accordingly.
Data Masking
Data masking policies apply a transformation to column values at query time for a specific principal. Like column restriction, masking policies are tag-based — the policy targets a Datahub tag, not a specific column name.
| Effect | What it does |
|---|---|
| Mask | Apply a masking function to all columns carrying the tag (e.g. hash, nullify, partial mask) |
| Unmask | Explicitly show unmasked values for the principal, overriding a broader mask policy |
When granting a mask policy, the admin selects a mask kind — the specific transformation to apply. Available mask kinds are fetched from Ranger at grant time.
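The three policy types above compose at evaluation time: table access decides whether the principal may touch the table at all, then each referenced column is checked against tag-based restriction (Allow overriding Restrict) and tag-based masking (Unmask overriding Mask). The following is an added example, not the platform's code and not Ranger's engine: a small Python model of exactly those semantics, written to make the precedence rules concrete. The policy classes, the operation-to-privilege mapping, the mask functions, the sample principals, tags and table are all constructed for illustration; the kc_realm_ prefix for synced roles is taken from the Principal Types section below. It also assumes that a query touching a restricted column is denied outright, which this page does not state one way or the other.

```python
# Added example: a toy model of this page's policy semantics, not Ranger or platform code.
import hashlib
from dataclasses import dataclass
from fnmatch import fnmatchcase

PRIVILEGE_RANK = {"Viewer": 1, "Editor": 2, "Maintainer": 3}
REQUIRED = {"SELECT": "Viewer", "INSERT": "Editor", "ALTER": "Maintainer"}  # assumed mapping
ROLE_PREFIX = "kc_realm_"  # name a synced Keycloak realm role carries in Ranger (Principal Types)

@dataclass(frozen=True)
class TableAccess:
    principal: str
    resource: str   # "catalog.schema.table", '*' allowed at each level
    privilege: str  # Viewer | Editor | Maintainer

@dataclass(frozen=True)
class ColumnRestriction:
    principal: str
    tag: str
    effect: str     # Restrict | Allow

@dataclass(frozen=True)
class MaskPolicy:
    principal: str
    tag: str
    effect: str          # Mask | Unmask
    mask_kind: str = ""  # hash | nullify | partial (Mask only)

@dataclass(frozen=True)
class Column:
    name: str
    tags: frozenset  # Datahub tags synced into Ranger's tag store

def principals_for(user, roles):
    """Identities a request carries: the username plus each synced realm role."""
    return {user} | {ROLE_PREFIX + r for r in roles}

def resource_matches(pattern, table):
    """Match catalog.schema.table against a three-part pattern with '*' at any level."""
    pat, tbl = pattern.split("."), table.split(".")
    return len(pat) == 3 == len(tbl) and all(fnmatchcase(t, p) for t, p in zip(tbl, pat))

def apply_mask(kind, value):
    """Illustrative mask functions; the real list is fetched from Ranger at grant time."""
    if kind == "hash":
        return hashlib.sha256(str(value).encode()).hexdigest()[:16]
    if kind == "nullify":
        return None
    if kind == "partial":  # keep only the last four characters
        s = str(value)
        return "*" * max(len(s) - 4, 0) + s[-4:]
    raise ValueError(f"unknown mask kind {kind!r}")

def evaluate(user, roles, op, table, columns, table_pols, column_pols, mask_pols):
    """Return (allowed, restricted_columns, {column: mask_kind}).
    Table access is checked first, then per-column restriction (Allow beats Restrict),
    then masking (Unmask beats Mask). Assumption: touching a restricted column denies the query."""
    ids = principals_for(user, roles)
    need = PRIVILEGE_RANK[REQUIRED[op]]
    if not any(p.principal in ids and resource_matches(p.resource, table)
               and PRIVILEGE_RANK[p.privilege] >= need for p in table_pols):
        return False, [], {}
    restricted, masks = [], {}
    for col in columns:
        hits = [p for p in column_pols if p.principal in ids and p.tag in col.tags]
        deny = {p.tag for p in hits if p.effect == "Restrict"}
        allow = {p.tag for p in hits if p.effect == "Allow"}
        if deny - allow:  # a Restrict on some tag with no Allow for that same tag
            restricted.append(col.name)
            continue
        mhits = [p for p in mask_pols if p.principal in ids and p.tag in col.tags]
        unmask = {p.tag for p in mhits if p.effect == "Unmask"}
        kinds = sorted(p.mask_kind for p in mhits if p.effect == "Mask" and p.tag not in unmask)
        if kinds:
            masks[col.name] = kinds[0]  # deterministic pick when several tags mask one column
    return not restricted, restricted, masks

# Constructed sample policies and columns (not real platform data).
TABLE_POLICIES = [
    TableAccess("kc_realm_data_analyst", "lake.sales.*", "Viewer"),
    TableAccess("etl-service", "lake.*.*", "Editor"),
]
COLUMN_POLICIES = [
    ColumnRestriction("kc_realm_data_analyst", "CONFIDENTIAL", "Restrict"),
    ColumnRestriction("alice", "CONFIDENTIAL", "Allow"),  # per-user override of the role-wide Restrict
]
MASK_POLICIES = [
    MaskPolicy("kc_realm_data_analyst", "PII", "Mask", "partial"),
    MaskPolicy("bob", "PII", "Unmask"),  # bob sees PII in clear despite his role's Mask
]
ORDERS = [  # columns of lake.sales.orders with their tags
    Column("order_id", frozenset()),
    Column("customer_email", frozenset({"PII"})),
    Column("margin", frozenset({"CONFIDENTIAL"})),
]

if __name__ == "__main__":
    for user in ("alice", "bob", "carol"):
        print(user, evaluate(user, ["data_analyst"], "SELECT", "lake.sales.orders",
                             ORDERS, TABLE_POLICIES, COLUMN_POLICIES, MASK_POLICIES))
    print(apply_mask("partial", "alice@example.com"))
```

Running it shows the overrides at work: alice reads margin because her per-user Allow beats the role-wide Restrict, bob reads customer_email in clear because his Unmask beats the role's Mask but is still stopped by margin, and carol gets the role defaults (margin restricted, customer_email partially masked). The model deliberately keeps evaluation independent of the UI and BFF, which is how the real system behaves: policy changes are written to Ranger, and Trino enforces whatever Ranger holds at query time.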
Principal Types
Policies can target:
- Users — individual Keycloak users, identified by username
- Roles — Keycloak realm roles (e.g. data_analyst), automatically synced into Ranger as kc_realm_data_analyst
- Service accounts — machine or service principals
Go Deeper
- Data Access and Authorization — overview of the auth model and token exchange
- SQL Auth: Superset, Trino & Ranger — how policies are enforced at query time
- Keycloak → Ranger Role Sync — how role assignments flow from Keycloak into Ranger