
Data Access Management

Data Access Management controls which users, roles, and service accounts can access which data resources — at the table level and at the column level. Policies are enforced at query time across all data tools on the platform.

There are two entry points to manage access:

  • Admin → Data Access Management — manage access for any principal across all resources
  • Catalog → Table detail view — manage table-level access directly from a specific table

Services Behind This Feature

| Service | Role |
| --- | --- |
| BFF API | Proxies all policy management requests from the Cogrion UI to Ranger. |
| Ranger | The policy engine. Stores and evaluates fine-grained access control policies at query time. |
| Trino | Enforces Ranger policies when a query executes. |
| Datahub | Source of column-level tag metadata, populated by the metadata ingestion job. |
| Keycloak | Source of truth for user, role, and service account identity. |

Policy Types

Table Access

Table access policies control which principals can access specific resources. A resource is a combination of catalog, schema, and table — wildcards (*) are supported at each level.

| Privilege | What it allows |
| --- | --- |
| Viewer | Read-only SELECT access |
| Editor | Read and write access |
| Maintainer | Full access including schema operations |

Grant and revoke operations go through the BFF to Ranger. Changes take effect immediately for new queries.

Column Restriction

Column restriction policies control whether a principal can see columns carrying a specific tag. The effect is either Restrict (deny access to tagged columns) or Allow (explicitly permit access — useful for overriding a broader restriction).

Policies are tag-based, not column-name-based. A single policy covers all columns across all tables and schemas that share the same tag.

How Tags Get into Ranger

  1. A metadata ingestion job (a platform stack component) runs against the data sources and assigns Datahub tags to columns based on data classification rules (e.g. PII, CONFIDENTIAL).
  2. The tags are synced from Datahub into Ranger's own tag store.
  3. When an admin opens the column restriction form, the BFF queries Ranger's tag store to return the available tags for selection.
  4. At query time, Ranger evaluates the tag-based restriction policy against the columns in the query and restricts or permits access accordingly.

Data Masking

Data masking policies apply a transformation to column values at query time for a specific principal. Like column restriction, masking policies are tag-based — the policy targets a Datahub tag, not a specific column name.

| Effect | What it does |
| --- | --- |
| Mask | Apply a masking function to all columns carrying the tag (e.g. hash, nullify, partial mask) |
| Unmask | Explicitly show unmasked values for the principal, overriding a broader mask policy |

When granting a mask policy, the admin selects a mask kind — the specific transformation to apply. Available mask kinds are fetched from Ranger at grant time.

Principal Types

Policies can target:

  • Users — individual Keycloak users, identified by username
  • Roles — Keycloak realm roles (e.g. data_analyst), automatically synced into Ranger as kc_realm_data_analyst
  • Service accounts — machine or service principals
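The policy model described in the Table Access, Column Restriction, Data Masking and Principal Types sections, as a small Python evaluator added here for illustration (not code from the platform or from Ranger). The policy records, column tags and the precedence rule that an explicit Allow or Unmask overrides a broader Restrict or Mask are assumptions taken from the descriptions above, not Ranger's actual evaluation order; the table-level privilege is recorded but read/write semantics are not modelled.

```python
from fnmatch import fnmatchcase

# Constructed column tags, as the Datahub ingestion job would assign them (illustrative only).
COLUMN_TAGS = {
    ("hive.sales.orders", "customer_email"): {"PII"},
    ("hive.sales.orders", "amount"): set(),
}

def principals_for(user, realm_roles):
    # Keycloak realm roles are synced into Ranger as kc_realm_<role>.
    return {user} | {"kc_realm_" + r for r in realm_roles}

def resource_matches(pattern, resource):
    # A resource is catalog.schema.table; * is allowed independently at each level.
    pats, parts = pattern.split("."), resource.split(".")
    return len(pats) == len(parts) == 3 and all(fnmatchcase(x, p) for x, p in zip(parts, pats))

def evaluate_query(policies, user, realm_roles, table, columns):
    """Per-column outcome for one query: "visible", "restricted" or "masked:<kind>".
    Returns None when no table access policy applies to the principal at all."""
    who = principals_for(user, realm_roles)
    mine = [p for p in policies if p["principal"] in who]
    if not any(p["type"] == "table" and resource_matches(p["resource"], table) for p in mine):
        return None
    result = {}
    for col in columns:
        tags = COLUMN_TAGS.get((table, col), set())
        # Column restriction is tag-based; an explicit Allow overrides a broader Restrict (assumed precedence).
        effects = {p["effect"] for p in mine if p["type"] == "column" and p["tag"] in tags}
        if "Restrict" in effects and "Allow" not in effects:
            result[col] = "restricted"
            continue
        # Masking is tag-based too; an Unmask for this principal overrides a Mask (assumed precedence).
        masks = [p for p in mine if p["type"] == "mask" and p["tag"] in tags]
        kinds = [p["mask_kind"] for p in masks if p["effect"] == "Mask"]
        if kinds and not any(p["effect"] == "Unmask" for p in masks):
            result[col] = "masked:" + kinds[0]
        else:
            result[col] = "visible"
    return result

# Constructed policies: analysts read sales tables with PII hashed, one named user
# is explicitly unmasked, and interns cannot see PII columns at all.
POLICIES = [
    {"type": "table", "principal": "kc_realm_data_analyst", "resource": "hive.sales.*", "privilege": "Viewer"},
    {"type": "mask", "principal": "kc_realm_data_analyst", "tag": "PII", "effect": "Mask", "mask_kind": "hash"},
    {"type": "mask", "principal": "alice", "tag": "PII", "effect": "Unmask"},
    {"type": "table", "principal": "kc_realm_intern", "resource": "hive.sales.orders", "privilege": "Viewer"},
    {"type": "column", "principal": "kc_realm_intern", "tag": "PII", "effect": "Restrict"},
]
```

Running `evaluate_query(POLICIES, "bob", ["data_analyst"], "hive.sales.orders", ["customer_email", "amount"])` returns the email column as `masked:hash` and `amount` as visible, while the same query for `alice` shows the email unmasked.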

Go Deeper