# Policy Based Access Control

## Introduction

Policy based access control (PBAC) is a well-known security approach that grants or limits access to resources within a system, based on policies. At Select Star, we are introducing this new approach to provide our users with fine-grained access control over what their users can see, manage and administer.

This layer will be built upon our existing use of [Roles & Permission](/user-management/user-roles.md). You should be familiar with that section in order to fully understand how policy based access works.

**Roles** will determine what actions a user can take on a given object. Currently, Select Star has three main roles for a user: Admin, Data Manager, and Viewer.

{% hint style="info" %}
**Example**: A user with the *Viewer* role can read descriptions, but only users with *Data Manager* and *Admin* roles can edit descriptions.
{% endhint %}

**Policies** will determine what Roles apply to a given data object and user or team.

{% hint style="info" %}
**Example**: A policy named *Marketing View Policy* with an *Admin* role is assigned to the database *PROD\_MARKETING* and to the *Marketing* team. Users that belong to the Marketing team will be able to view, edit and manage all items in *PROD\_MARKETING*.
{% endhint %}

In summary, using roles and policies to control access to your metadata in Select Star will help you determine **who can access each data object** within Select Star (databases, schemas, models, dashboards, etc.) and **what level of permission they will have when accessing** those objects: Viewer, Data Manager, or Admin.

You can read a complete list of all the data objects that can be selected in policies at the end of this document in the [#data-objects](#data-objects "mention") section.

## Video Tutorials

#### Tutorial 1

Watch this video to see a breakdown of how Policy Based Access Control works.

{% embed url="<https://www.loom.com/share/cbc2e2d3cb0c4dc4a03c696679d812af?hideEmbedTopBar=true>" %}

#### Tutorial 2

Watch this video to see examples of using Policy Based Access Control in Select Star.

{% embed url="<https://www.loom.com/share/463ff6ea1d0a4e078857b618ea5ee789?hideEmbedTopBar=true>" %}

## Getting Started

PBAC needs to be enabled by Select Star staff for your organization. Contact us at <support@getselectstar.com> to start using this feature.

Once enabled, you can go to **Settings > Access Control** to create and edit access control rules.

Default policies will be enabled for the users based on the roles already applied to these users. There will be no change in what your users see unless you create policies to be applied to particular asset types. New users added to your organization will be assigned to the default policies based on their organization-wide role.

<figure><img src="/files/0g48hrqwTfNixJsDG67D" alt=""><figcaption></figcaption></figure>

## Create a Policy

To create a policy, you must have admin permissions for Select Star.

Click on the Add button in your admin panel, as shown in the image above (2), and enter the information as follows:

**Policy Name**: Choose a name for your policy

**Applies to**: Choose who is affected by the policy (user, team or everyone)

**Permission Role**: Choose the permission role that will apply for the given team and data assets. You can only select one permission role per policy. To learn what actions each role allows, read more in Roles & Permissions.

**Access to**: Choose the data assets that will be affected by this policy. Assets you can select include databases, schemas, dashboards, and Tableau folders.

<figure><img src="/files/WSVaP3mStwMX6E2epI34" alt=""><figcaption></figcaption></figure>

## Update a Policy

To update a policy, you must have admin permissions for your organization.

Go to **Settings > Access Control** and click **Edit** on the policy you want to edit.

Changes will be applied immediately in our system; however, you can expect some delay for changes to take effect on the client side. To ensure the change happens as quickly as possible, make sure you log out, clear your browser's cache, and log in again.

## Priorities and overlapping

Policies can sometimes overlap, giving a user different permissions on the same object. When this happens, the user will be granted the permissions of the most permissive policy that applies.

{% hint style="info" %}
Example: John Doe is part of the *Marketing* team, and has *Viewer* Access on the PROD\_MARKETING database. Within that database, there is a schema called COLD\_LEADS.

John Doe also has a policy, *Lead Manager Policy*, that allows him to make edits to the schema COLD\_LEADS.

Both policies, *Marketing View Policy* and *Lead Manager Policy*, apply to John Doe and to COLD\_LEADS, but the most permissive will have precedence, so the user will be able to edit and delete objects in COLD\_LEADS.
{% endhint %}

:bulb: **Note**: Policy based access control in Select Star is focused on granting permissions – not restricting them.

## Other views and context menus

Access control acts at different levels. In its most basic form, PBAC determines how you view a specific asset within its corresponding page. However, Select Star shows information about different assets all across the platform.

All views in Select Star will abide by the same rules, and will only show information that is available to the logged in user according to the policies you define.

**Search** will only surface results for which the user has View, Manage or Admin access. The same applies to the **Database View**, and the **Data source dropdown**.
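
The resolution rule from "Priorities and overlapping" and the view filtering described above can be modelled as follows. This is an added Python example, not Select Star's code. The `/`-separated object paths, the numeric role ranking, and the *Data Manager* role given to *Lead Manager Policy* are assumptions.

```python
from dataclasses import dataclass

# Least to most permissive. Role names are from the page; the numeric order is assumed.
RANK = {"Viewer": 1, "Data Manager": 2, "Admin": 3}

@dataclass(frozen=True)
class Policy:
    name: str
    role: str               # one permission role per policy
    applies_to: frozenset   # user names, team names, or "everyone"
    access_to: frozenset    # object paths, or the "everything" wildcard

def covers(policy, obj):
    """A policy on a database also covers the schemas inside it."""
    if "everything" in policy.access_to:
        return True
    return any(obj == p or obj.startswith(p + "/") for p in policy.access_to)

def effective_role(policies, user, teams, obj):
    """Most permissive role among all policies matching the user and object."""
    principals = {user, "everyone", *teams}
    roles = [p.role for p in policies
             if principals & p.applies_to and covers(p, obj)]
    return max(roles, key=RANK.__getitem__, default=None)

def visible(policies, user, teams, objects):
    """Objects a view such as Search would surface: any role at all."""
    return [o for o in objects if effective_role(policies, user, teams, o)]

# Constructed sample mirroring the John Doe example; the Data Manager role
# for Lead Manager Policy is an assumption (the page only says it allows edits).
POLICIES = [
    Policy("Marketing View Policy", "Viewer",
           frozenset({"Marketing"}), frozenset({"PROD_MARKETING"})),
    Policy("Lead Manager Policy", "Data Manager",
           frozenset({"John Doe"}), frozenset({"PROD_MARKETING/COLD_LEADS"})),
]
OBJECTS = ["PROD_MARKETING", "PROD_MARKETING/COLD_LEADS",
           "PROD_MARKETING_OLD", "PROD_FINANCE"]

if __name__ == "__main__":
    for o in OBJECTS:
        print(o, "->", effective_role(POLICIES, "John Doe", ["Marketing"], o))
```

Because resolution takes the maximum, no policy in this model can lower what a broader one grants; narrowing access means editing the broader policy itself.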

## Default Policies

By default, you will have three different policies, one for each Role. You can edit these policies as you wish, adding or removing users, teams, and data assets.

These policies cannot be deleted.

## Migrating to Policy Based Access Control

If you are already a customer, PBAC will need to be turned on for your account. We have you covered! Reach out to us at <support@getselectstar.com> to activate this feature in your account.

If you already had Roles & Permissions defined for your users and teams, we will automatically map these to Policy Based Access Control Default policies.

## Data objects

Policies will affect one or more data objects. The data objects we support are:

* **Data sources**: any data source that's connected to Select Star in your organization.
* **Data Warehouse**: Databases and Schemas.
* **BI Tools**: Folders and Dashboards.

:bulb: **Note**: There is a wildcard option available called ***everything*** that will allow you to apply a policy to all the objects within your organization.

## Tags

Coming soon. If you are interested in limiting access based on attributes, reach out to <support@getselectstar.com> so we can take you into account as we roll this out.


