Policy Based Access Control (beta)
Policy-based access control (PBAC) is a well-known security approach that grants or limits access to resources within a system based on policies. At Select Star, we are introducing this approach to give organizations fine-grained control over what their users can see, manage and administer.
This layer is built on top of our existing Roles & Permissions model, so you should be familiar with that section in order to fully understand how policy-based access works.
Roles determine what actions a user can take on a given object. Currently, Select Star has three main roles for a user, i.e. Admin, Data Manager, and Viewer.
Example: A user with the Viewer role can read descriptions, but only users with Data Manager and Admin roles can edit descriptions.
Policies determine which Role applies to a given data object for a given user or team.
Example: A policy named Marketing View Policy with an Admin Role is assigned to the database PROD_MARKETING and to the Marketing team. Users that belong to the Marketing team will be able to view, edit and manage all items in PROD_MARKETING.
In summary, using roles and policies to control access to your metadata in Select Star lets you determine who can access each data object within Select Star (databases, schemas, models, dashboards, etc.) and what level of permission they will have when accessing those objects: Viewer, Data Manager, Admin.
You can read a complete list of all the data objects that can be selected in policies at the end of this document in the Data objects section.
PBAC needs to be enabled by Select Star staff for your organization; contact us at [email protected] to start using this feature.
Once enabled, you can go to Settings > Access Control to create and edit access control rules.
Default policies will be enabled for the users based on the roles already applied to these users. There will be no change in what your users see unless you create policies to be applied to particular asset types. New users added to your organization will be assigned to the default policies based on their organization-wide role.
To create a policy, you must have admin permissions for Select Star.
Click on the Add button in your admin panel, as shown in the image above (2), and enter the information as follows:
Policy Name: Choose a name for your policy
Applies to: Choose who is affected by the policy (user, team or everyone)
Permission Role: Choose the permission role that will apply for the given team and data assets. You can only select one permission role per policy; to learn what actions each role allows, read more in Roles & Permissions.
Access to: Choose the data assets that will be affected by this policy. Assets you can select include databases, schemas and dashboards.
To update a policy, you must have admin permissions for your organization.
Go to Settings > Access Control and click Edit on the policy you want to edit.
Changes are applied immediately in our system; however, you can expect some delay before changes take effect on the client side. To ensure the change happens as quickly as possible, log out, clear your browser's cache, and log in again.
Policies can sometimes overlap, giving a user different permissions on the same object. When this happens, the user is granted the most permissive policy available.
Example: John Doe is part of the Marketing team, and has Viewer Access on the PROD_MARKETING database. Within that database, there is a schema called COLD_LEADS.
John Doe also has a policy, Lead Manager Policy, that allows him to make edits to the schema COLD_LEADS.
Both policies, Marketing View Policy and Lead Manager Policy, apply to John Doe and to COLD_LEADS, but the most permissive takes precedence, so the user will be able to edit and delete objects in COLD_LEADS.
Note: policy-based access control in Select Star is focused on granting permissions, not restricting them.
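The overlap rule above, modelled in Python as an added illustration (this is not Select Star's code). It assumes a policy on a database also covers the schemas beneath it, that an empty path stands for the Everything wildcard, and it reuses the John Doe walkthrough as a constructed sample, with the Viewer and Data Manager roles from that example.

```python
from dataclasses import dataclass

# Role order used for "most permissive wins" (Viewer < Data Manager < Admin).
ROLE_RANK = {"Viewer": 1, "Data Manager": 2, "Admin": 3}

@dataclass(frozen=True)
class Policy:
    name: str
    role: str
    applies_to: frozenset      # user ids, team names, or the literal "everyone"
    access_to: tuple           # asset paths; () is the "everything" wildcard

def covers(policy_path, target_path):
    """A policy on a database covers every schema under it; () covers all objects."""
    return target_path[:len(policy_path)] == policy_path

def effective_role(user, teams, target_path, policies):
    """Most permissive role granted on target_path by any matching policy, or None.
    Policies only grant: a lower-ranked overlapping policy never reduces access."""
    principals = {user, "everyone", *teams}
    best = None
    for pol in policies:
        if not (pol.applies_to & principals):
            continue
        if not any(covers(p, target_path) for p in pol.access_to):
            continue
        if best is None or ROLE_RANK[pol.role] > ROLE_RANK[best]:
            best = pol.role
    return best

def visible(user, teams, target_path, policies):
    """Search and the Database View surface an object only if some policy grants a role."""
    return effective_role(user, teams, target_path, policies) is not None

# Constructed sample mirroring the page's John Doe scenario (names are illustrative).
POLICIES = (
    Policy("Marketing View Policy", "Viewer", frozenset({"Marketing"}),
           (("PROD_MARKETING",),)),
    Policy("Lead Manager Policy", "Data Manager", frozenset({"john.doe"}),
           (("PROD_MARKETING", "COLD_LEADS"),)),
)

if __name__ == "__main__":
    print(effective_role("john.doe", {"Marketing"}, ("PROD_MARKETING", "COLD_LEADS"), POLICIES))
    print(effective_role("john.doe", {"Marketing"}, ("PROD_MARKETING", "HOT_LEADS"), POLICIES))
    print(visible("jane", set(), ("PROD_MARKETING",), POLICIES))
```

A user matched by no policy gets no role at all, which is why such objects never appear in search results for that user.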
Access control acts at different levels. In its most basic form, PBAC determines how you view a specific asset within its corresponding page. However, Select Star shows information about assets all across the platform.
All views in Select Star abide by the same rules and only show information that is available to the logged-in user according to the policies you define.
Search will only surface results for which the user has View, Manage or Admin access. The same applies to the Database View, and the Data source dropdown.
By default, you will have three different policies, one for each Role. You can edit these policies as you wish, adding or removing users, teams, and data assets.
These policies cannot be deleted.
If you are already a customer, PBAC will need to be turned on for your account. We have you covered! Reach out to us at [email protected] to activate this feature in your account.
If you already had Roles & Permissions defined for your users and teams, we will automatically map these to Policy Based Access Control Default policies.
Policies will affect one or more data objects. The data objects we support are:
- Data sources: any data source that's connected to Select Star in your organization.
- Data Warehouse: Databases and Schemas.
- BI Tools: Folders and Dashboards.
Note: a wildcard option called Everything is available that lets you apply a policy to all the objects within your organization.
Coming soon. If you are interested in limiting access based on attributes, reach out to [email protected] so we can take you into account as we roll this out.