Restricting access for certain users of Data Catalog

When a subscriber is provided with user access either as EnvironmentAdmin or EnvironmentUser, by default, the user is synchronized with the default Atlas policies in Ranger. This implies that the same user has access to all the datasets in the Data Catalog environment.

To have a fine-grained access to the same user from accessing the assets in Data Catalog, you can perform some additional changes. For example, if you want to restrict some users from accessing specific table information, you must set-up a Ranger policy such that these users will not have access to the asset details in Data Catalog.

To create the Ranger policy to restrict users from accessing asset details, refer to the following images:

The following image displays the Deny Conditions set for the specific user.

The result is depicted in the following image, where the user has no permissions to access the specified dataset (us_customers).

Additionally, when you plan to restrict data access, please note the following:

  • Audit summarisation for the asset evolves from the Ranger audit profiler and Metrics service.

  • Various Hive Column Statistical metrics for columns of the asset evolves from Atlas as part of the profile_data of a column.

To ensure that the data related to audit summary and Hive Column Statistics are not visible to the subscribers, you must make sure to turn off the audit profiler and the Hive Column profiler respectively.