How tag-based access control works
Do some prep in Atlas to make tags available for creating Ranger policies.
Follow these steps to set up tag-based access control in your environment:
- Determine what data to control, who it’s controlled for, and how you
want to control it.
If you know the data characteristics but there isn’t a reliable column name for the data or if you want to reveal parts of the data to some users, assign a classification to the column and set a tag-based policy in Ranger to apply masks to the data.
- Same resource across multiple services. Set tag-based policies in Ranger. Note that resource-based policies apply to a single service.
- Entire databases. Set resource-based policies in Ranger.
- Tables. Set resource-based policies in Ranger.
- Columns. Tagging columns in Atlas and then creating tag-based policies in Ranger allows you to control access to this data even as it is transformed into other tables.
- Create classifications in Atlas that describe triggers for when data should be controlled.
- Assign the classifications to the Atlas data assets.
- Create “tag based policies” in Ranger.
- Use Hue or Zeppelin to validate that the policies work as expected.