How tag-based access control works

Do some prep in Atlas to make tags available for creating Ranger policies.

Follow these steps to set up tag-based access control in your environment:

  1. Determine what data to control, who it’s controlled for, and how you want to control it.

    If you know the data characteristics but there isn’t a reliable column name for the data or if you want to reveal parts of the data to some users, assign a classification to the column and set a tag-based policy in Ranger to apply masks to the data.

    • Same resource across multiple services. Set tag-based policies in Ranger. Note that resource-based policies apply to a single service.
    • Entire databases. Set resource-based policies in Ranger.
    • Tables. Set resource-based policies in Ranger.
    • Columns. Tagging columns in Atlas and then creating tag-based policies in Ranger allows you to control access to this data even as it is transformed into other tables.
  2. Create classifications in Atlas that describe triggers for when data should be controlled.
  3. Assign the classifications to the Atlas data assets.
  4. Create “tag based policies” in Ranger.
  5. Use Hue or Zeppelin to validate that the policies work as expected.