Access control
Table Level Security
Security on a table is defined by the ACL section of the table definition. The ACL section defines the role and the grants for the role. The role is the permission that is granted to the grants. The grants can be users, groups or service accounts.
Below is an example of the ACL section of a table definition.
- BigQuery
- Spark
BigQuery Example
table:
...
acl:
- role: role/bigQueryViewer
grants:
- user:user@starlake.ai
- group:goup@starlake.ai
- serviceAccount:service@gserviceaccount.google.com
table:
...
acl:
- role: SELECT
grants:
- user@starlake.ai
- group
Row Level Security
You may also want to restrict access to specific rows in a table. This is done by defining a row level security policy. The policy is defined by a SQL expression that is evaluated for each row in the table. If the expression evaluates to true, the row is returned. If the expression evaluates to false, the row is not returned.
Below is an example of a row level security policy.
table:
...
acl:
- role: SELECT
grants:
- user@starlake.ai
- group
rls:
- name: "USA only"
predicate: "country = 'USA'"
grants:
- "group:mygroup"
Column Level Security
You may also want to restrict access to specific columns in a table.
This is done by defining a column level security policy.
This feature is supported on BigQuery only and makes use of access policies to restrict access to specific columns in a table.
Below is an example of a column level security policy.
table:
...
acl:
- role: SELECT
grants:
- user@starlake.ai
- group
rls:
- name: "USA only"
predicate: "country = 'USA'"
grants:
- "group:mygroup"
attributes:
- name: "code0"
accessPolicy: PII
type: "string"
...