Implementing Access Controls for Non-Compatible Datasets in Data Assets

Original Slack Thread

Hello! I am wondering how to implement the following. I would like to give users access equivalent to the Reader role to everything but datasets marked with a certain domain. For instance, I create a domain called Sensitive and annotate relevant datasets with it. Then the Reader role should be able to see all dataset with the exception of the datasets marked with Sensitive.
As far as I understand, I have to implement a policy which explicitly gives access to everything else but those datasets. That is I can’t create a policy to exclude certain domain but rather have to create a policy to include everything except it. Is this understanding correct?
Thank you!

yes thats how I understand and would do it as well.

<@U02AF5P6QDS> Thank you for quick reply!
I was hoping for another solution as this would mean writing down quite a lot of data assets and keeping them updated with the newly ingested …

would be happy if somebody knows a better solution as we are trying to achieve something similar :slightly_smiling_face:

<@U01GZEETMEZ> Would love your help here!

If you’re using Acryl, you can build a metadata automation to add a “Non-sensitive” tag to all other assets, and then build your policy based on that tag

Don’t think we have a good solve for this in pure DataHub though

<@U01GZEETMEZ> this means there is a tag-based policy option in Acryl available?

I believe so, but let me double check

Actually seems like we don’t support it. However, ultimately policies are driven by search-style queries against our elasticsearch indicies, so given that we definitely support domain-based policies, doing term/tag-driven policies shouldn’t be too hard - likely would be a fairly small PR

okay thanks for looking it up for us.
Tag-based policies would be a great feature as we need something like that and currently we are building a controller which checks and creates/updates policies based on tags etc

Hello! I am now thinking to implement a transformer which adds a certain domain during the ingestion, for instance ‘Non-sensitive’. And then extend the Reader role, or create a similar one, to provide access only to this domain for all users. Everything outside this domain will be considered in the Sensitive domain.

Hi <@U03D58YUFDX> - wondering if you ended up solutioning something for this? We’re trying to achieve something similar and are trying to find a scalable solution. :slightly_smiling_face:

Hi <@U059NLXBL8G>, no we have not implemented it yet. Eventually, next year. Will be curious to hear about your experience/solution about this problem :slight_smile: