Identities

In Data Access, an identity is a unified profile that consolidates a user's accounts from different data sources. Typically, an identity represents a single physical person or a service account. You can use identities as beneficiaries in access controls to define who gets access to data. This allows you to grant identities access across multiple data sources simultaneously. Identities help you govern the person, instead of managing fragmented permissions across systems.

Tip An account represents a user in your underlying data source, for example, a user in Snowflake, a service account in BigQuery, or a user in Okta. This user can be a human or a machine (service account) and is different from a user in Collibra.

Account-to-identity mapping

Data Access maps multiple accounts belonging to the same user to an identity based on email address.

When a new account is pulled into Data Access, it is automatically mapped to an existing identity if the email address of the account matches that of the identity. If no match is found, a new identity is created. Although email matching is the default behavior, you can also manually move an account to a different or new identity.

For example, if you have accounts in Databricks, Snowflake, and Collibra with the same email address, the three accounts are mapped to the same identity. However, if you use a different email address for each account, the three accounts are mapped to three different identities.

Collibra users

Identities in Data Access also include Collibra users. This ensures that if a Collibra user has any data source accounts, they are linked to the appropriate Data Access identity through email matching. If a Collibra user requests access to a Snowflake table in Data Access, the access is granted to the related Snowflake account that the user has.

Collibra users are a subset of identities and can only be human users.

Identity tags

The tags on an identity come from the tags on all of its linked accounts. For example, if an identity's BigQuery account has the tag Department:Engineering and their Snowflake account has the tag Location:Belgium, the identity gets both of those tags. These aggregated identity tags provide rich user attributes, such as the user's department and geographic location. You can use these tags to define dynamic rules in access controls. For example, instead of manually granting access to a list of individual people, you can define a dynamic rule that automatically grants access to any identity that has the tags Department:Engineering and Location:Belgium.

View an identity

To view an identity, on the Data Access landing page, in the left pane, click RESOURCES > Identities, and then click the identity.

The Summary tab

The Summary tab on an identity page contains the following information.

Section Description
Ownership Data sources, data objects, and access controls that this identity owns.
Associated accounts Accounts that are linked to this identity across different data sources.
Groups Groups that this identity is a member of.

The Access tab

The Access tab on an identity page contains the following information.

Section Description
Data objects Data objects that this identity can access. You can view the access graph by clicking Diagram icon.
Roles Roles that allow this identity to access data.
Access on request Access controls that allow this identity to temporarily access data upon request.
Column masks Column masks that allow this identity to see unmasked data.
Row filters Row filters that allow this identity to see filtered rows.

Related topics

Groups