About Data Access
Collibra Data Access gives you a single place for managing who can access what data across all your external systems. With Data Access, you can define access controls, such as who can access data objects (roles), how sensitive columns appear to them (column masks), and which rows they can see (row filters). These access controls are automatically enforced in your underlying data sources, so you do not need to manage isolated access controls separately in each of the data sources.
Benefits
Data Access simplifies how you manage data access controls across your organization. Its key benefits include the following.
| Benefit | Description |
|---|---|
| Unified access management | Data Access manages access for individual users regardless of the accounts or platforms that they use to query data. It unifies a user's accounts from different data sources into a single identity, so you can govern the user, instead of managing fragmented access controls across multiple data sources. |
| Flexible access provisioning |
Data Access allows you to grant time-bound access and automate access through dynamic rules (Attribute-Based Access Controls). |
| Synchronization with your data landscape |
Data Access pulls existing entities from your data sources. This gives you immediate visibility into who can access what, helping you spot and remove unused access. It also pushes access control changes to your data sources to keep both environments synchronized. |
| Separation of governance from infrastructure |
Data Access separates permission management from the technical complexities of the systems where your data resides. The access controls that you define in Data Access are automatically translated into the native access controls that your data sources understand. This accelerates data delivery for data consumers, while maintaining consistent data protection, regardless of the underlying database technology. |
How Data Access works
The core conceptual model of Data Access is built around an abstract representation of access management. It contains several interconnected entities that map your external systems into a unified framework.
Data sources act as the top-level entities, representing an instance of a data warehouse, such as BigQuery or Databricks, or an identity store, such as Microsoft Entra ID or Okta. Once a data source is added to Data Access, its metadata is ingested to form data objects in Data Access. These objects represent the underlying data elements, such as databases, schemas, tables, columns, or folders, all of which are organized in a hierarchy. In the model, the self-referential "parent" link represents the hierarchical nesting of data objects. For example, a data object can have another data object as its parent.
To manage people and services, the model distinguishes between accounts and identities. An account represents a user within a specific data source, such as a Snowflake user or a GCP service account. Because users often have multiple accounts in different data sources, these accounts are mapped to a single identity in Data Access based on email address. An identity serves as a centralized, cross-platform view of a single person or service.
Access controls in Data Access are what unify the model and define who gets access to what. They function regardless of how your underlying data source implements access, whether that is through an Access Control List (ACL) in BigQuery or Role-Based Access Control (RBAC) in Snowflake. An access control has a What component, which contains specific data objects, and a Who component, which contains identities that receive access, who are called beneficiaries.
Access controls take different functional forms, including roles, column masks, or row filters. They can also be linked to other access controls to create powerful inheritance structures, so you can build higher-level data products from lower-level technical roles. In the model, the self-referential "who" link represents the inheritance of access controls, wherein one access control can reference another access control, creating a chain.
The Data Access model also incorporates tags, which are metadata key-value pairs that are imported directly from your data sources and attached to data objects, accounts, and groups. These tags enable Attribute-Based Access Control (ABAC), so you can dynamically define the What and Who components of an access control by using Boolean expressions, instead of manual static assignments.
Data sources
Data Access supports the following data sources:
- Data warehouses: BigQuery, Databricks, Snowflake
- Identity stores: Microsoft Entra ID, Okta
Data Access also includes the Collibra system as a data source. The Collibra data source is used to synchronize Collibrausers and groups.
To set up a data source for Data Access:
- Configure the permissions in the data source.
- Create a connection from an Edge or Collibra Cloud site to the data source.
- Add the data source to Data Access.
- Optionally, link the data source to an existing System asset in Data Catalog.
Open Data Access
Data Access is available only in the latest user interface of Collibra Platform. You can open Data Access if you have a global role with the Product Rights > Data Access global permission. To open Data Access, on the main toolbar, click
>
Data Access. This opens the Data Access landing page.
Data Access versus Protect
Important To prevent policy drift and inconsistent security, do not manage the same data sources with Data Access and Protect at the same time. When you are ready to adopt the advanced governance capabilities of Data Access, plan a complete migration of your Protect-managed data sources.
Both Data Access and Protect help you govern sensitive data, but they differ significantly in scope and approach.
Data Access operates at the identity level to directly grant and revoke access to data. You manage access for users across all your data sources simultaneously. Protect, by contrast, operates at the data level. Rather than managing the underlying access itself, Protect applies only column masking and row filtering policies on top of a user's existing access. You classify columns, assign them to data categories, and apply protections that follow the logical data model in Collibra.
| Aspect | Data Access | Protect |
|---|---|---|
| Concept |
Defines who gets access and what they can access by assigning access controls to identities or groups, either explicitly or dynamically. |
Defines who gets access and what they can access by associating Protect groups with logical assets that map to the underlying physical data. |
| Purpose |
Provides centralized access provisioning and secure, self-service data democratization. Data Access focuses on connecting the right users to the right data faster, centralizing access controls, and maintaining a clear audit trail. |
Enforces privacy and compliance. Protect focuses on securing sensitive information to minimize risk and ensure compliance. |
| Approach (what) |
Bridges the logical and physical data layers. You build policies directly against physical data objects, such as databases, tables, and columns, or use imported native system tags to dynamically grant access based on tags, for example |
Uses a logical and contextual approach. You build policies against logical business assets in your Collibra Data Catalog, such as data classifications, data categories, and business processes, which Protect then maps to the underlying physical columns. |
| Approach (who) |
Governs the unified identity. Data Access creates a unified profile that links a user to all their source accounts. |
Governs the group. Protect uses Protect groups that map directly to native technical roles or principals in the underlying data sources. |
| Typical use case |
A data owner managing time-bound access requests for a Customer Data Product, while a data steward ensures that PII within that product remains dynamically masked unless the user belongs to a specific approved department. |
A data steward creating a policy that masks anything that is classified as PII across platforms, with a specific rule to unmask it only for the HR group. |
| Sync |
Both inbound and outbound. Data Access pulls existing entities from your data sources and pushes Collibra-managed access controls to your data sources. |
Outbound only. Protect pushes Collibra-defined standards and rules to your data sources. |