Dynamic rules in access controls
In Data Access, you can make an access control dynamic by using dynamic rules, also called Attribute-Based Access Control (ABAC).
Instead of manually specifying static data objects and identities (entities), you can use dynamic rules to automatically target the entities that you want to include in the access control. After you create a dynamic rule, it is automatically applied to future entities. This means that if an entity is added or updated in your data source later, the access control includes it if it satisfies the dynamic rule.
When to use dynamic rules
You can use dynamic rules in an access control in the following scenarios:
- You want to mask all columns that have the tags Classification:PII and Category:Employee for everyone except the identities that have the tag Department:HR.
- You want any identity that has the tag Department:Marketing to be able to access any table that has the tag Category:Marketing.
How dynamic rules work
Dynamic rules use Boolean expressions that are based on tags. Tags are imported from your data sources during synchronization, and they are read-only in Data Access.
Dynamic rules are available in the What component of roles and column masks, and in the Who component of roles, column masks, and row filters.
Dynamic rule in the What component
When you add a dynamic rule to the What component, you define which data objects your access control includes. Instead of selecting data objects individually, you specify conditions that the data objects must meet to be included in your access control.
For a role, adding a dynamic rule to the What component involves defining a scope, selecting data object types, setting permissions, and building conditions. For a column mask, it involves only defining a scope and building conditions.
- Scope: Select one or more data objects to define the boundary within which Data Access searches for matching data objects. For example, selecting a database restricts the dynamic rule to that database only, preventing Data Access from scanning your entire data source.
- Data object types: Select the types of data objects to target within the scope (for example, Table and View). Data Access evaluates only data objects of the selected types against the conditions that you specify. For column masks, the data object type is always Column.
- Permissions: Select the level of access (Read, Write, or Admin) to grant on the matching data objects. This is applicable only to roles.
- Conditions: Build one or more Boolean expressions by using tag-based conditions. Data Access evaluates these conditions against all data objects that are within the defined scope and are of the selected types, and it includes only the matching data objects.
For example, you can define the condition Has tag Classification:PII to target only the data objects that are classified as PII.
You can also combine multiple conditions using AND and OR logic to build more precise rules. For example, you can target all the data objects that are classified as PII and belong to a specific business unit.
Dynamic rule in the Who component
When you add a dynamic rule to the Who component, you define which identities your access control includes as beneficiaries. Instead of selecting identities individually, you specify conditions that the identities must meet to be included in your access control.
Adding a dynamic rule to the Who component involves building one or more Boolean expressions by using tag-based conditions. Data Access evaluates these conditions against all identities, and it includes only the matching identities.
For example, you can define the condition Has tag Department:Sales to target only the identities that belong to the Sales department.
You can also combine multiple conditions using AND and OR logic to build more precise rules. For example, you can target all the identities that belong to the Sales department and are located in a specific region.
Tag operators in the What component
A tag operator in the What component determines how Data Access evaluates a data object based on its position in the data hierarchy: whether the tag is applied directly to the object itself, inherited from an ancestor, or present on a descendant.
The following tag operators are available in the What component of roles and column masks.
| Tag operator | Description |
|---|---|
| Has tag | Includes the data object only if the tag is applied directly to it. |
| Inherits tag | Includes the data object if the tag is applied directly to it or inherited from its ancestor, for example, its parent schema or database. |
| Contains tag | Includes the data object if the tag is applied directly to it or present on any of its descendants, for example, its columns. This operator is not available for column masks. |
Tag operator comparison
The following table summarizes how each tag operator behaves based on where the tag is applied relative to the target data object.
| Where the tag is applied | Has tag | Inherits tag | Contains tag |
|---|---|---|---|
| Directly on the target data object | Yes | Yes | Yes |
| On any ancestor of the target data object | No | Yes | No |
| On any descendant of the target data object | No | No | Yes |
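The following is an added worked example, not Data Access's own code: a small Python model of a data hierarchy (database, schema, table or view, column) with Key:Value tags, the three What-component operators implemented over that hierarchy, AND/OR combinators, and a rule evaluator that respects scope and data object types. The object names, tag values and the hierarchy itself are constructed for the example; only the tag names follow the examples on this page.

```python
from dataclasses import dataclass, field
from typing import Callable, Iterator, Optional

# Constructed model of a data hierarchy (database > schema > table/view > column).
# Example code added to illustrate the operators, not Data Access's own implementation.


@dataclass
class DataObject:
    name: str
    type: str                                  # "Database", "Schema", "Table", "View" or "Column"
    tags: set = field(default_factory=set)     # "Key:Value" tags imported from the data source
    parent: Optional["DataObject"] = None
    children: list = field(default_factory=list)

    def add(self, child: "DataObject") -> "DataObject":
        child.parent = self
        self.children.append(child)
        return child

    def ancestors(self) -> Iterator["DataObject"]:
        node = self.parent
        while node is not None:
            yield node
            node = node.parent

    def descendants(self) -> Iterator["DataObject"]:
        for child in self.children:
            yield child
            yield from child.descendants()


# The three What-component tag operators, following the operator table above.
def has_tag(obj: DataObject, tag: str) -> bool:
    return tag in obj.tags


def inherits_tag(obj: DataObject, tag: str) -> bool:
    return tag in obj.tags or any(tag in a.tags for a in obj.ancestors())


def contains_tag(obj: DataObject, tag: str) -> bool:
    return tag in obj.tags or any(tag in d.tags for d in obj.descendants())


Condition = Callable[[DataObject], bool]


def tag_condition(operator, tag: str) -> Condition:
    return lambda obj: operator(obj, tag)


def all_of(*conditions: Condition) -> Condition:   # AND
    return lambda obj: all(c(obj) for c in conditions)


def any_of(*conditions: Condition) -> Condition:   # OR
    return lambda obj: any(c(obj) for c in conditions)


def evaluate_what_rule(scope, object_types, condition: Condition) -> list:
    """Walk only the scope objects and what lies beneath them, keep objects of the
    selected types, and return the names of those that satisfy the condition."""
    matches = []
    for root in scope:
        for obj in (root, *root.descendants()):
            if obj.type in object_types and condition(obj):
                matches.append(obj.name)
    return matches


def build_sample_hierarchy() -> DataObject:
    # Constructed sample data; the tag names follow the page's examples.
    db = DataObject("sales_db", "Database", {"Category:Marketing"})
    hr = db.add(DataObject("hr", "Schema", {"Category:Employee"}))
    employees = hr.add(DataObject("hr.employees", "Table"))
    employees.add(DataObject("hr.employees.ssn", "Column", {"Classification:PII"}))
    employees.add(DataObject("hr.employees.dept", "Column"))
    public = db.add(DataObject("public", "Schema"))
    public.add(DataObject("public.campaigns", "Table", {"Category:Marketing"}))
    public.add(DataObject("public.leads_v", "View", {"Classification:PII"}))
    return db


if __name__ == "__main__":
    db = build_sample_hierarchy()
    tables = {"Table", "View"}
    pii = "Classification:PII"
    # Has tag: only the view tagged directly matches; a PII column does not make its table match.
    print(evaluate_what_rule([db], tables, tag_condition(has_tag, pii)))
    # Contains tag: the table now matches because one of its columns carries the tag.
    print(evaluate_what_rule([db], tables, tag_condition(contains_tag, pii)))
    # Inherits tag: a tag on the database reaches every table and view beneath it.
    print(evaluate_what_rule([db], tables, tag_condition(inherits_tag, "Category:Marketing")))
    # Scope narrowed to the public schema: hr.employees is never examined.
    print(evaluate_what_rule([db.children[1]], tables, tag_condition(contains_tag, pii)))
    # Column mask: PII columns that sit under Employee data (AND of two conditions).
    print(evaluate_what_rule([db], {"Column"},
                             all_of(tag_condition(inherits_tag, "Category:Employee"),
                                    tag_condition(has_tag, pii))))
```

The Inherits tag run shows why the scope matters: a single tag on the database makes every table and view beneath it match, so selecting a narrower scope (a schema) keeps the rule from reaching more objects than intended. The Contains tag run shows the difference between granting on a table because the table is tagged and granting because one of its columns is, which is why that operator is not offered for column masks.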
Tag operators in the Who component
A tag operator in the Who component determines how Data Access evaluates an identity based on its organizational structure: whether the tag is applied directly to the identity or inherited from its group.
The following tag operators are available in the Who component of roles, column masks, and row filters.
| Tag operator | Description |
|---|---|
| Has tag | Includes the identity only if the tag is applied directly to it. The tags on an identity come from the tags on all of its linked accounts. |
| Inherits tag | Includes the identity if the tag is applied directly to it or inherited from its group. |
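As an added example (not Data Access's own code), the model below applies the two Who-component operators to a constructed set of identities. An identity's own tags are the union of the tags on all of its linked accounts, as the table states, and Inherits tag additionally looks at the identity's groups; the identity names, account sources, groups and tag values are all constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Callable

# Constructed model of identities, linked accounts and groups; example code added to
# illustrate the Who-component operators, not Data Access's own implementation.


@dataclass
class Account:
    source: str                               # the data source the account lives in
    tags: set = field(default_factory=set)    # "Key:Value" tags imported from that source


@dataclass
class Group:
    name: str
    tags: set = field(default_factory=set)


@dataclass
class Identity:
    name: str
    accounts: list = field(default_factory=list)
    groups: list = field(default_factory=list)

    def own_tags(self) -> set:
        # The tags on an identity come from the tags on all of its linked accounts.
        return set().union(*(account.tags for account in self.accounts))

    def group_tags(self) -> set:
        return set().union(*(group.tags for group in self.groups))


# Who-component tag operators, following the operator table above.
def has_tag(identity: Identity, tag: str) -> bool:
    return tag in identity.own_tags()


def inherits_tag(identity: Identity, tag: str) -> bool:
    return tag in identity.own_tags() or tag in identity.group_tags()


Condition = Callable[[Identity], bool]


def tag_condition(operator, tag: str) -> Condition:
    return lambda identity: operator(identity, tag)


def all_of(*conditions: Condition) -> Condition:   # AND
    return lambda identity: all(c(identity) for c in conditions)


def evaluate_who_rule(identities, condition: Condition) -> list:
    """Evaluate the condition against all identities and return the matching names."""
    return [identity.name for identity in identities if condition(identity)]


def build_sample_identities() -> list:
    # Constructed sample data; tag names follow the page's examples.
    sales = Group("sales-team", {"Department:Sales"})
    hr = Group("hr-team", {"Department:HR"})
    return [
        # Sales is tagged on one linked account, the region on another: both count as her own tags.
        Identity("alice", [Account("snowflake", {"Department:Sales"}),
                           Account("bigquery", {"Region:EMEA"})], [sales]),
        # No Sales tag on any account; only the group membership carries it.
        Identity("bob", [Account("snowflake", {"Region:EMEA"})], [sales]),
        Identity("carol", [Account("snowflake", {"Department:HR"})], [hr]),
    ]


if __name__ == "__main__":
    people = build_sample_identities()
    # Has tag: only identities whose own accounts carry Department:Sales.
    print(evaluate_who_rule(people, tag_condition(has_tag, "Department:Sales")))
    # Inherits tag: group membership brings bob in as well.
    print(evaluate_who_rule(people, tag_condition(inherits_tag, "Department:Sales")))
    # Sales department AND located in a specific region, as in the example above.
    print(evaluate_who_rule(people, all_of(tag_condition(inherits_tag, "Department:Sales"),
                                           tag_condition(has_tag, "Region:EMEA"))))
```

Because an identity's tags are the union over all of its linked accounts, a tag set on an account in one data source makes the identity match a rule protecting data in another source, which is worth keeping in mind when tags are maintained per source.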