Core concepts
Before setting up and using Data Access, it is helpful to understand the building blocks. The following concepts form the foundation of how Data Access connects to your external systems and governs who gets access to what.
Data sources and data objects
A data source is an instance of your external system within Data Access, for example, a BigQuery project, a Snowflake account, or an identity store such as Microsoft Entra ID. The external system itself is also called the underlying data source.
A data object is any individual element within a data source, such as a database, schema, table, view, column, folder, or file. Every data object belongs to a single data source. Data objects are organized in a hierarchy under their data source. For example, in Snowflake, the hierarchy looks as follows:
- Data source: The top-level connection, for example, Snowflake.
- Database: The specific database within the data source.
- Schema: The logical grouping of tables within the database.
- Table (or view): The specific set of rows and columns within the schema.
- Column: The most granular level of data, for example, the Credit Card Number column.
Identities and groups
An identity is a unified profile in Data Access that consolidates a user's accounts across multiple data sources into a single entity. This allows you to govern the person rather than managing fragmented permissions per system.
A group is a collection of identities that are managed in your identity stores. Groups are imported from your data sources, and they cannot be edited or deleted in Data Access.
In a future release, you will be able to manage groups through Data Access.
Access controls
An access control is an abstract representation of "who gets access to what". An access control has two main components:
- What: The data objects in scope and the permissions that apply to them.
- Who: The identities or groups that receive the access. These are referred to as beneficiaries.
Data Access has three types of access controls:
- Role: Grants the beneficiaries permissions, such as Read or Write, on specific data objects. Roles in Data Access are not the same as global roles or resource roles in Collibra.
- Column mask: Masks the data in specific columns for everyone except the beneficiaries, who see the unmasked data in those columns.
- Row filter: Hides the rows of a specific table or view from everyone except the beneficiaries, who see only the rows that match the filter criteria.
You can also link access controls together in an inheritance structure to provide more powerful, layered access management. Inheritance allows you to reuse permissions or beneficiaries across multiple access controls. For example, you can create a high-level functional role that inherits access from several lower-level roles, or you can link a column mask to a role so that the beneficiaries of that role see unmasked data.
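To make the column mask and row filter concepts concrete, the following is an added illustration of what such controls look like once they exist in the underlying data source, here Snowflake. This is not SQL generated by Data Access, and this page does not document how Data Access implements these controls on Snowflake; the policy names, the FINANCE_ANALYST role, the EMEA region value and the sales.public.payments table are assumed for the illustration only.

```sql
-- Illustration only: a column mask and a row filter expressed as native
-- Snowflake policies. Names and values below are assumed, not from Data Access.

-- Column mask: everyone except the beneficiary role sees a masked value.
-- The beneficiary (FINANCE_ANALYST, assumed) sees the unmasked column.
CREATE OR REPLACE MASKING POLICY mask_credit_card_number AS (val STRING) RETURNS STRING ->
  CASE
    WHEN CURRENT_ROLE() IN ('FINANCE_ANALYST') THEN val
    ELSE '****-****-****-' || RIGHT(val, 4)
  END;

ALTER TABLE sales.public.payments
  MODIFY COLUMN credit_card_number SET MASKING POLICY mask_credit_card_number;

-- Row filter: non-beneficiaries see no rows at all (policy returns FALSE);
-- beneficiaries see only the rows that match the filter criteria (region = 'EMEA').
CREATE OR REPLACE ROW ACCESS POLICY filter_payments_region AS (region STRING) RETURNS BOOLEAN ->
  CURRENT_ROLE() IN ('FINANCE_ANALYST') AND region = 'EMEA';

ALTER TABLE sales.public.payments
  ADD ROW ACCESS POLICY filter_payments_region ON (region);

-- Check: run once as a beneficiary role and once as a non-beneficiary role.
-- Expected: FINANCE_ANALYST sees full card numbers for EMEA rows only;
-- any other role sees zero rows (and would see masked values if it saw any).
SELECT credit_card_number, region
FROM sales.public.payments;
```

Both policies decide on CURRENT_ROLE(), so the effective beneficiaries at the data-source level are whichever roles end up holding that access, including roles reached through inheritance. After linking a column mask or row filter to a role, verify on the data source itself, as both a beneficiary and a non-beneficiary, that non-beneficiaries get masked values and no rows, and that beneficiaries still get the rows they need; a filter that returns FALSE for the wrong role silently hides everything rather than failing loudly.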
Sync
Synchronization (sync) connects Data Access to the underlying data source. It runs in two directions:
- Inbound sync pulls data objects, accounts, groups, and access controls from your data source into Data Access.
- Outbound sync pushes access controls that you create or update in Data Access to your data source.
You activate sync by adding your data source to Data Access.
Tags
A tag is a key-value pair that provides context to an entity. For example, in the tag Department:Finance, Department is the key and Finance is the value.
Tags are imported from your data sources during synchronization, and they are read-only in Data Access. They are available for data objects, groups, and identities.
You can use tags to filter entities when you search in Data Access, and to define dynamic rules in access controls.
Ownership and access requests
Ownership establishes who has authority and control over data sources, data objects, and access controls. Ownership also grants specific administrative privileges, such as the ability to view an access control's sensitive Who component, or to manage the sync schedule of a data source.
When you add a data object or access control that you do not own to one of your access controls, an access request is automatically sent to its owner for approval.
Currently, you can assign only Collibra users as owners. In a future release, you will be able to assign Collibra groups as owners. You will also be able to request access to data and data products directly.