🏷️ Unity Catalog ABAC

ABAC with Governed Tags

How Attribute-Based Access Control uses governed tags to enforce dynamic, scalable data access policies without per-object permissions.

1. Governed Tags: The Foundation

Governed Tags are account-level tag definitions whose allowed keys, values and assigners are enforced, so classification stays consistent across the account. They classify data assets with attributes like:

sensitivity=high, region=EMEA, domain=finance

Tags alone don't enforce access — they just classify data.

2. Tags Applied to Tables

Admins apply governed tags to catalogs, schemas, or tables. Tags inherit downward.

Example: A customer_data table is tagged with sensitivity=high and region=EMEA.

3. ABAC Policies Reference Tags

ABAC Policies are the enforcement layer. They define rules like:

"If table has sensitivity=high, only compliance-team can SELECT"

Policies can also attach UDFs as row filters and column masks, so a matched policy can restrict which rows are returned or mask sensitive columns rather than only allowing or denying the whole table.

4. Dynamic Enforcement

When Alice queries the table, UC evaluates:

1. What tags does this table have?
2. What policies match those tags?
3. Is Alice allowed based on policy rules?

5. Instant Updates

Change a tag → access changes instantly.

No need to update permissions on individual objects. Just:

• Reassign a tag, or
• Update the policy definition

This scales to thousands of tables with minimal admin effort.
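The evaluation in steps 2, 4 and 5 (tag inheritance, policy matching, the principal check, and a re-tag changing the next decision) as a toy model written for this page; it is not Unity Catalog's own code. The hierarchy prod.crm.customer_data, the groups compliance-team, emea-staff and analysts, and the two policies are constructed here, and the ordinary GRANT check that UC performs alongside ABAC is left out.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    name: str
    match_tags: dict           # every key=value here must be on the object's effective tags
    allowed_groups: frozenset  # principal needs membership in at least one of these
    privilege: str = "SELECT"


# Constructed hierarchy (catalog -> schema -> table); governed tags inherit downward.
CATALOG_TAGS = {"prod": {"region": "EMEA"}}
SCHEMA_TAGS = {"prod.crm": {"domain": "finance"}}
TABLE_TAGS = {"prod.crm.customer_data": {"sensitivity": "high"}}

POLICIES = [
    Policy("high-sensitivity", {"sensitivity": "high"}, frozenset({"compliance-team"})),
    Policy("emea-only", {"region": "EMEA"}, frozenset({"emea-staff"})),
]


def effective_tags(table):
    """Evaluation step 1: the table's own tags plus those inherited from schema and catalog."""
    catalog, schema, _ = table.split(".")
    tags = dict(CATALOG_TAGS.get(catalog, {}))
    tags.update(SCHEMA_TAGS.get(f"{catalog}.{schema}", {}))
    tags.update(TABLE_TAGS.get(table, {}))  # most specific level wins on a conflicting key
    return tags


def matching_policies(tags, privilege="SELECT"):
    """Evaluation step 2: policies whose tag predicate is fully satisfied by the effective tags."""
    return [p for p in POLICIES
            if p.privilege == privilege
            and all(tags.get(k) == v for k, v in p.match_tags.items())]


def decide(principal_groups, table, privilege="SELECT"):
    """Evaluation step 3: the principal must satisfy every matching policy.
    Returns (allowed, names of matched policies). No matching policy means no ABAC restriction;
    the separate GRANT check is an omitted assumption of this toy."""
    matched = matching_policies(effective_tags(table), privilege)
    allowed = all(set(principal_groups) & p.allowed_groups for p in matched)
    return allowed, [p.name for p in matched]


def retag(table, key, value):
    """Step 5: changing a tag changes the next decision with no per-object permission edits."""
    TABLE_TAGS.setdefault(table, {})[key] = value


if __name__ == "__main__":
    t = "prod.crm.customer_data"
    print(decide({"compliance-team", "emea-staff"}, t))  # (True, ['high-sensitivity', 'emea-only'])
    print(decide({"analysts", "emea-staff"}, t))         # (False, ['high-sensitivity', 'emea-only'])
    retag(t, "sensitivity", "low")
    print(decide({"analysts", "emea-staff"}, t))         # (True, ['emea-only'])
```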

Walk-through diagram: Governed Tags (account-level definitions: sensitivity=high, region=EMEA, domain=finance) → customer_data (tagged table) → ABAC Policy (enforcement rules: IF sensitivity=high THEN require compliance-team) → Alice (member of compliance-team): Access Granted, policy matched.

Governed Tags vs. ABAC

🏷️ Governed Tags

Role: Classification & consistency

  • Define allowed tag keys/values
  • Control who can assign tags
  • Ensure naming standards
  • Don't enforce access

📋 UC ABAC

Role: Dynamic enforcement

  • Reference tags in policies
  • Row filters & column masks
  • Enforce access based on tags
  • Makes tags actionable

⚡ Benefits

Why ABAC + Tags?

  • Scalable: One policy → 1000s of tables
  • Dynamic: Change tag → instant update
  • Centralized: Manage policies once
  • Auditable: Full logging

🔄 In Practice

How they work together:

  • Tag tables with classifications
  • Write policies referencing tags
  • UC enforces automatically
  • Re-tag to change access instantly