Governed tags
This feature is in Public Preview.
This page provides an overview of governed tags, called tag policies in Beta, in Databricks. To create and manage governed tags, see Create and manage governed tags. To apply tags, see Apply tags to Unity Catalog securable objects.
Tag data is stored as plain text and may be replicated globally. Do not use tag names, values, or descriptors that could compromise the security of your resources. For example, do not use tag names, values or descriptors that contain personal or sensitive information.
What are governed tags?
Governed tags are account-level tags with built-in rules for consistency and control. When you create a governed tag, you also define a tag policy. That policy enforces how the tag can be used. Governed tags can be applied to objects such as tables and catalogs, but not to compute resources like clusters or jobs, which use a separate tagging mechanism. Governed tags ensure that tags are consistently applied and conform to organizational standards. They help prevent inconsistent naming, unauthorized tag assignments, or incorrect tag values.
Governed tags allow administrators to:
- Mark specific tag keys as governed.
- Define the set of allowed values for each governed tag.
- Control which users and groups can assign governed tags and manage their definitions.
When a tag is governed, it can still be applied to any applicable object. However, the policy ensures that only users with the appropriate permissions can assign values to that tag, and only from a predefined set of allowed values. This governance helps maintain consistency, security, and compliance across metadata tagging in your account.
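Before marking a key as governed, it helps to know which existing tag assignments fall outside the allowed values you plan to define. The query below is an added example, not part of the Databricks documentation; it assumes the `system.information_schema.table_tags` view is available in your metastore, and the key `data_classification` and its allowed values are hypothetical.

```sql
-- Added example: list table tags whose values are outside a planned allowed set.
-- The tag key and allowed values are hypothetical; replace them with your own.
WITH allowed AS (
  SELECT tag_name, tag_value
  FROM VALUES
    ('data_classification', 'public'),
    ('data_classification', 'internal'),
    ('data_classification', 'confidential')
    AS v(tag_name, tag_value)
)
SELECT
  t.catalog_name,
  t.schema_name,
  t.table_name,
  t.tag_name,
  t.tag_value
FROM system.information_schema.table_tags AS t
WHERE t.tag_name IN (SELECT tag_name FROM allowed)  -- only keys you intend to govern
  AND NOT EXISTS (                                   -- exact match, so 'Internal' is flagged
    SELECT 1
    FROM allowed AS a
    WHERE a.tag_name = t.tag_name
      AND a.tag_value = t.tag_value
  )
ORDER BY t.catalog_name, t.schema_name, t.table_name;
```

The query covers tables only, and it returns only objects in catalogs and schemas that the querying user is permitted to see.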
Why use governed tags?
Governed tags support a wide range of governance and operational use cases, including:
- Data classification: Enforce the use of standardized tags for sensitive data, regulatory compliance, or business domains.
- Attribute-based access control (ABAC): Use governed tags as attributes in access policies to enforce fine-grained, dynamic permissions based on data classification. See Unity Catalog attribute-based access control (ABAC).
- Cost management: Require cost center or project tags on resources to enable accurate chargeback and reporting.
- Resource discovery: Improve searchability and organization by ensuring consistent tagging across catalogs, schemas, tables, and other assets.
- Operational automation: Enable automated workflows and monitoring based on tag values.
- Certification and deprecation classification (Private Preview): Use system tags to flag trusted or outdated data, supporting data lifecycle management and improving clarity for data consumers. See Flag certified and deprecated data.
How governed tags work
- Tag policies: Each governed tag has an associated tag policy that enforces its rules.
- Enforcement: Governed tags are enforced at the account level and apply across all workspaces in the account.
- Permissions: Permissions determine who can create governed tags, edit their allowed values, and assign them. Users can still create and assign tags that are not governed. For more information, see Manage permissions on governed tags.
- Visibility: Governed tags are marked in the Databricks UI with a lock icon, making it easy for users to identify which tags are subject to policy controls.
System governed tags
System governed tags are predefined by Databricks and cannot be edited or deleted. Like user-governed tags, each system tag has a tag policy that enforces its rules.
- Only users or groups with the appropriate ASSIGN permission can apply or remove system tags.
- Only predefined values can be used for each system tag key.
- Enforcement is consistent across all workspaces in the account.
System governed tags differ from user-governed tags in the following ways:
- Tag keys and allowed values are defined and maintained by Databricks.
- Users cannot modify the definitions or create new system governed tags.
- System tags are marked in the UI with a wrench icon to distinguish them from user-governed tags.
System governed tags support standardized tagging for use cases like classification, ownership, and lifecycle tracking, without requiring admins to define or manage custom governance. For more details, see System tags.