Skip to main content

Tag policies

Beta

This feature is in Beta.

This page provides an overview of tag policies in Databricks. To create and manage tag policies, see Create and manage tag policies. To apply tags, see Apply tags to Unity Catalog securable objects.

Tag data can be replicated globally. Do not use tag names or values that could compromise the security of your resources. For example, do not use tag names that contain personal or sensitive information.

What are tag policies?

Tag policies are account-level controls that define constraints on tags assignable to objects in Databricks, such as tables and catalogs. These policies do not apply to compute resources like clusters or jobs, which use a separate tagging mechanism. Tag policies ensure that tags are consistently applied and conform to organizational standards. They help prevent inconsistent naming, unauthorized tag assignments, or incorrect tag values. Tag policies allow administrators to:

  • Specify which tag keys are governed.
  • Define the set of allowed values for each governed tag.
  • Control which users and groups can assign governed tags to resources and manage governed tag definitions.

When a tag is governed by a tag policy, it can still be applied to any applicable object. However, the policy ensures that only users with the appropriate permissions can assign values to that tag, and only from a predefined set of allowed values. This governance helps maintain consistency, security, and compliance across metadata tagging in your account.

Why use tag policies?

Tag policies support a wide range of governance and operational use cases, including:

  • Data classification: Enforce the use of standardized tags for sensitive data, regulatory compliance, or business domains.
  • Attribute-based access control (ABAC): Use governed tags as attributes in access policies to enforce fine-grained, dynamic permissions based on data classification. See Unity Catalog attribute-based access control (ABAC).
  • Cost management: Require cost center or project tags on resources to enable accurate chargeback and reporting.
  • Resource discovery: Improve searchability and organization by ensuring consistent tagging across catalogs, schemas, tables, and other assets.
  • Operational automation: Enable automated workflows and monitoring based on tag values.
  • Certification and deprecation classification: Use system tags to flag trusted or outdated data, supporting data lifecycle management and improving clarity for data consumers. See Flag certified and deprecated data.

How tag policies work

  • Governed tags: When a tag policy is defined for a tag key, that tag becomes governed. Only users or groups with the appropriate permissions can assign governed tags, and only the allowed values specified in the policy can be used.

  • Enforcement: Tag policies are enforced at the account level and apply across all workspaces in the account.

  • Tag policy permissions: Permissions control who can create, manage, and assign governed tags. Users can continue to create and assign tags that are not governed by tag policies. Tag policies only apply to tags that are explicitly governed. For more information, see Manage tag policy permissions.

  • Visibility: Governed tags are marked in the Databricks UI with a lock Lock icon., making it easy for users to identify which tags are subject to policy controls.

    List of governed tags.

System tag policies

System tag policies govern system tags, which are predefined by Databricks and cannot be edited or deleted by users. System tag policies enforce the same constraints as user-defined tag policies:

  • Only users or groups with the appropriate ASSIGN permission can apply or remove system tags.
  • Only predefined values can be used for each system tag key.
  • System tag enforcement is consistent across all workspaces in the account.

However, system tag policies differ from user-defined tag policies in the following ways:

  • The tag keys and allowed values are defined and maintained by Databricks.

  • Users cannot modify the policy definitions or create new system tag policies.

  • System tags are marked in the UI with a wrench Wrench icon. to distinguish them from user-governed tags.

    List of system tags.

System tag policies support standardized tagging for use cases like classification, ownership, and lifecycle tracking, without requiring admins to define or manage custom tag policies. For more details, see System tags.

Last updated on