Attribute-based access control in Unity Catalog
Attribute-based access control (ABAC) is an access control model in Unity Catalog where access is determined by evaluating attributes associated with securables. These attributes, represented through governed tags, are used in policy conditions to identify which data a policy should protect.
Policies are attached at a level in the Unity Catalog hierarchy, such as a catalog, schema, or table, and are evaluated dynamically. When a securable has the attributes targeted by a policy, that policy takes effect automatically, so a single policy can enforce consistent access rules across an entire catalog or schema.
ABAC also supports row- and column-level security through row filter policies and column mask policies. Supported securable types are tables, materialized views, and streaming tables.
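As an added example (not from the page), the following SQL shows how the pieces above fit together: a masking UDF, a column mask policy attached at the catalog level that applies to every column carrying a governed tag, a row filter policy at schema level keyed on a tag value, and the tag assignment that brings a table under the policies. The statements follow the Databricks `CREATE POLICY` syntax as I understand it; the catalog, schema, table, tag, group and function names are assumptions.

```sql
-- Assumed names: catalog hr_catalog, schema security, groups hr_team
-- and global_readers, governed tags pii and data_type.

-- Masking UDF: the policy passes the matched column in, the UDF returns
-- what the caller is allowed to see.
CREATE OR REPLACE FUNCTION hr_catalog.security.mask_pii(val STRING)
RETURNS STRING
RETURN CASE WHEN val IS NULL THEN NULL ELSE 'REDACTED' END;

-- Column mask policy at catalog level. It is not bound to a table or a
-- column name: any table in hr_catalog with a column tagged pii is
-- covered, so newly created or newly tagged tables are protected
-- without a policy change.
CREATE OR REPLACE POLICY mask_pii_columns
ON CATALOG hr_catalog
COMMENT 'Mask PII columns for everyone except HR'
COLUMN MASK hr_catalog.security.mask_pii
TO `account users`
EXCEPT `hr_team`
FOR TABLES
MATCH COLUMNS hasTag('pii') AS pii_col
ON COLUMN pii_col;

-- Row filter UDF: returns TRUE for rows the caller may see.
CREATE OR REPLACE FUNCTION hr_catalog.security.region_filter(region STRING)
RETURNS BOOLEAN
RETURN region = 'EU';

-- Row filter policy at schema level, keyed on the governed tag value
-- data_type = region rather than on a hard-coded column name.
CREATE OR REPLACE POLICY filter_by_region
ON SCHEMA hr_catalog.employees
ROW FILTER hr_catalog.security.region_filter
TO `account users`
EXCEPT `global_readers`
FOR TABLES
MATCH COLUMNS hasTagValue('data_type', 'region') AS region_col
USING COLUMNS (region_col);

-- Tagging is what activates the policies for this table: the email
-- column now matches mask_pii_columns and the office_region column
-- matches filter_by_region.
ALTER TABLE hr_catalog.employees.staff
  ALTER COLUMN email SET TAGS ('pii' = 'email');
ALTER TABLE hr_catalog.employees.staff
  ALTER COLUMN office_region SET TAGS ('data_type' = 'region');
```

Because the policies are evaluated against tags at query time, removing or changing a tag changes enforcement just as much as editing the policy does, so tag changes belong in the same review and audit path as policy changes.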
The following topics help you get started with ABAC in Unity Catalog.
| Topic | Description |
|---|---|
| | Covers governed tags, policies, UDFs, policy scope, tag inheritance, and how policies are evaluated and enforced at query time. |
| | How to create, edit, view, and delete ABAC policies using Catalog Explorer, SQL, and REST APIs. |
| | Policy evaluation and enforcement internals and audit logging for tag and policy operations. |
| | Reusable patterns for row filtering and column masking, including VARIANT-based UDFs for multi-type masking and struct column redaction. |
| | Recommendations for policy scope, tag taxonomy design, and policy management. |
| | Performance characteristics of ABAC policies, including UDF complexity, predicate pushdown, and query optimization. |
| When to use ABAC vs table-level row filters and column masks | How to choose between ABAC policies and table-level row filters and column masks, including differences in scope, ownership, and override behavior. |
| | Compute requirements, policy quotas, and current ABAC limitations including view support and conflict resolution. |