Column-Level Access Control
This section illustrates how Column-Level Access Control is enforced in ByteHouse and how users configure it. Column-Level Access Control lets users configure permissions on individual columns so that only the appropriate users can access them. This is especially useful for limiting access to sensitive columns such as Personally Identifiable Information (PII).
Configuring Column-Level Access Control
To grant column-level permissions, the user must first be granted the associated table-level permissions, as follows:
Column Actions | Table Actions Needed |
---|---|
SELECT | SELECT |
INSERT | INSERT |
ALTER | ALTER |
DROP | ALTER |
Granting permissions on specific columns
You can specify columns that should be accessible to specific roles. In this case, "demo_role" is granted permission to SELECT demo_col_one.
Once permission is granted to "demo_role", "demo_role" would be able to select from demo_col_one only.
SELECT demo_col_one FROM demo_db.demo_table -- okay!
SELECT demo_col_one, demo_col_two FROM demo_db.demo_table -- access denied!
To grant users additional permissions on more columns, click the check box on the grid:

For example, by adding SELECT permission on demo_col_two, "demo_role" will now be able to select from demo_col_two as well:
SELECT demo_col_one FROM demo_db.demo_table -- okay!
SELECT demo_col_one, demo_col_two FROM demo_db.demo_table -- okay!
Granting permissions on future columns
For specific users who should be granted permissions on all current and future columns, simply click and enable the corresponding permission pill.

This should be applied to roles that can access all columns, including sensitive columns that could be added in the future. For SELECT permissions, "demo_role" will now be able to use SELECT * to view data of all columns.
SELECT demo_col_one FROM demo_db.demo_table -- okay!
SELECT demo_col_one, demo_col_two FROM demo_db.demo_table -- okay!
SELECT * FROM demo_db.demo_table -- okay!
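As an added example (not ByteHouse code and not part of the original page), the Python model below restates the rules above: the table-level prerequisite, per-column grants, and the all-and-future-columns permission. It shows which roles can read a column added later without any new grant. The role all_cols_role, the column demo_col_pii, and the expansion of * to the table's current columns are assumptions made for illustration.

```python
# Model of the column-level check described on this page (not ByteHouse code).
# Column action -> table action that must already be granted (table above).
TABLE_ACTION_NEEDED = {"SELECT": "SELECT", "INSERT": "INSERT",
                       "ALTER": "ALTER", "DROP": "ALTER"}

class Role:
    def __init__(self, name, table_actions, column_grants=None, all_columns=()):
        self.name = name
        self.table_actions = set(table_actions)
        # action -> explicitly granted columns (check boxes on the grid)
        self.column_grants = {a: set(c) for a, c in (column_grants or {}).items()}
        # actions with the "all and future columns" pill enabled
        self.all_columns = set(all_columns)

def check(role, action, requested, table_columns):
    """Return (allowed, denied_columns) for one statement."""
    # Assumption: "*" expands to every column the table has right now.
    cols = list(table_columns) if requested == ["*"] else list(requested)
    if TABLE_ACTION_NEEDED[action] not in role.table_actions:
        return False, cols
    if action in role.all_columns:
        return True, []
    granted = role.column_grants.get(action, set())
    denied = [c for c in cols if c not in granted]
    return not denied, denied

def exposed_by_new_column(roles, action, table_columns, new_column):
    """Roles that can use `action` on a newly added column with no new grant."""
    columns = list(table_columns) + [new_column]
    return sorted(r.name for r in roles
                  if check(r, action, [new_column], columns)[0])

# Constructed sample data; "all_cols_role" and "demo_col_pii" are hypothetical.
COLUMNS = ["demo_col_one", "demo_col_two"]
demo_role = Role("demo_role", {"SELECT"}, {"SELECT": {"demo_col_one"}})
all_cols_role = Role("all_cols_role", {"SELECT"}, all_columns={"SELECT"})

if __name__ == "__main__":
    print(check(demo_role, "SELECT", ["demo_col_one"], COLUMNS))
    print(check(demo_role, "SELECT", ["demo_col_one", "demo_col_two"], COLUMNS))
    print(check(demo_role, "SELECT", ["*"], COLUMNS))
    print(check(all_cols_role, "SELECT", ["*"], COLUMNS))
    print(exposed_by_new_column([demo_role, all_cols_role], "SELECT",
                                COLUMNS, "demo_col_pii"))
```

Running the same exposure check over a real grant inventory before adding a sensitive column shows which roles would gain access to it automatically.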