This section illustrates how Column-Level Access Control is enforced in ByteHouse and how users configure it. Column-Level Access Control lets users set permissions on individual columns so that only the appropriate users can access them. This is especially useful for limiting access to sensitive columns such as Personally Identifiable Information (PII).
Before column-level permissions can be granted, the user must first be granted the associated table-level permissions as follows:
|Column Actions||Table Actions Needed|
You can specify columns that should be accessible to specific roles. In this case, "demo_role" is granted permission to
Once permission is granted to "demo_role", "demo_role" would be able to select from
SELECT demo_col_one FROM demo_db.demo_table -- okay!
SELECT demo_col_one, demo_col_two FROM demo_db.demo_table -- access denied!
To grant users additional permissions on more columns, click the check box on the grid:
For example, by adding SELECT permission on demo_col_two, "demo_role" will now be able to select from demo_col_two as well:
SELECT demo_col_one FROM demo_db.demo_table -- okay!
SELECT demo_col_one, demo_col_two FROM demo_db.demo_table -- okay!
For specific users who should be granted permissions on all current and future columns, click to enable the corresponding permission pill.
This should be applied to roles that can access all columns, including sensitive columns that could be added in the future. For SELECT permissions, "demo_role" will now be able to use SELECT * to view data of all columns.
SELECT demo_col_one FROM demo_db.demo_table -- okay!
SELECT demo_col_one, demo_col_two FROM demo_db.demo_table -- okay!
SELECT * FROM demo_db.demo_table -- okay!
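The allow/deny outcomes in the three query listings above can be written as a small decision model. This is an added example, not ByteHouse code: the class and function names, the demo_col_pii column, and the expansion of SELECT * to the table's current columns are assumptions made for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class SelectGrants:
    """SELECT grants for one role on one table (illustrative model only)."""
    columns: set = field(default_factory=set)  # columns ticked on the grid
    all_and_future: bool = False               # the "all columns" permission pill


def check_select(grants, table_columns, requested):
    """Return (allowed, denied_columns) for one SELECT statement.

    `requested` lists the columns named in the query. ["*"] is expanded to
    the table's current columns, which is an assumption of this model.
    """
    wanted = list(table_columns) if requested == ["*"] else list(requested)
    if grants.all_and_future:
        return True, []
    denied = [c for c in wanted if c not in grants.columns]
    return not denied, denied


def walkthrough():
    """Replay the page's demo_role scenario, then add a new column."""
    table = ["demo_col_one", "demo_col_two"]
    role = SelectGrants(columns={"demo_col_one"})
    results = {}
    results["one"] = check_select(role, table, ["demo_col_one"])
    results["one_two"] = check_select(role, table, ["demo_col_one", "demo_col_two"])

    role.columns.add("demo_col_two")  # second check box ticked
    results["one_two_after_grant"] = check_select(role, table, ["demo_col_one", "demo_col_two"])

    table.append("demo_col_pii")      # constructed column added later
    results["star_explicit"] = check_select(role, table, ["*"])

    role.all_and_future = True        # permission pill enabled
    results["star_pill"] = check_select(role, table, ["*"])
    return results


if __name__ == "__main__":
    for name, (allowed, denied) in walkthrough().items():
        print(f"{name:22} {'okay' if allowed else 'access denied'} {denied}")
```

In this model, per-column grants do not extend to a column added afterwards, while the pill does, which is why the pill belongs only on roles that may read every column.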