Before you begin
- You have an Admin role.
- You are familiar with how Sift organizes data into Assets, Channels, and Runs.
How DAG setup works
DAG controls access to Sift resources by evaluating attributes on users, user groups, and resources against policies you define. You can protect Assets, Channels, and Runs with DAG. Setup follows a deliberate sequence: label users (or user groups) and resources with attributes, then define a policy that connects them. No access changes occur until a policy is active.
You can label users individually or label a user group. Group attributes work well when an attribute applies to the whole team, membership turns over frequently, or your identity provider only exposes attributes at the group level. Policies can reference a user’s individual attributes and the group attributes of any groups the user is a member of. Assigning attributes to groups instead of individuals avoids having to maintain sets of attributes across individual users.
For example, suppose your organization runs a sensitive satellite program called Artemis, and only engineers with the correct clearance should access its telemetry data in Sift. Here’s how DAG handles it:
- Create a user attribute clearance (type: Enum Set) and assign [Artemis, Apollo] to the cleared engineers. This labels the user. No access changes yet.
- Create a resource attribute program_classification (type: Enum) and assign Artemis to the relevant Assets and Channels. This labels the resource. No access changes yet.
- Create a policy that grants access only when a user’s clearance contains the resource’s program_classification. Access changes immediately once the policy is active.
Users whose clearance includes Artemis can access the Artemis resources. Others see nothing, even if their RBAC role would otherwise allow it.
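To preview who would keep access before activating the Artemis policy, the following added example (not Sift's code or API) models the rule "clearance contains program_classification" over constructed users, groups, and resources. It assumes group attributes are unioned with individual ones and that the user's RBAC role must still allow the action; every name and value below is hypothetical.

```python
# Simplified model of the Artemis policy described above; not Sift's API or engine.
# All users, groups, resources and the rbac_can_view flag are constructed.

USERS = {
    "ana":  {"clearance": {"Artemis", "Apollo"}, "groups": [], "rbac_can_view": True},
    "ben":  {"clearance": set(), "groups": ["artemis-ops"], "rbac_can_view": True},
    "cara": {"clearance": {"Apollo"}, "groups": [], "rbac_can_view": True},
    "dev":  {"clearance": {"Artemis"}, "groups": [], "rbac_can_view": False},
}
GROUPS = {"artemis-ops": {"clearance": {"Artemis"}}}
RESOURCES = {
    "asset/artemis-bus": {"program_classification": "Artemis"},
    "channel/artemis-bus.battery_v": {"program_classification": "Artemis"},
    "asset/ground-rig": {},  # not labeled yet
}

def effective_clearance(user, users=USERS, groups=GROUPS):
    """Union of the user's own clearance and that of every group they belong to."""
    values = set(users[user].get("clearance", set()))
    for group in users[user]["groups"]:
        values |= groups[group].get("clearance", set())
    return values

def preview(users=USERS, groups=GROUPS, resources=RESOURCES):
    """Return ({resource: users who would keep access}, [unlabeled resources])."""
    keep, unlabeled = {}, []
    for name, attrs in resources.items():
        label = attrs.get("program_classification")
        if label is None:
            # The policy has no value to compare against; flag for manual review.
            unlabeled.append(name)
            continue
        keep[name] = sorted(
            u for u in users
            # Assumption: DAG only narrows RBAC, so both checks must pass.
            if users[u]["rbac_can_view"]
            and label in effective_clearance(u, users, groups)
        )
    return keep, unlabeled

if __name__ == "__main__":
    keep, unlabeled = preview()
    for name, allowed in keep.items():
        print(f"{name}: {allowed}")
    print("unlabeled, needs review:", unlabeled)
```

Comparing this preview against the people who need the data today shows who would be locked out, and which resources are still missing a label, before the policy takes effect.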
Step 1: Create and assign a user attribute
Create a user attribute
- Click your profile icon.
- Select Manage.
- In Access control, click User attributes.
- Click Create User Attribute.
- In the Type list, select a data type.
- In the Name box, enter a name for the attribute. Use a name tied to real concepts in your organization so that someone reading a policy can immediately understand what the attribute means.
- Optional: In the Description box, enter a description to clarify how the attribute is intended to be used in policies.
- Click Save.
Assign a user attribute
Assigning this attribute does not change access. It only labels the user so that a policy can later reference this attribute.
- In Access Control, click User Attributes.
- In the User attributes table, locate the attribute to use.
- Click Options, and then select Assign.
- In Assign User Attributes, in Groups or Users, select a group or user, and click Update.
- You can select any user or group, but do not select yourself. You can change this selection later.
- Once the policy is active, this user or group’s RBAC permissions will be further controlled for this specific Asset.
- Set the attribute value for the selected user or group.
- Click Next to review your changes.
- Review the assignment summary, then click Update to confirm.
No access: At this point, no access has changed. The user still has the same RBAC role and permissions as before. Access will only change after you create a policy that references this attribute.
Step 2: Create and assign a resource attribute
Create a resource attribute
- In Access Control, click Resource Attributes.
- Click Create Resource Attribute.
- Configure the attribute settings and click Save.
Assign a resource attribute
Assigning this attribute does not change access. It only labels the resource so that a policy can later reference this attribute.
- In Access Control, click Resource Attributes.
- In Resource Attributes, find the resource attribute to use.
- Click Options, then select Assign.
- Select the resource type you want to manage: Assets, Channels, or Runs.
- In the search field, enter the name of the resource to manage.
- In the search results, select your resource.
- Click Update.
- Select a value for the attribute.
- Click Next.
- Review your changes, and then click Update.
Step 3: Create a policy
- In Access Control, click Policies.
- Click Create Policy.
- Configure the policy settings and click Create.
Next steps
- Getting started with Data Access Governance (DAG): A hands-on tutorial that walks through using DAG to protect a specific Asset by creating user and resource attributes and an explicit deny policy. By the end, you will have restricted a user’s access to a sensitive Asset without changing their RBAC role.