Sift Data Access Governance (DAG) lets you define fine-grained access control policies based on attributes assigned to users and resources. Setting up DAG requires three sequential steps: creating user attributes, creating resource attributes, and creating a policy that connects them.
Before you begin
- You have an Admin role.
- You are familiar with how Sift organizes data into Assets, Channels, and Runs.
How DAG setup works
DAG controls access to Sift resources by evaluating attributes assigned to users and resources against policies you define. The resources that can be protected with DAG are Assets, Channels, and Runs.
Setting up DAG follows a deliberate sequence. You start by labeling users and resources with attributes, and then define a policy that connects them. No access changes occur until a policy is created and active.
For example, say your organization has a sensitive satellite program called Artemis. You want to ensure that only engineers with the correct clearance can access its telemetry data in Sift. Here is how DAG handles this:
- You create a user attribute called clearance (Enum Set) and assign it, with the value ["Artemis", "Apollo"], to the engineers cleared for those programs. This only labels the user. No access changes yet.
- You create a resource attribute called program_classification (Enum) and assign it, with the value Artemis, to the Artemis Assets and Channels in Sift. This only labels the resource. No access changes yet.
- You create a policy that allows access only when the user’s clearance contains the resource’s program_classification. Access changes immediately once the policy is active.
Engineers whose clearance includes Artemis can access the Artemis resources. Engineers without the correct clearance see nothing, even if their RBAC role would otherwise allow it.
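Because access changes as soon as the policy is active, it helps to preview who would be cut off first. The following Python sketch models the clearance and program_classification rule from the example above; it is an added illustration, not Sift code or the Sift API. The function names, the sample users and resources, the simplified RBAC stand-in, and the choice to leave resources without a program_classification unaffected are all assumptions.

```python
# Illustrative model of the clearance / program_classification policy.
# Not Sift's implementation; every name and sample value is constructed.

def rbac_allows(user, resource):
    # Assumption: the RBAC role is reduced to a set of resource types.
    return resource["type"] in user["rbac_types"]

def policy_allows(user, resource):
    """Allow only when the user's clearance (Enum Set) contains the
    resource's program_classification (Enum)."""
    label = resource.get("program_classification")
    if label is None:
        return True  # assumption: unlabeled resources are not matched
    return label in user.get("clearance", set())

def can_access(user, resource, policy_active):
    # Modeled as RBAC AND policy: the policy further restricts what the
    # role already allows and has no effect until it is active.
    if not rbac_allows(user, resource):
        return False
    return policy_allows(user, resource) if policy_active else True

def access_lost_on_activation(users, resources):
    """(user, resource) pairs allowed today that the active policy denies."""
    return sorted(
        (u["name"], r["name"])
        for u in users
        for r in resources
        if can_access(u, r, False) and not can_access(u, r, True)
    )

# Constructed sample data.
USERS = [
    {"name": "alice", "rbac_types": {"asset", "channel", "run"},
     "clearance": {"Artemis", "Apollo"}},
    {"name": "bob", "rbac_types": {"asset", "channel"},
     "clearance": {"Apollo"}},
    {"name": "carol", "rbac_types": {"asset"}},  # no attribute assigned
]
RESOURCES = [
    {"name": "artemis-sat-1", "type": "asset",
     "program_classification": "Artemis"},
    {"name": "artemis-sat-1.battery_v", "type": "channel",
     "program_classification": "Artemis"},
    {"name": "ground-station", "type": "asset"},  # unlabeled
]

if __name__ == "__main__":
    for pair in access_lost_on_activation(USERS, RESOURCES):
        print("would lose access:", pair)
```

Users who were never assigned the attribute, such as carol in the sample data, show up in the preview alongside users with the wrong clearance value.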
Step 1: Create and assign a user attribute
Create a user attribute
- Click your profile icon.
- Select Manage.
- In Access control, click User attributes.
- Click Create User Attribute.
- In the Type list, select a data type for the attribute. For a description of each type, see Authorization models settings.
- In the Name box, enter a name for the attribute. Use a name tied to real concepts in your organization so that someone reading a policy can immediately understand what the attribute means.
- Optional: In the Description box, enter a description to clarify how the attribute is intended to be used in policies.
- Click Save.
Assign a user attribute
Assigning this attribute does not change access. It only labels the user so that a policy can later reference this attribute.
- In Access Control, click User Attributes.
- In the User attributes table, locate the attribute to use.
- Click Options, and then select Assign.
- In Assign User Attributes, in User Groups or Users, select a group or user, and click Update.
  - You can select any user or group, but do not select yourself. You can change this selection later.
  - Once the policy is active, this user or group’s RBAC permissions will be further controlled for this specific Asset.
- Set the attribute value for the selected user or group.
- Click Next to review your changes.
- Review the assignment summary, then click Update to confirm.
No access: At this point, no access has changed. The user still has the same RBAC role and permissions as before. Access will only change after you create a policy that references this attribute.
Step 2: Create and assign a resource attribute
Create a resource attribute
- In Access Control, click Resource Attributes.
- Click Create Resource Attribute.
- Configure the attribute settings and click Save.
Assign a resource attribute
Assigning this attribute does not change access. It only labels the resource so that a policy can later reference this attribute.
- In Access Control, click Resource Attributes.
- In Resource Attributes, find the resource attribute to use.
- Click Options, then select Assign.
- Select the resource type you want to manage: Assets, Channels, or Runs.
- In the search field, enter the name of the resource to manage.
- In the search results, select your resource.
- Click Update.
- Select a value for the attribute.
- Click Next.
- Review your changes, and then click Update.
Step 3: Create a policy
- In Access Control, click Policies.
- Click Create Policy.
- Configure the policy settings and click Create.
Next steps
- Getting started with Data Access Governance (DAG): A hands-on tutorial that walks through using DAG to protect a specific Asset by creating user and resource attributes and an explicit deny policy. By the end, you will have restricted a user’s access to a sensitive Asset without changing their RBAC role.