
Security

This FAQ answers common questions about Lakehouse security controls, authentication and authorization, and encryption.

Access control and encryption

Is access to Lakehouse secure? How does Lakehouse handle data?

Yes. Lakehouse protects metadata through layered security controls:

  • The catalog is the only entry point that query engines use to access Lakehouse metadata.
  • Iceberg data files and metadata files are stored in Atlan-managed object storage and encrypted at rest.
  • Access to object storage is logged and tracked.
  • You control end-user access in your query engine by using the engine’s native access controls (for example, Snowflake RBAC).

How does authentication work between the query engine and the catalog?

The query engine authenticates to the catalog by using an engine-to-catalog credential. The catalog validates the credential on every metadata request and enforces namespace and table permissions.

This is service-to-service authentication. End users don't sign in to the catalog.

How are credentials authorized to access specific assets in Lakehouse? Where’s authorization managed and enforced?

The OAuth client that the query engine uses is mapped to a read-only catalog role scoped to only the Iceberg namespaces and tables explicitly permitted for that Lakehouse.

Authorization is managed in Polaris, the catalog component of Atlan. Polaris enforces namespace- and table-level permissions on every catalog request. If the credential isn't authorized to access a table, Polaris doesn't return metadata for it.

In addition, query engine administrators can apply the engine's native access controls to the linked Lakehouse catalog or tables to further restrict which users and roles can query Lakehouse data.

When a query runs:

  1. The query engine authenticates to the catalog using its catalog integration credential.
  2. The catalog authorizes the request and returns only permitted Iceberg metadata, including file locations and temporary object storage credentials scoped to those files.
  3. The query engine uses the temporary credentials to read the required files from object storage and process the query.

How does the catalog control access to data files?

At query time, the catalog provides authorized query engines with the locations of the data files required to run the query and temporary credentials to access those object storage locations.
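
The query flow and the file-access control described above, modelled as an added example (not Atlan or Polaris code): a constructed in-memory catalog authenticates the engine credential on each request, checks the role's table grants, and vends a short-lived credential scoped to that table's files. All client IDs, secrets, table names, paths, function names, and the 900-second lifetime are assumptions.

```python
import secrets
import time

# Constructed sample data; every name, secret and path here is hypothetical.
CLIENT_SECRETS = {"engine-client-1": "constructed-secret"}
CLIENT_ROLES = {"engine-client-1": "lakehouse_reader"}  # OAuth client -> read-only role
ROLE_GRANTS = {"lakehouse_reader": {("atlan_meta", "assets")}}  # role -> permitted tables
TABLE_FILES = {
    ("atlan_meta", "assets"): ["s3://example-bucket/atlan_meta/assets/data-0001.parquet"],
    ("internal", "audit"): ["s3://example-bucket/internal/audit/data-0001.parquet"],
}
VENDED = {}  # temporary credential -> (permitted file set, expiry time)


class Denied(Exception):
    """Raised by the catalog or storage model when a request is refused."""


def load_table(client_id, client_secret, namespace, table, ttl=900, now=None):
    """Catalog side: authenticate and authorize each request, then vend scoped credentials."""
    now = time.time() if now is None else now
    expected = CLIENT_SECRETS.get(client_id)
    if expected is None or not secrets.compare_digest(expected, client_secret):
        raise Denied("authentication failed")
    role = CLIENT_ROLES.get(client_id)
    if (namespace, table) not in ROLE_GRANTS.get(role, set()):
        raise Denied("not authorized")  # no metadata is returned for this table
    files = list(TABLE_FILES[(namespace, table)])
    credential = secrets.token_urlsafe(16)
    VENDED[credential] = (frozenset(files), now + ttl)  # ttl is an assumed lifetime
    return {"files": files, "temp_credential": credential, "expires_at": now + ttl}


def read_object(temp_credential, path, now=None):
    """Storage side: accept only an unexpired credential scoped to the requested file."""
    now = time.time() if now is None else now
    allowed, expiry = VENDED.get(temp_credential, (frozenset(), 0.0))
    if now >= expiry or path not in allowed:
        raise Denied("storage access denied")
    return f"contents of {path}"


if __name__ == "__main__":
    meta = load_table("engine-client-1", "constructed-secret", "atlan_meta", "assets")
    print(read_object(meta["temp_credential"], meta["files"][0]))
```

The vended credential fails against any file outside the authorized table and after its expiry, which is the property to verify when reviewing a real deployment's storage access logs.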

Do existing Atlan account security policies apply?

Yes. The catalog inherits your existing account security policies. If you have configured IP allowlists for your Atlan account, those same restrictions apply to catalog access.

Setup permissions

Why is Snowflake administrator access required during setup?

Snowflake requires elevated privileges to create a catalog integration, register the external catalog, and create external Iceberg tables. This access is required during setup to bootstrap the integration and apply least-privilege roles for ongoing use.

After setup, day-to-day querying runs under restricted Snowflake roles. Lakehouse doesn't require ongoing Snowflake admin credentials.