Data policy

||Connect docs via MCP

Configure data access in personas and purposes: control who can query and preview the data in assets, and apply column-level masking to hide sensitive values in Atlan. Data policies govern the actual querying and retrieval of data, separate from metadata policies, which govern an asset's metadata.

Use data policies to control:

• Querying and previewing: who can run queries against an asset and preview its sample data
• Column-level masking: how sensitive values are displayed to users who can see the asset but should not see the raw data
• Deny rules: explicit restrictions that override grants from other policies

Data policies don't govern metadata access (use metadata policies), Connection Admin privileges (which grant automatic access to all assets within a connection), or bootstrap permissions (the role-based baseline that applies outside of personas).

Access

Data policies aren't enabled by default. To use them, you must be an admin, or hold the Governance Admin sub-role, with permissions to define personas and governance settings.

You can access this in Governance → Access Control → Personas (or Purposes), then open a persona or purpose, go to the Policies tab, and click New Policy → Data Policy. Once saved, the policy applies to all users and groups linked to that persona or purpose.

Name

Specifies a unique name to identify the data policy in Atlan. This name must briefly describe the purpose or scope of the policy.

Example:

Marketing-data-policy

Select connection

Choose the Atlan connection on which this policy is applied. All assets within the selected connection are included by default unless you narrow them down with an asset selector.

Example:

Snowflake / analytics-prod

Asset scope

Defines which assets the data policy applies to. By default, the scope includes all assets in the selected connection, but you can narrow this to specific databases, schemas, or individual assets.

All assets

Applies the policy to every asset in the selected connection. Use this when the policy must apply broadly without restricting to specific assets.

Example:

All assets in Snowflake / analytics-prod

Add via browse

Manually select the assets you want to include, using search or by browsing the connection hierarchy. Use this when the policy should apply to specific databases, schemas, tables, or columns rather than the whole connection.

Configure permissions

Define what users in the persona or purpose can do with the data in the scoped assets.

Querying

Controls whether users can run queries against the asset and preview its sample data.

• Query: run queries against the asset's data in Insights.
• Preview: view sample data on the asset profile.

Column-level masking

For users who can see the asset but should not see raw values, choose how a column's data is displayed:

• Show first 4: replaces all data except the first four characters. For example, 1234 5678 9012 3456 becomes 1234XXXX.
• Show last 4: replaces all data except the last four characters. For example, 1234 5678 9012 3456 becomes XXXX3456.
• Hash: replaces the value with a consistent hash. Because the hash is consistent, you can still join on it across assets. For example, 1234 5678 9012 3456 becomes f43jknscakc12nk21ak.
• Nullify: replaces the value with null. For example, 1234 5678 9012 3456 becomes null.
• Redact: replaces alphabetic characters with x and numeric characters with 0. For example, 1234 Street Name becomes 0000 Xxxxxx Xxxx.

Deny selected permissions

Explicitly restricts querying or previewing, even when granted through another policy. Deny rules take precedence and override grants from other data or metadata policies, including grants from the Admin role and Connection Admin status. An explicit deny is a hard ceiling that no role or approval can override.

See also

• Metadata policy: Govern access to an asset's metadata.
• Create a purpose: Apply data policies, including masking, by asset tag.
• Revoke data access: Remove a user's ability to query an asset.