Protect data by tag (purpose)
Create a purpose to scope access by asset tag: useful for protecting PII, confidential financial data, or any sensitivity-tagged asset. You pick one or more tags, and Atlan treats every asset carrying any of those tags as part of the purpose. Attach metadata and data policies to control who can see, query, or modify those assets: including any future assets that get the tag.
Prerequisites
Before you create a purpose, make sure:
- You are an admin in Atlan, or you have the Governance Admin sub-role.
- The tags you want to associate with the purpose already exist. A purpose needs at least one tag: if yours doesn't exist yet, create it first.
- You know which users or groups the purpose's policies will govern, and what permissions you want to grant or deny.
Create purpose
-
In your Atlan workspace, click Settings from the left menu.
If you are using the Old UI (Classic), from the left menu, click Admin.
-
Click Purpose to open the purposes list.
-
Click the Get started button (if this is your first purpose) or the New Purpose button in the top right (if you already have purposes).
-
Enter a meaningful name for the purpose, and optionally a description.
-
In the lower-left corner of the dialog, click Select tag. Select one or more tags from the list: every asset carrying any of these tags becomes part of the purpose's scope. Click anywhere outside the list to close it.
-
Click Create to save. You now have a purpose linked to the selected tags. It doesn't restrict access yet: you'll add policies in the next section. Users can already use the purpose to browse all tagged assets as a virtual collection.
Add policies
A purpose without policies acts only as a virtual collection driven by tags. To actually grant or restrict access, attach one or more policies. Repeat the steps for each set of users and permissions you want to control.
-
Inside the purpose, switch to the Policies tab.
-
Click New Policy and choose the type that fits what you want to control:
- Metadata policy: grants or restricts permissions to change metadata on the tagged assets.
- Data policy: grants or restricts permissions to query and preview data on the tagged assets.
Add metadata policy
-
Choose Metadata policy.
-
Under Name, briefly describe the policy's intention: for example, Block edits on PII columns.
-
(Optional) Under Users and Groups, choose the users to whom the policy applies. By default, the policy applies to all users.
- Click the x in the Users and Groups box, then click the Add link.
- Search for and select the users and groups, then click anywhere in the Metadata policy sidebar to close the picker.
-
(Optional) Under Configure permissions, click Edit to choose which permissions the policy grants. By default, all permissions are granted. Hover over each checkbox to see what it controls.
-
(Optional) Under Deny selected permissions, choose whether the policy should explicitly deny these permissions instead of granting them.
Deny overrides every grantIf enabled, this deny overrides grants from any other policy for the same users: across every purpose AND persona they belong to.
-
Click Save.
Add data policy
-
Choose Data policy.
-
Under Name, briefly describe the policy's intention: for example, Deny query on Confidential: Finance.
-
(Optional) Under Users and Groups, choose the users to whom the policy applies. By default, the policy applies to all users. (Same Add / Search flow as the metadata policy.)
-
(Optional) Under Querying Permissions, choose whether the policy should explicitly deny the ability to query and preview data on the tagged assets.
Deny cascades to the whole tableA deny on data policies blocks query and preview at the table level. If even one column in a table carries the tag, querying or previewing the entire table is denied for users covered by this policy.
-
(Optional) Under Masking (Optional), select a masking type to apply instead of a full deny: Atlan replaces the value of tagged columns with a masked output when the user queries or previews. Hover over each masking type to see a description and example.
-
Click Save.
Add rich documentation (optional)
Document the purpose so other admins know why it exists and who owns it. Inside the purpose:
- Under Summary → Channels, add any Slack channels relevant to the purpose.
- Under Resources, add links to external resources: PDFs, repositories, Notion, Confluence, Google Drive, anything with a URL.
- Under Readme, write a richly-formatted description.
Set preferences (optional)
Tailor the UI for users when they're browsing through the purpose: visible asset types, sidebar tabs, asset filters, and custom metadata.
-
Switch to the Preferences tab.
-
Adjust each category in the left menu:
- Asset types: uncheck asset types to hide them.
- Asset sidebar: uncheck sidebar tabs to hide them.
- Asset filters: uncheck filters to remove them from the discovery filters menu.
- Custom metadata: uncheck custom metadata structures to hide them.
Need help?
If a purpose's policies aren't taking effect, check whether the assets actually carry the right tags and whether any other purpose or persona has a deny rule that wins over the grants. Contact Atlan Support if the issue persists.
Next steps
Now that the purpose exists, define its scope and reuse its policies:
- Choose what to protect: Add or remove the tags that decide which assets the purpose covers.
- Copy a policy to another purpose: Reuse an existing policy without rebuilding it.