Block data access
Block users from querying or previewing data in Atlan at four levels of scope: across the whole workspace, for a single connection, for specific assets, or for every asset carrying a sensitivity tag. Pick the method whose scope matches what you want to block, and note that an explicit deny always wins over every grant.
Prerequisites
Before you begin, make sure:
- You are an admin in Atlan. All four methods require admin access.
- You have connection admin access on the relevant source, needed for connection-level and asset-level blocking.
Block data access
Pick the scope that matches what you want to block. An explicit deny always wins over every grant, including the default access of a connection admin.
Block all querying across the workspace by turning off data exploration:
- In your Atlan workspace, go to Settings → Labs. If you are using the Old UI (Classic), go to Admin → Labs instead.
- Toggle off Data Exploration. Users can still preview sample data.
Block a narrower scope:
- By connection: when setting up or editing the connection's crawler, set Allow SQL Query to No (and Allow Data Preview to No for sample data). This blocks querying and preview for that entire source.
- Some connectors need a minimum data-access level to crawl metadata, so check the connector's setup guide before removing access.
- By asset: create a persona with a data policy that explicitly denies access, then add the affected users. Use an explicit deny so it also blocks connection admins; an implicit deny (no policy) does not.
- By tag: create a purpose on the tag with a data policy that denies query access. If any column on an asset carries the tag, the whole asset is blocked, and the same rule covers previews.
Need help?
If a block isn't taking effect, the usual cause is an implicit deny instead of an explicit one: only an explicit deny stops connection admins from querying or previewing. For tag-based blocks, also confirm the asset carries the tag you targeted. Contact Atlan Support if the issue persists.
See also
- Create a persona: Build a persona with a data policy to block specific assets.
- Create a purpose: Block by tag across every asset that carries it.
- How access policies combine: Why an explicit deny wins over every grant, including connection admins.