Query without shared credentials
By default, Atlan runs every query through one shared connection credential, so all users inherit the same data source access. With bring-your-own-credentials (BYOC), each user signs in with their own data source login instead (their individual username and password, or a key pair), and Atlan enforces that user's own permissions in Snowflake, Redshift, Databricks, or any supported source on every query and preview. Enable BYOC when source-side access controls, row and column security, or per-user audit trails should carry through to Atlan rather than a single shared service account.
BYOC with basic credentials (a username and password, or a key pair) is available on Amazon Athena, Amazon Redshift, Databricks, MySQL, PostgreSQL, Presto, Snowflake, and Trino. To use SSO or OAuth tokens instead, see Authenticate to query data.
This is the admin-side setup, done once per connection. For the steps each user follows afterward to enter their own login, see Provide credentials to query data.
Prerequisites
Before you begin, make sure:
- You are a connection admin for the connection you want to configure. See Manage connection admins.
Enable BYOC on connections
-
In your Atlan workspace, open the asset browser and filter by Connection to find the connection you want to configure.
If you are using the Old UI (Classic), from the left menu, click Assets, then filter by Connection.
-
Click the connection to open its profile.
-
In the right sidebar, next to Connection settings, click Edit.
-
In the Connection settings dialog, set the authentication type:
- Under Query permissions, set Authentication type to Basic credentials to require each user's own credentials for querying.
- Under Display sample data, set Source preview to Basic credentials to require each user's own credentials for sample data previews.
-
(Optional) Enable Apply data policies created at source to sync the source system's access controls into Atlan. When enabled, any existing Atlan data policies on this connection are deactivated, and new ones cannot be created.
-
Click Update to save.
Each user who connects to this source in Insights is now prompted to enter their own credentials before they can query or preview data.
Need help?
If users still query with the shared credential after you enable BYOC, confirm the connection settings saved, that Authentication type shows Basic credentials, and that users are opening the same connection you changed. If a user cannot authenticate, have them re-enter their credentials from their profile and confirm their source account is active. Contact Atlan Support if the issue persists.
See also
- Provide credentials to query data: The user-side guide for entering credentials once BYOC is enabled.
- Authenticate to query data: Use SSO or OAuth credentials instead of basic authentication.
- Manage connection admins: Manage who can administer a connection.