Access Control
Access Control in Atlan covers identity and access management (SSO, SCIM, users, groups, roles), permissions (personas, purposes, connection access, visibility), and audit logs. Configure who can sign in, what they can see, and how their activity is tracked.
Access control settings
Reference for all Labs Access control toggles in Atlan Settings, covering guest requests, member reporting, asset visibility, persona switcher, sample data download, Tableau embedding, and workflow admin access.
Add and manage users
Manage the people in your Atlan workspace and what they can do: add users by email or identity provider, assign the role that sets their permissions, keep roles in sync, and offboard users when they leave.
Add team members
Add or remove users and groups from a persona in Atlan to control who inherits its access policies and view.
AI Policy
Configure AI asset access in personas: control who can view, edit, or manage AI models, model versions, applications, and governance properties.
Assign admin sub-roles
Sub-roles in Atlan let you delegate specific admin tasks to Members without giving them full Admin access. Governance Admin manages personas and policies; Workflow Admin manages workflows and apps.
Assign roles by group name
Use the User Role Sync app to automatically assign Atlan roles based on group membership, with regex matching and role hierarchy controls.
Atlan architecture
Understand the Atlan architecture: platform components, management components, and central services across AWS, Azure, and GCP deployments.
Automatically offboard users
Automatically downgrade users to the Guest role when they leave, using the offboarding app. Set up a workflow that revokes access based on group membership, with no manual edits per user.
Block data access
Block users from querying or previewing data in Atlan at different levels: workspace-wide, by connection, by specific asset, or by tag.
Business Graph Policy
Configure glossary access in personas: control who can create, update, and delete terms and categories, link terms to assets, and manage tags and custom metadata within a glossary.
Choose what to protect
Add or remove tags from a purpose in Atlan to change which assets fall within its scope and are covered by its policies.
Compliance standards and assessments
Learn about compliance standards and assessments.
Configure session timeouts
Set how long an Atlan session stays valid before it expires. Configure idle timeout, max timeout, and Remember Me settings for all users in the workspace.
Copy policy to another purpose
Copy a policy from one purpose to another in Atlan to reuse access configurations without rebuilding them from scratch.
Copy policy to another team
Copy a policy from one persona to another in Atlan to reuse access configurations without rebuilding them from scratch.
Customize catalog view
Customize the catalog view a team gets in Atlan: set the default landing page, which asset types, sidebar tabs, and discovery filters appear, and what custom metadata is visible, per persona.
Data Policy
Configure data access in personas and purposes: control who can query and preview data, and apply column-level masking such as hashing, redaction, or showing only the last four characters.
Deployment architecture
The Atlan Secure Agent is a Kubernetes-based application that runs within a customer's environment. It acts as a gateway between the single-tenant Atlan SaaS and external systems like Snowflake, Tableau, and other data sources. This document explains the Secure Agent's deployment architecture, key components, communication flows, and security considerations.
Domain Policy
Configure domain access in personas: control who can read, update, and manage data domains, subdomains, and products, including their custom metadata.
Encryption and key management
Learn about encryption and key management.
Identity & access management
How to get people into your Atlan workspace and give them the right baseline access. A small team can be managed by hand; a larger organization connects an identity provider for SSO and SCIM. Covers authentication, users, groups, and roles.
Immuta
Configure Immuta access request links on Atlan assets and request data access or masking exceptions directly from asset profiles.
Import user roles
Reference for the User Role Import app in Atlan: workflow configuration fields, supported input methods (direct upload or object storage), and the required CSV format for bulk role assignment.
Incident response plan
Learn about the incident response plan.
Infrastructure security
Learn about infrastructure security.
Install on AWS EKS
This guide provides step-by-step instructions to install the Secure Agent on an Amazon Elastic Kubernetes Service (AWS EKS) cluster.
Integrate Immuta
Configure the Immuta workflow in Atlan to enrich data assets with Immuta access request links and column masking exception requests.
Invite new users
Invite new users to your Atlan workspace by email when SSO is not enforced, or provision them through your identity provider when SSO is enforced.
Manage connection admins
Control who can administer a connection in Atlan by assigning or removing connection admins. Connection admins can edit, delete, and fully manage all assets under a connection.
Metadata Policy
Configure metadata access in personas: control who can view, edit, or restrict metadata, tags, terms, and governance properties.
Metadata Policy Helper
Configure metadata policies at scale using policy templates to automate permission assignment across assets, taxonomies, and custom metadata.
Organize teams in groups
Create groups in Atlan, add or remove users, and delete groups you no longer need to manage team access at scale.
Permissions & data access
Control what users can see and do in Atlan once they have signed in. Scope access by team with personas, by data sensitivity with purposes, by connection, or hide assets entirely. Learn which control to use and how role, persona, and purpose combine.
Personas
Personas in Atlan scope what a team sees and can do by bundling users and groups with access policies and a custom catalog view.
Protect data by tag (purpose)
Create a purpose in Atlan to scope access by asset tag. Pick one or more tags, attach policies, and protect every asset that carries those tags now and in the future.
Provision groups by user designation
Use the Designation-based group provisioning app to automatically place each new user into the right Atlan groups at first login, based on their designation.
Purposes
Purposes in Atlan scope access by asset tag so every asset marked as PII, confidential, or any sensitivity label gets the same policies applied automatically.
Query without shared credentials
Enable bring-your-own-credentials (BYOC) on a connection in Atlan so each user queries with their own data source login, and Snowflake, Redshift, Databricks, or other source permissions are enforced on every query instead of one shared account.
Requests
Request and manage changes to assets that you don't have direct edit access to.
Restrict auto user creation for SSO
Prevent Atlan from auto-provisioning an account for every user who can authenticate against your identity provider. Restrict access to only the users and groups your IdP explicitly assigns to the Atlan application.
Revoke data access
Revoke a user's query and preview access on a specific governed asset in Atlan, and optionally raise a Jira or ServiceNow ticket to revoke that user's access at the source.
Secure Agent
The Atlan Secure Agent is a lightweight, Kubernetes-based application that enables secure metadata extraction. It connects internal systems with Atlan SaaS while keeping sensitive data protected and doesn’t require inbound connectivity. Running within an organization’s controlled environment, the Secure Agent ensures compliance with security policies and automates metadata processing.
Security
Frequently asked questions about security controls and access protections for Lakehouse.
Security monitoring
Learn about security monitoring.
Set up authentication
Set up authentication for Atlan: configure SSO with Okta, Azure AD, Google, JumpCloud, OneLogin, SAML 2.0, or PingFederate; automate the user lifecycle with SCIM; and set sign-in rules for new users.
Set up on-premises Databricks lineage extraction
The Docker-based databricks-extractor offline tool has been sunset. For on-premises or network-restricted Databricks lineage extraction, use Self-Deployed Runtime, Secure Agent, or direct connectivity via private link.
Set up team access (persona)
Create a persona in Atlan to scope what a team sees and can do: define access policies, add members, and set the UI experience for a team or function.
Sync groups from your identity provider
Map identity provider groups to Atlan groups so each user's group membership updates automatically on every sign-in, without manual edits in Atlan.
Sync roles from your identity provider
Sync Atlan roles from OIDC or SAML claims so each user's role updates automatically on every sign-in, without manual edits.
Troubleshooting IdP group sync
Fix the most common IdP group sync problems in Atlan, including groups not syncing, wrong members, and stale memberships after an IdP change.
Troubleshooting Salesforce connectivity
Learn about troubleshooting Salesforce connectivity.
Troubleshooting ServiceNow
Why is the security_admin role required to complete the ServiceNow integration?
Understanding lock icons
The lock icon in Atlan indicates when users have limited access to an asset. This page explains what the icon means and how roles, connection admins, and access policies affect it.
View event logs
View and filter events received from connectors in Atlan to track lineage and observability data. Event logs are stored for 7 days.
View query logs
Track all queries run in Atlan from the query editor, API, and sample data previews. Includes run status, user, connection, and timing. Query logs are retained for the lifetime of your Atlan instance.
What are groups?
Groups in Atlan bundle users together so you can assign personas, purposes, and roles to a whole team at once instead of editing individuals one by one.
What are tags?
Tags in Atlan classify data assets — use them to identify sensitive data (PII, confidential), group assets by domain, and drive granular access control through purposes.
What does Atlan import from Immuta?
Learn what Atlan enriches from Immuta and how it surfaces on asset profiles.