Datazone’s policy system provides flexible, fine-grained access control through role-based permissions. Policies define what actions users can perform on resources, supporting both flat and hierarchical resource patterns with explicit allow/deny rules.
Key Features
Role-based : Policies are bound to roles, not individual usersHierarchical : Support for project-scoped resources (e.g., project:<id>:dataset:*)Explicit deny : Deny statements override allow statementsExtra constraints : Resource-specific restrictions (row-level security, column filtering, path prefixes)Wildcard support : Use * for flexible matching across resources and actionsBranch-aware : Optional branch specification for version control
Policy Structure Each policy consists of one or more statements that define access rules:
{ "resource" : "<string>" , "branch" : "<string | null>" , "actions" : [ "<string>" ], "effect" : "allow" | "deny" , "extra_constraints" : { "<string>" : "<value>" } }
Fields Field Type Description resourcestring Resource pattern (supports wildcards and hierarchical patterns) branchstring | null Optional branch name (defaults to main) actionsarray List of actions in <resource>:<action> format effectenum Either "allow" or "deny" extra_constraintsobject Resource-specific constraints (optional)
Resource Patterns Resources follow a hierarchical pattern that supports various levels of specificity:
Flat Resources Pattern Scope Description *All All resources in the organization datasetType Dataset type (for creation permission) dataset:*All instances All dataset instances dataset:<id>Specific A specific dataset by ID
Hierarchical Resources Hierarchical patterns enable project-scoped permissions:
Pattern Scope Description project:<id>:*All children All entities within the project project:<id>:dataset:*Typed children All datasets within the project project:<id>:dataset:<id>Specific child Specific dataset within the project
Supported Resource Types
dataset - Data tables in the lakehouseproject - Project containersview - Virtual views over datasetsschedule - Automated execution schedulesextract - Data ingestion jobscompute - Compute resourcesapi_key - API authentication keysuser - User accountsrole - User rolesnotebook - Interactive analysis notebookspipeline - Data transformation pipelinesendpoint - REST API endpointsintelligent_app - Dashboard applicationsvariable - Environment variables
Actions Actions follow the <resource>:<action> format and define what operations can be performed:
Action Patterns
dataset:read - Read access to datasetsdataset:write - Modify datasetsdataset:delete - Delete datasetsdataset:execute - Execute operations on datasetsdataset:manage - Full management accessdataset:create - Create new datasetsdataset:* - All dataset actions*:read - Read access to all resources*:* - All actions on all resources
Common Actions Action Description <resource>:readView the resource <resource>:writeModify the resource <resource>:deleteDelete the resource <resource>:createCreate new instances <resource>:executeExecute operations <resource>:manageFull control (includes all above) <resource>:*All actions for that resource
Exceptional Actions
project:read_repository - Read access to project code repositoryendpoint:invoke - Permission to call an API endpoint
Row-Level and Column-Level Security Datazone supports fine-grained data access control through row-level and column-level restrictions using the extra_constraints field. This enables you to restrict what data users can see within a dataset or view, beyond just granting or denying access to the entire resource.
For datasets and views, you can specify columnar constraints:
{ "resource" : "dataset:<object_id>" , "actions" : [ "dataset:read" ], "effect" : "allow" , "extra_constraints" : { "row_level_restrictions" : [ "<SQL condition>" ], "column_level_restrictions" : [ "<column_name>" ] } }
Fields Field Type Description row_level_restrictionsarray of strings SQL WHERE conditions to filter rows - only matching rows are accessible (e.g., ["region = 'US'", "status = 'active'"]) column_level_restrictionsarray of strings Column names to allow - only these columns are accessible (e.g., ["id", "name", "email"])
Row-Level Restrictions Row-level restrictions apply SQL conditions to filter which rows a user can access:
{ "resource" : "dataset:507f1f77bcf86cd799439011" , "actions" : [ "dataset:read" ], "effect" : "allow" , "extra_constraints" : { "row_level_restrictions" : [ "country = 'USA'" , "department = 'Sales'" ] } }
When a user queries this dataset, these conditions are automatically appended to the WHERE clause:
SELECT * FROM dataset WHERE (country = 'USA' ) AND (department = 'Sales' )
Column-Level Restrictions Column-level restrictions specify which columns users can access (allowlist):
{ "resource" : "view:507f1f77bcf86cd799439012" , "actions" : [ "view:read" ], "effect" : "allow" , "extra_constraints" : { "column_level_restrictions" : [ "id" , "name" , "email" , "department" ] } }
Only the specified columns will be accessible in query results. All other columns will be filtered out automatically.
Combined Restrictions You can use both row and column restrictions together:
{ "resource" : "dataset:507f1f77bcf86cd799439011" , "actions" : [ "dataset:read" ], "effect" : "allow" , "extra_constraints" : { "row_level_restrictions" : [ "region = 'EMEA'" ], "column_level_restrictions" : [ "id" , "name" , "region" , "department" ] } }
Important Restrictions for Row/Column-Level Security: When using extra_constraints with row_level_restrictions or column_level_restrictions:
Must target a specific resource : Use dataset:<object_id> or view:<object_id>, not wildcards like dataset:*Read-only actions : Only dataset:read or view:read actions are allowedSingle action : Statement must contain exactly one actionSingle resource : Statement must target exactly one dataset or view Invalid examples:
❌ "resource": "dataset:*" (wildcard not allowed)
❌ "actions": ["dataset:read", "dataset:write"] (multiple actions)
❌ "actions": ["dataset:*"] (wildcard action not allowed)
❌ "actions": ["dataset:write"] (write action not allowed)
Valid example:
✅ "resource": "dataset:507f1f77bcf86cd799439011" with "actions": ["dataset:read"]
Policy Examples Read-Only Access Grant read access to all resources:
{ "name" : "Read-Only Policy" , "statements" : [ { "resource" : "*" , "actions" : [ "*:read" ], "effect" : "allow" } ] }
Dataset Admin Full control over all datasets:
{ "name" : "Dataset Admin" , "statements" : [ { "resource" : "dataset" , "actions" : [ "dataset:create" ], "effect" : "allow" }, { "resource" : "dataset:*" , "actions" : [ "dataset:*" ], "effect" : "allow" } ] }
Project Admin Full control over a specific project and all its resources:
{ "name" : "Project Admin" , "statements" : [ { "resource" : "project:66be5fc75158d037e9970c6d" , "actions" : [ "project:*" ], "effect" : "allow" }, { "resource" : "project:66be5fc75158d037e9970c6d:*" , "actions" : [ "*:*" ], "effect" : "allow" } ] }
This allows the user to:
Manage the project itself (project:*)
Create and manage all child resources (datasets, notebooks, pipelines, etc.)
Restricted Access with Deny Allow read access to all datasets except one specific dataset:
{ "name" : "Restricted Read" , "statements" : [ { "resource" : "dataset:*" , "actions" : [ "dataset:read" ], "effect" : "allow" }, { "resource" : "dataset:507f1f77bcf86cd799439011" , "actions" : [ "dataset:read" ], "effect" : "deny" } ] }
Deny statements always override allow statements, regardless of order.
Project-Scoped Dataset Access Grant access to datasets within a specific project only:
{ "name" : "Project Dataset Access" , "statements" : [ { "resource" : "project:66be5fc75158d037e9970c6d:dataset:*" , "actions" : [ "dataset:read" , "dataset:write" ], "effect" : "allow" } ] }
Data Analyst Role Typical permissions for a data analyst:
{ "name" : "Data Analyst" , "statements" : [ { "resource" : "dataset:*" , "actions" : [ "dataset:read" ], "effect" : "allow" }, { "resource" : "notebook" , "actions" : [ "notebook:create" ], "effect" : "allow" }, { "resource" : "notebook:*" , "actions" : [ "notebook:*" ], "effect" : "allow" }, { "resource" : "view:*" , "actions" : [ "view:read" ], "effect" : "allow" } ] }
Built-in Policies Datazone provides several built-in policies for common use cases:
Admin Policy Full access to all resources:
{ "resource" : "*" , "actions" : [ "*:*" ], "effect" : "allow" }
Best Practices Policy Design
Start restrictive : Begin with minimal permissions and add as neededUse hierarchical patterns : Organize permissions by project for better managementLeverage deny sparingly : Use deny for exceptions to broad allow rulesDocument policies : Add clear descriptions to explain policy intent
Role Assignment
Bind to roles only : Policies are assigned to roles, not individual usersCreate role hierarchies : Use multiple roles for different permission levels (Viewer, Editor, Admin)Audit regularly : Review policy assignments periodically
Cache aware : Policies are cached; changes may take a few seconds to propagateGranular resources : Use specific resource IDs when possible to reduce evaluation complexityMinimize deny statements : They require checking all policies
Security
Principle of least privilege : Grant only necessary permissionsExplicit denies : Use deny statements to override broad allows for sensitive resourcesExtra constraints : Apply row-level and column-level security for sensitive dataPath restrictions : Use path_prefix constraints to sandbox project access
Validation Rules Policies are validated automatically to ensure correctness:
Must follow <resource>:<action> pattern
Both parts must be lowercase with underscores
Wildcards allowed: *:*, dataset:*, *:read
Valid:
dataset:readproject:**:*
Invalid:
dataset (missing action)Dataset:Read (uppercase)read (missing resource)
Resource Pattern
Must be valid resource type or wildcard
ObjectIds must be valid MongoDB ObjectIds
Hierarchical patterns must follow parent:<id>:child format
Valid:
dataset:*project:507f1f77bcf86cd799439011project:507f1f77bcf86cd799439011:dataset:*
Invalid:
dataset:invalid-idproject::dataset:*
Action-Resource Matching Actions must match the resource type they’re applied to:
{ "resource" : "dataset:*" , "actions" : [ "dataset:read" ], // ✓ Valid "effect" : "allow" }
{ "resource" : "dataset:*" , "actions" : [ "project:read" ], // ✗ Invalid - mismatched types "effect" : "allow" }
Exception: Wildcard actions (*:*) can be used on any resource.
Troubleshooting Permission Denied Errors If you encounter permission denied errors:
Check user roles : Verify the user has the appropriate role assignedReview policy statements : Ensure the policy includes the required action and resourceLook for deny statements : Check if an explicit deny is overriding an allowVerify resource IDs : Ensure you’re using the correct resource identifierCheck cache : Wait a few seconds for policy changes to propagate
Hierarchical Permissions Not Working If project-scoped permissions aren’t working:
Verify pattern format : Use project:<id>:* not project:*:<id>Check parent context : Ensure the resource creation includes project referenceReview cache : Hierarchical relationships are cached; wait 5 minutes or invalidate cacheValidate ObjectIds : All IDs must be valid MongoDB ObjectIds
If policy evaluation is slow:
Reduce policy complexity : Simplify nested hierarchiesUse specific resources : Prefer dataset:<id> over broad wildcards when possibleMonitor cache health : Ensure Redis is functioning properlyCheck database queries : Hierarchical policies should use cache, not database
Roles Learn about role management and user assignment
Authentication Understand authentication and token management
API Keys Generate and manage API keys for programmatic access
Projects Organize resources within projects
