Balance Data Access and Security
Learning Objectives
After completing this unit, you’ll be able to:
- Describe the purpose of data access control and data access policies.
- List the capabilities of data access management in Cloud Data Governance and Catalog.
Navigate the Duo of Metadata Control and Data Security
In the era of data-driven decision-making, the greatest challenge for any organization is balancing accessibility with security. Within Informatica Cloud Data Governance and Catalog (CDGC), this balance is struck through two distinct yet complementary disciplines: data access control and data access management. While they sound similar, they represent a vital shift from merely managing who can discover information about your data to enforcing who can actually manage the data itself. They govern two completely different things: metadata versus data.
Metadata Versus Data
Review the difference between controlling information about the data and managing the raw data itself.
- Data access control (the metadata): This happens in the Metadata Command Center (MCC) and manages catalog visibility. It ensures that when users like Maria log in, they only discover the assets they’re authorized to know about.
- Data access management (the raw data): This protects the actual data values—such as columns for salary information or tax identification number—sitting in Alpine Group’s cloud data warehouse.
Control Visibility in the Command Center
Metadata Command Center is the behind-the-scenes control room where Mateo manages visibility. It prevents the catalog from becoming a cluttered mess of irrelevant or sensitive data for the average user. It uses policy-based access control, where Mateo defines who can access what under specific conditions.
To make this efficient, Mateo uses asset groups. Asset groups are logical buckets that let you bundle different pieces of data together. Instead of setting security rules for thousands of individual tables one by one (which would take forever), Mateo groups them by something they have in common, like Finance Data or Private Customer Info. Once he creates a group, he only has to write one security rule to cover everything inside it. It’s a huge timesaver that ensures the right people have access to the right data across your entire catalog.
What’s policy-based access control? Instead of giving permissions person-by-person, policy-based access control relies on three things.
- The person (who): For example, anyone in the Marketing Team
- The group (what): For example, the Public Campaign Data asset group
- The action (can they?): For example, Can Read or Can Write
For example, if a user is in the HR department, then they can view the Employee Records group. If they are not in HR, that table is hidden.
By using policies, you don’t have to worry when a new person joins the company. You just add them to the HR Department role, and the policies automatically give them the right keys to the right sections.
Manage the Raw Data
Data access management (DAM) is a specialized module within CDGC. It considers the metadata to protect the raw values residing in your cloud data warehouse such as Snowflake, Databricks, and so on. It protects the actual data values, such as salary information and tax identification numbers.
The DAM page allows you to create automated rules to protect and control how your organization uses data. By building these policies, you ensure that data is handled efficiently and safely across different platforms, such as data integration pipelines, self-service marketplaces, or directly within cloud databases.
How Data Is Protected
Policies protect information by controlling who can view it and using de-identification (masking) to hide sensitive details without making the data useless. Mateo can create three main types of policies.
- Data de-identification policies: These mask specific sensitive elements (such as names or ID numbers) based on the requirement.
- Data filter policies: These limit access to specific rows of data within a set.
- Data access control policies: These grant specific groups read, write, or delete permissions. These are “pushed down” directly into cloud platforms such as Snowflake, Databricks, or Amazon Redshift for instant enforcement.
Balance Privacy and Utility
The goal is to keep data useful while protecting privacy. Instead of applying the same strict mask to everything, you use rules. Rules are the building blocks of policies. They review the context (who is asking for the data and why) to decide which protection technique to use. For example, a researcher might see blurred dates, while a manager sees exact ones.
Where Policies Are Enforced
Depending on your setup, these protections are triggered in three main areas.
- Data integration: When developers build data pipelines, they can include an access policy step that automatically masks or filters data as it moves.
- Data marketplace: When users shop for data, the system checks the order details and applies the relevant filters and masking before the user receives the collection.
- Cloud platforms: For direct database queries, data access management sends the rules straight to the source system, such as Microsoft Fabric or Redshift, to ensure the data is protected at the root level.
Congratulations! By using CDGC, Alpine Group transformed its massive data junk drawer into a secure, high-speed goldmine. Maria can now launch her marketing campaigns with total confidence in her metrics, while Mateo rests easy knowing sensitive information is protected.
You’re now familiar with the core functionalities of CDGC. You use this knowledge to further build your foundation on governance and data protection.