Only users who have 'ALL' access at the 'CATALOG' scope have access to the Tags page. These users are also able to assign tags to datasets and columns and may create attribute-based access policies using tags. They may grant assigning capabilities to other roles via the Workspace page.
The Tags page allows data administrators to create new tags associated with a namespace, view existing tags, and delete tags. Tags allow you to assign attributes to datasets and columns based on the data they contain, e.g. you may want to tag a dataset containing sales data as 'Sales'. This enables the creation of access policies based on tags. Tagging datasets and columns based on the data they contain will also allow you to provide additional detail about content without having to rely on additional documentation.
Creating a tag¶
To create a new tag, select an existing namespace or create a new one. A namespace acts as a category for grouping similar tags. For example, tags associated with security might be grouped under a namespace called 'Security'.
Once you have specified a namespace, write the name of your new tag in the Tag field and click 'Add'. The new tag will appear in your list of existing tags under the namespace provided.
Deleting a tag¶
To delete an existing tag, hover over the tag you would like to delete and click the 'X' that appears.
Select 'delete tag' if you would like to permanently delete a tag.
Deleting a tag will permanently delete all instances of this tag from your data and will void any policies on this tag.
Deleting tags can affect data security and discoverability.
Creating attribute-based access policies using tags¶
Creating access policies with tags will enable you to grant access based on attributes (e.g. limiting access to data based on its sensitivity level).
You may create attribute-based access policies on the Workspace page. For example:
GRANT SELECT ON TABLE okera_sample.sample HAVING ATTRIBUTE IN (security.high, security.medium) TO ROLE sales_analyst;
You may also remove the key word "IN" and the parentheses and use 'AND' in order to grant more than one tag access policy at a time.
You may also revoke attribute-based access policies on the Workspace page. For example:
REVOKE SELECT ON TABLE okera_sample.sample HAVING ATTRIBUTE security.high AND security.medium FROM ROLE sales_analyst;
Assigning a tag¶
Assigning tags will enable you to clearly indicate the type of data that a dataset or column contains.
Admin users will be able to assign tags by default. To do this, go to the Datasets page and find a dataset or column to tag. To assign tags to a dataset, click on the edit icon next to 'Tags' in the Dataset Details view.
A modal will display a list of tags. Select the checkbox next to a tag to assign it. You may also uncheck a checkbox to remove that tag from the dataset. Click 'Save' when you have finished assigning tags. Tags assigned to a dataset will display on the Dataset Summary Card, as well as in the Dataset Details view.
To assign a tag to a column, open the Dataset Details view and go to the Schema. Under the Tags column, click 'Click to Add' or the edit icon.
Tags cannot be assigned to partitioned columns or to nested fields of complex types.
A modal will display a list of tags. Select the checkbox next to a tag to assign it. You may also uncheck a checkbox to remove that tag from the column. Click 'Save when you have finished assigning tags. Tags assigned to columns will display in the Dataset Details view, but not on the Dataset Summary Card.
Admin users may give other roles the ability to assign tags. You may do this by running commands in the Workspace page.
In order to grant a role the ability to assign a tag, you must grant both add and remove. For example:
GRANT ADD_ATTRIBUTE ON TABLE okera_sample.sample TO ROLE okera_public_role; GRANT REMOVE_ATTRIBUTE ON TABLE okera_sample.sample TO ROLE okera_public_role;
In order to revoke the ability to assign tags, you may revoke either add or remove.
REVOKE ADD_ATTRIBUTE ON TABLE okera_sample.sample FROM ROLE okera_public_role; REVOKE REMOVE_ATTRIBUTE ON TABLE okera_sample.sample FROM ROLE okera_public_role;