First FGAC policy — column masking + row filtering
Author and apply your first FGAC policy combining column masking (e.g. salary visible to HR only) and row filtering (e.g. each rep sees their own region) on the same dataset.
Role + collection ceiling control access itself (Lesson 1). This lesson covers FGAC (Fine-Grained Access Control) — the layer that narrows what's visible within the same dataset differently per user.
The two problems FGAC solves
- Column masking — When a sensitive column sits inside a dataset. Example:
salaryin an HR dataset,phone_numberin a customer dataset. Visible to HR, hidden from the analyst group. - Row filtering — When the visible rows differ by user permission. Example: a sales rep sees only their own region, a store manager sees only their own store.
Both patterns keep the dataset itself as one and only differ the visible slice per user. Copying the dataset per group creates sync issues on source updates — FGAC dissolves that with one policy.
Scenario — the customer_analytics dataset
This lesson's exercise uses the customer_analytics dataset from the ecommerce workshop. Columns: customer_id, name, email, tier, region, total_spend, segment.
You'll author two policies at once.
- Column masking: Only the marketing group sees
emailin cleartext. The analyst group sees a masked @.com form. - Row filtering: Members of the sales rep group see only their own region.
Authoring the policy — in portal Settings
Go to Settings → Policies in portal and click + Add policy. A policy has two areas — target dataset + apply conditions.
Column masking policy
- Name —
customer_analytics_email_mask(snake_case) - Alias — Customer Email Mask
- Apply target — Column
emailin datasetcustomer_analytics - Apply condition — User group is not a member of the marketing group
- Masking pattern —
***@***.com(regex or pre-defined pattern)
Save and the policy is immediately active — analyst-group members opening customer_analytics preview see the email column masked.
Row filter policy
- Name —
customer_analytics_region_filter - Alias — Region row filter
- Apply target — Dataset
customer_analytics - Apply condition — User group is a member of the sales rep group
- Row filter expression —
region = ${user.region}— only rows matching the user attribute (IdP claim or portal group attribute)region
Save, and sales-rep members see only rows for their own region.
Self-check
- Log in as an analyst-group member (or use the permission simulation feature) → the
emailcolumn oncustomer_analyticsis masked. - Same attempt as a sales-rep member → rows are filtered to that rep's region only.
- Marketing-group member →
emailshows in cleartext.
Three out of three — lesson done.
What you should be able to do after this lesson
- The two FGAC patterns — column masking vs row filtering
- The two policy areas — target + condition
- The operational rule that multiple policies stack
Next lesson
After a policy goes live, the change → impact verification → staged rollout operational flow.