본문으로 건너뛰기
Admin Path

First FGAC policy — column masking + row filtering

Author and apply your first FGAC policy combining column masking (e.g. salary visible to HR only) and row filtering (e.g. each rep sees their own region) on the same dataset.

9 min

Role + collection ceiling control access itself (Lesson 1). This lesson covers FGAC (Fine-Grained Access Control) — the layer that narrows what's visible within the same dataset differently per user.

The two problems FGAC solves

  • Column masking — When a sensitive column sits inside a dataset. Example: salary in an HR dataset, phone_number in a customer dataset. Visible to HR, hidden from the analyst group.
  • Row filtering — When the visible rows differ by user permission. Example: a sales rep sees only their own region, a store manager sees only their own store.

Both patterns keep the dataset itself as one and only differ the visible slice per user. Copying the dataset per group creates sync issues on source updates — FGAC dissolves that with one policy.

Scenario — the customer_analytics dataset

This lesson's exercise uses the customer_analytics dataset from the ecommerce workshop. Columns: customer_id, name, email, tier, region, total_spend, segment.

You'll author two policies at once.

  1. Column masking: Only the marketing group sees email in cleartext. The analyst group sees a masked @.com form.
  2. Row filtering: Members of the sales rep group see only their own region.

Authoring the policy — in portal Settings

Go to Settings → Policies in portal and click + Add policy. A policy has two areas — target dataset + apply conditions.

Column masking policy

  • Namecustomer_analytics_email_mask (snake_case)
  • AliasCustomer Email Mask
  • Apply target — Column email in dataset customer_analytics
  • Apply condition — User group is not a member of the marketing group
  • Masking pattern***@***.com (regex or pre-defined pattern)

Save and the policy is immediately active — analyst-group members opening customer_analytics preview see the email column masked.

Row filter policy

  • Namecustomer_analytics_region_filter
  • AliasRegion row filter
  • Apply target — Dataset customer_analytics
  • Apply condition — User group is a member of the sales rep group
  • Row filter expressionregion = ${user.region} — only rows matching the user attribute (IdP claim or portal group attribute) region

Save, and sales-rep members see only rows for their own region.

Self-check

  • Log in as an analyst-group member (or use the permission simulation feature) → the email column on customer_analytics is masked.
  • Same attempt as a sales-rep member → rows are filtered to that rep's region only.
  • Marketing-group member → email shows in cleartext.

Three out of three — lesson done.

What you should be able to do after this lesson

  • The two FGAC patterns — column masking vs row filtering
  • The two policy areas — target + condition
  • The operational rule that multiple policies stack

Next lesson

After a policy goes live, the change → impact verification → staged rollout operational flow.