Tags
Tag-Based Access Control (TBAC) in Amorphic is a feature that helps users to efficiently share and manage data catalog resources at scale. TBAC co-exists with existing Role-Based Access Control (RBAC), however users have to select at the time of resource creation which access control mechanism they prefer.
Amorphic TBAC provides the following capabilities:
- By associating Tags with users, administrators can grant users access to specific data catalog resources that match their assigned tags. This provides a dynamic and scalable access control mechanism.
- For S3 datasets, users can assign tags to individual files, thus enabling granular access control within the same dataset.
- Currently TBAC is supported for only S3 and LakeFormation datasets.
- Adding existing non-TBAC datasets to tags is not supported; users should create a new dataset with tags.
What is a Tag?
In Amorphic, each tag is a resource which consists of a Tag Name and up to 5 Tag Values. Each unique combination of Tag Name and Tag Value can then be attached to multiple data catalog resources as well as users within Amorphic. An access type: owner or read-only must be specified when tagging a resource.
Example
Suppose you have the following Tag Name and Tag Value combinations:
Tag Name: department
Tag Values: sales, finance, legal
These combinations can be attached to various resources and users in the system. For instance:
Tagging a dataset with department: sales and access type as owner associates it with the sales department.
Assigning the same tag to a user grants them access to all read-only & owner datasets tagged with department: sales.
Each resource can have a maximum of 5 unique combinations of Tag Name & Tag Value attached to it.
Amorphic TBAC Tag contains the following information:
Tag Metadata Information
| Type | Description |
|---|---|
| Tag Name | The unique name identifying the tag. Can be a maximum of 24 characters. Allowed characters are lowercase letters, numbers and + - . _ |
| Tag Values | The list of values associated with the tag. Up to 5 values per tag. Each tag value can be a maximum of 24 characters and allowed characters are lowercase letters, numbers and + - . _ |
| Tag Description | A brief explanation of the tag's purpose. |
| Users Attached | The list of users who have access to the tag. |
| Resources Attached | The list of resources attached to the tag. |
| CreatedBy | The user who created the tag. |
| LastModifiedBy | The user who last updated the tag. |
Tag Operations
Along with Amorphic TBAC, you can perform basic CRUD operations (shown in the below table) on a tag if you have sufficient permissions.
| Functionality | Description |
|---|---|
| Create Tag | Create a Tag by specifying Name & Value(s) |
| View Tag | View existing Tag Metadata Information |
| Update Tag | Update values or description of a Tag |
| Delete Tag | Delete an existing Tag |
| Update Users Attached | Grant users access to a particular Tag Name: Tag Value combination |
| Update Resources Attached | Update resources attached to a particular Tag Name: Tag Value combination |
Removing an existing Tag Value during Tag Updation as well as deletion of an existing Tag is not allowed if any resources are attached to that Tag Value or Tag respectively. Use the Update Resources Attached functionality to remove all resources first before proceeding with the Tag update or delete.
How to create a Tag?
To create a new tag in Amorphic, follow these steps:
- Go to the
Managementmenu and selectTags. - Click on the
Create Tagbutton. - Fill in the information required, such as Tag Name & Tag Value(s)
- Click on
Createto create the new Tag.
How to update users attached to a Tag?
- Under Values Tab, click on
Actionfor the corresponding Tag Value - Click on the
Update Users Attachedbutton. - Add or remove users as desired using the dropdown list.
- Click on
Update.
How to update resources attached to a Tag?
- Under Values Tab, click on
Actionfor the corresponding Tag Value - Click on the
Update Resources Attachedbutton. - Add or remove datasets to owner or read-only access fields as desired.
- Click on
Update.
This is as asynchronous process and user will receive an email once the tag updation is complete.
When updating users or resources attached with a tag:
- All users must have domain access for all datasets attached to the tag.
- If a dataset has only 1 tag with owner access attached to it, it cannot be removed.