How to determine permissions

This table shows the level of access that is required to view or perform actions on Data Lake data:
Action Access control Data security level Additional information
Extracting and validating data
View data in Data Lake Data Lake > Atlas Object or property access
View a raw data object Data Lake > Atlas Object access
Download a data object Data Lake > Atlas > Download Object access
View your Purge logs Data Lake > Purge Not applicable Users can view purge logs only for data objects that they have purged.
View all Purge logs Data Lake > Purge > View all Purge Logs Not applicable This access control applies only if data security is enabled for the tenant. If disabled, any user with access to the Purge page can view all purge logs.
View data reconciliations Data Lake > Data Ledger Object or property access
Data Lake Retrieval APIs Not applicable Object or property access To retrieve a raw data object from Data Lake, object access is required.
Data Lake Stats APIs Not applicable Object or property access Security is applied only to the /topObjects API.
Querying data
Query data in Data Lake Data Lake > Compass
Note: If Lakehouse is enabled in your tenant, you must have the Query Data Lake permission granted.
Object or property access With object access, you can query all data inside an object, including new properties that are added during the schema update.

With property access, you can query only the properties to which you are entitled. For example, the SELECT * statement on a table with the set property access grants you access only to permitted columns.

No specific permissions are required to query archived data.

Object access is required to run stored procedures on an object.

Table and column functions, hints, and other queries produce results only if you have object or property access.
Compass user interface (UI) Data Lake > Compass Object or property access Security access permissions determine the list of objects and properties, and auto-complete and context menu options.
Compass API and JDBC Data Lake > Compass
Note: Applicable only when data security is enabled for the tenant.
 Object or property access Data security is enforced for v1 and v2 APIs and for the JDBC driver.

Object and property access is identical as for the Query data in Data Lake action.
Compass views: user interface, API, JDBC
Create views Data Lake > Compass > Manage views
Note: Applicable only when data security is enabled.
 Object or property access You must have access to objects and properties that are used within the view.

The result of running the SELECT * in the CREATE VIEW statement shows in the final view only the properties to which you are entitled.

After you created a view, appropriate permissions to the view must be set on the Security page to use the view in a SELECT query. If you have access to the Security page, a link to it is displayed in the message that confirms the creation of the view.
Alter views Data Lake > Compass > Manage views Object or property access To alter a view, you must have these access levels granted:
  • Object access to the view
  • Access to objects and properties that are used within the view
Drop views Data Lake > Compass > Manage views Object access To drop a view, you must have object access to the view.
Managing data
Mark data as corrupt Data Lake > Atlas > Mark corrupt Object access
Purge data To purge from Atlas, select Data Lake > Atlas > Purge data. To purge from the Purge page, select Data Lake > Purge > Purge by ID or Data Lake > Purge > Purge by filter. Object access To purge data by ID or filter, or both, use the Purge page.
Data Lake Management APIs Not applicable Object access
Compass Mode Configuration Data Lake > Compass > Mode Configuration Object or property access

With this access, you can view which Compass mode is used when you query each object.

Although you can view all objects to which you have access, you can change the mode configuration only for objects to which you have object access.