Column-Level Security (Beta)
This feature is currently in Beta and subject to quick, iterative changes. As a result, the latest product version may differ from the content of this document. To request enablement of the feature, contact your Sigma Account Executive or submit a request to Support.
This document explains how to use User Attributes to enforce Column-Level Security.
Summary of Content
Configure Column-Level Security
Set User Attributes in Dataset
Requirements
- You must be an organization Admin to configure User Attributes; see Account types.
- Users with Can Edit or Can Explore access to a workbook or dataset can reference existing user attributes in functions.
- You should not use User Attributes in a Materialized Dataset as this can cause undesirable results or errors.
Column-Level Security
Column-Level Security provides granular control over data access, giving you the flexibility to restrict or grant access to column-level data. This ensures that sensitive or confidential information is accessible only to authorized users.
Column-Level Security (CLS) is managed through team membership and user attributes. When you use user attributes to set CLS, column visibility is set dynamically based on the attribute value assigned to each team.
CLS can also be used to give different embed clients access to individual columns within a table.
Column-Level Security provides the following benefits:
- Secures columns that contain sensitive information, such as personal identifiers (e.g., social security numbers), financial data or medical records.
- Data sharing and collaboration: Column-Level Security enables controlled data sharing and collaboration. Organizations can share specific columns with external parties or partners without exposing the entire dataset.
- Data Confidentiality in Multi-Tenant Environments: In multi-tenant systems or cloud-based environments, where multiple clients or orgs share the same infrastructure, CLS ensures that each tenant's data remains isolated and protected from other tenants.
- Data Masking and Anonymization: Column-Level Security can be combined with data masking and anonymization techniques to protect sensitive data and still allow certain authorized users to work with pseudo or obfuscated values.
Configure Column-Level Security
Configuring Column-Level Security is a multi-step process. The Example Configuration section contextualizes the steps below.
- Create a dataset. See Create Datasets for more information.
- Create user attributes.
- Assign a user attribute to teams.
- Set the column in a dataset to the user attribute to enforce security.
CLS does not currently support the dataset's worksheet tab.
Create User Attributes
Follow the steps below to create a User Attribute.
- In your Sigma Admin portal, go to User Attributes and click Create Attribute.
- In the New Attribute section, enter a unique name in the Name field.
- In the Description field, describe the attribute. Optional.
- In the Default Value field, enter a default value. Sigma will use the value defined here if no value is set for a team. Optional.
It's highly recommended that you set a default value for user attributes when configuring CLS. If you don't set a value, it defaults to (2) Restricted, which hides the column from view.
- Click Create.
- After you click Create, the attribute appears under User Attributes.
Assign teams
Follow the steps below to assign a team to a User Attribute.
- In the Teams Assigned section, click Assign Attribute to assign teams to this attribute.
- In the search bar, search for teams to assign this attribute to, or click in the search bar to view a list of your organization's teams; see Teams.
- Add a value in the Assigned Value field.
The value you add in the Assigned Value field maps to a preexisting value. Set the value to determine the visibility of the data by team. By doing this, you're managing CLS through team membership and user attributes.
- 0: If you assign 0 to the team, the column data is visible to the team.
- 1: If you assign 1 to the team, the column data isn't added by default to the workbook.
- 2: If you assign 2 to the team, the column isn't included.
- Click Assign. Your teams are now listed under Teams Assigned.
- To reorder the priority of teams, in the Teams Assigned section, place your cursor over the drag handle under the Priority column, and drag and drop the team to the desired priority.
Grant permissions to teams
In the dataset, you must grant permission to the teams that will access it.
- On the dataset, go to the Permissions tab.
- Click Add Permission.
- Enter the team name and grant a permission level. The level of permission you assign to a team doesn't affect column security.
Set User Attribute in Dataset
Follow the instructions below to set the user attribute in a dataset.
- Open your dataset, click Edit, and click the Columns tab.
- In the Visibility column, click the dropdown for the desired column and select the user attribute you previously created.
- After you select the attribute you wish to apply to the column, click Publish.
Create a workbook
After the dataset is configured, create a workbook that uses the dataset created above.
- Go to My Documents > Create New > Workbook > click Table > Tables and Datasets.
- Click My Documents and browse and select the dataset you recently created.
- After the workbook loads, click Select.
- Click Save As to save your workbook and name it.
- Share the workbook with the teams that require access.
Example configuration
To demonstrate how to implement Column-Level Security, we will use an example. In a sales org, there is a team that requires access to data in a specific column and a team that shouldn't see the data in the same column.
To enforce this security configuration, the sales org first creates a dataset and follows the instructions above to create a user attribute. For our example, we created a user attribute called CLS_Test. We then assigned the attribute to Prashant Team and entered 0 for the Attribute Value. Charlie's Team was also added and we entered 2 for the Attribute Value.
Now, we open the dataset, go to the Columns tab, and set the Domain column to the CLS_Test attribute. When we set this attribute, we enforce CLS through team membership and user attributes.
We then create a workbook that leverages the dataset and share it with the two teams.
As noted above, a 0 value sets the column to Included. Since Prashant Team's Attribute Value is set to 0, they see the Domain column.
Prashant Team
Charlie Team doesn't see actual values in the Domain column. The values are obfuscated with "invalid query" text because their Attribute Value is set to 2, which restricts the values in the column.
Charlie Team
In Live Edit sessions, restricted users can see the column name if other live edit users can access the column.
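The example configuration above can be reviewed offline before a workbook is shared. The following Python example is added here and is not Sigma code or a Sigma API: it models the 0/1/2 values and the Restricted fallback described on this page over constructed users, and it assumes that when a user belongs to several assigned teams, the highest-priority team's value applies.

```python
# Added illustration of the CLS rules on this page; not Sigma code or a Sigma API.
# User names and the "Finance" team are constructed sample data.

VISIBILITY = {0: "visible", 1: "not added by default", 2: "restricted"}
RESTRICTED = 2  # the page's fallback when neither a team value nor a default is set


def effective_value(user_teams, assignments, default=None):
    """Resolve one user's attribute value and where it came from.

    assignments: (team, value) pairs in priority order, highest first.
    Assumption: the highest-priority assigned team the user belongs to wins.
    """
    for team, value in assignments:
        if team in user_teams:
            return value, f"team:{team}"
    if default is not None:
        return default, "default"
    return RESTRICTED, "unset"


def audit_column(users, assignments, default=None):
    """Return (user, value, label, source) rows, least restrictive first."""
    rows = []
    for user, teams in users.items():
        value, source = effective_value(set(teams), assignments, default)
        if value not in VISIBILITY:
            raise ValueError(f"{user}: unexpected attribute value {value!r}")
        rows.append((user, value, VISIBILITY[value], source))
    return sorted(rows, key=lambda row: (row[1], row[0]))


def exposed_users(rows):
    """Users whose value is not 2; value 1 only hides the column by default."""
    return [user for user, value, _, _ in rows if value != RESTRICTED]


# CLS_Test as configured in the example: Prashant Team = 0, Charlie's Team = 2.
CLS_TEST = [("Prashant Team", 0), ("Charlie's Team", 2)]
USERS = {  # constructed membership
    "ana": ["Prashant Team"],
    "bo": ["Charlie's Team"],
    "cy": ["Charlie's Team", "Prashant Team"],  # member of both teams
    "di": ["Finance"],                          # no assigned team
}

if __name__ == "__main__":
    for row in audit_column(USERS, CLS_TEST):
        print(row)
```

Running the audit with the team order reversed, or with a Default Value of 0, shows how team priority and the default change who can reach the Domain column.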