Data Access Management

The Data Access Management sub-module controls all Access Management operations at the platform level.

Crawl

An instance-level Data Access Admin can crawl users, roles, groups, and associated permissions and policies across databases, schemas, tables, and other metadata objects on all Redshift connectors configured within the same instance.

Database and Schema: Provides checkbox options to select specific databases and schemas for crawling. The interface displays selection status in the format (selected/total).

Schedule: In addition to manual crawls, an instance-level Data Access Admin can schedule crawls at defined intervals. This enables periodic sync with the source system and supports consistent access governance.

Grouping of connectors by instance

The created connectors are grouped in the Data Access module according to the associated server instance, shown in a hierarchical tree view on the left side of the page. The tabs displayed for each instance level vary depending on the type of connector.

For Redshift, the Connectors tab lists all connectors hosted under this instance. Connectors are visible in addition to the Instance Details.

Instance Details

The Instance Detail screen displays five tabs:

Instance Summary Tab

The Instance Summary tab serves as the landing page for Redshift connectors at the instance level. It displays all the connection parameters configured during connector setup. Parameters such as Select Bridge, Connection String, Username, Password, Database, and Credential Manager can be modified if required. Parameters such as server and port cannot be modified.

Instance Data Access Admins

The Instance Data Access Admins section displays a list of all Instance Data Access Administrators associated with different connectors in the instance.

To add or modify Instance Data Access Admins:

  • In the Instance Data Access Admins section, click the pencil icon.

  • Select one or more roles from the list.

  • Click Save to apply changes.

Role Settings Tab

Allow Add/Edit of Redshift Roles: When enabled, the selected role can create new Redshift roles or modify existing ones within the platform.

Allow Delete of Redshift Roles: When enabled, the selected role can delete Redshift roles from the platform.

To add or edit Role Settings:

  • In the Role Settings tab, click the pencil icon.

  • Use the checkboxes to enable:

    • Allow Add/Edit of Redshift Roles

    • Allow Delete of Redshift Roles

  • In Immutable Redshift Roles, select one or more roles from the list.

  • Click Save to apply the changes.

Group Settings Tab

Allow Add/Edit of Redshift Groups: When enabled, the selected role can create new Redshift Groups or modify existing ones within the platform.

Allow Delete of Redshift Groups: When enabled, the selected role can delete Redshift Groups from the platform.

To configure Group Settings:

  • Go to the Group Settings tab.

  • Click the pencil icon to open the edit window.

  • Use the checkboxes to enable the following options for the selected role:

    • Allow Add/Edit of Redshift Groups: Grants permission to create or modify Redshift groups.

    • Allow Delete of Redshift Groups: Grants permission to delete Redshift groups.

  • Under Immutable Redshift Groups Roles, select one or more roles to protect from modification or deletion.

  • Click Save to apply the changes.

User Settings Tab

Allow Add/Edit of Redshift Users: When enabled, the selected role can create new Redshift Users or modify existing ones within the platform.

Allow Delete of Redshift Users: When enabled, the selected role can delete Redshift Users from the platform.

To configure User Settings:

  • Go to the User Settings tab.

  • Click the pencil icon to open the edit window.

  • Use the checkboxes to enable the following options for the selected role:

    • Allow Add/Edit of Redshift Users: Grants permission to create or modify Redshift Users.

    • Allow Delete of Redshift Users: Grants permission to delete Redshift Users.

  • Under Immutable Redshift Users Roles, select one or more roles to protect from modification or deletion.

  • Click Save to apply the changes.

Notification Tab

Click the pencil icon to configure recipients for each activity notification:

  • Use the toggle buttons to enable or disable the following notifications:

    • Changes to Roles/Groups/Users during crawling (source system sync)

    • Changes to Roles/Groups/Users from Data Access Management

    • Configure notifications for Data Access Admin

  • Select specific application users, teams, or roles as recipients of notifications.

  • Notifications will be sent to the selected recipients based on the configured settings.

  • Click Save to apply the changes.

Other Settings

To configure Query Timeout (in seconds):

  • Go to the Other Settings tab.

  • Click the pencil icon to enable editing.

  • In the Query Timeout (in seconds) field, manually enter the desired timeout value in seconds. This defines how long the system should wait for a query to complete before timing out.

  • Click Save to apply the changes.

Connectors Tab

The Connectors tab displays a list of all configured Redshift connectors associated with an instance.

Attributes:

  • Connector ID: Shows the unique identifier for the connector.

  • Connection Name: Shows the configured name of the Redshift connection.

  • Database: Indicates the name of the connected database.

  • Last Crawled Date: Captures the most recent date and time of metadata crawl.

The system displays a hierarchical tree where all connectors appear under the instance. Click the connector name to open the connector-level screen.

Roles Tab

The Roles tab displays all roles from Redshift after the metadata crawl is complete. This tab allows data administrators to review role definitions, privilege mappings, and role hierarchies as captured from the source system.

Attributes:

  • Redshift Role: Displays the name of the role as defined in Redshift.

  • Role Type: Indicates whether the role is system-defined or custom.

  • Account Privileges: Lists the account-level privileges assigned to the role.

  • Source: Identifies the source connector from which the role was crawled.

  • Application Created Date: Shows the date and time the role was crawled into the application.

  • Application Role: Indicates whether a role with the same name already exists in the application. If a match exists, the roles are synchronized and treated as a single entity across the system.

Groups Tab

The Groups tab lists all groups detected in Redshift during the metadata crawl. This tab enables data administrators to review group identities, role associations, and relevant access configurations retrieved from the source system.

Attributes:

  • Redshift Group: Displays the Group name as defined in Redshift.

  • Users: Displays the user's name or display name, if available.

  • Source: Identifies the connector or source system from which the group was crawled.

  • Application Created Date: Shows the date and time the group was crawled into the application.

Users Tab

The Users tab lists all users detected in Redshift during the metadata crawl. This tab enables data administrators to review user identities, role associations, and relevant access configurations retrieved from the source system.

Attributes:

  • Redshift Username: Displays the username as defined in Amazon Redshift.

  • Groups: Indicates the group associated with the user for accessing Redshift.

  • Roles: Displays the roles assigned to the user in Redshift.

  • Password Expiry On: Shows the date when the user's password is set to expire.

  • User Privileges: Lists the privileges granted to the user within the Redshift environment.

  • Application Created Date: Shows the date and time the user was crawled into the application.

  • Application User: Indicates whether a user with the same name already exists in the application. If a match exists, the users are synchronized and treated as a single entity across the system.

Connector Level

The following tabs are displayed at the connector level. Navigate to a connector under each server instance in the left-side hierarchical Data Access Management grouping.

Connector Details

Its sub-tabs are listed below:

Summary Tab

The Connector Data Access Admin (DAA) can configure access management settings for the Redshift connector from the Summary tab. This includes managing permissions for metadata objects and defining synchronization settings between Redshift and the application.

Access Management

Enable the Access Management checkbox to configure Redshift permissions and policy settings within the application.

Permission Controls Available under Access Management

Click the pencil icon to enable or disable specific permission controls. Select the required options and click Save to apply the changes.

  • Manage Database Permissions: Allows configuration of user and role-level permissions on Redshift databases from within the application.

  • Manage Schema Permissions: Enables management of access permissions at the schema level, providing control over who can access or modify schema metadata.

  • Manage Table Permissions: Allows permission management on individual Redshift tables, including assigning or revoking access.

  • Manage Table Column Permissions: Enables permission control at the column level, helping enforce fine-grained data access policies.

  • Manage and Assign Masking Policies: Supports defining and assigning masking policies to protect sensitive data in Redshift columns.

  • Manage and Assign Row Access Policies: Allows creation and assignment of row-level access policies to restrict data visibility based on user roles or attributes.

  • Sync Redshift Permissions to Application Permissions: Reflects Redshift-assigned permissions directly in the application, ensuring aligned access governance.

  • Sync Redshift Masking Policies to Application Policies: Imports existing Redshift masking policies into the application for centralized visibility and monitoring.

  • Sync Application Masking Policies to Redshift Policies: Pushes masking policies defined in the application back into Redshift, supporting two-way policy synchronization.

Connector Data Access Admins

Displays the list of Data Access Admins at the connector level.

  • Click the pencil icon next to the connector to open the admin configuration.

  • Choose one or more roles from the list to assign as Data Access Admins.

  • Click Save to confirm and apply the changes.

Permissions Tab

The Permissions tab displays the mapping of Redshift permissions across databases, schemas, tables, and table columns to corresponding application-specific permissions. This mapping provides a unified view of access control, making it easier to understand and manage user privileges across both systems.

For example, a SELECT permission on a Redshift table corresponds to Meta Read and Data Read permissions within the application. This ensures that source-level access aligns with the application’s internal permission model for consistent governance.
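The crawled Roles, Groups and Users tabs and the SELECT mapping above can be cross-checked against the source with read-only catalog queries. This is an added example, not part of the product or its documentation; it uses Redshift's own catalog tables and system views and assumes a session that can see all identities (for example a superuser).

```sql
-- Added example: read-only queries to compare Redshift with the crawled tabs.
-- Assumes a session that can see all identities (for example a superuser).

-- Users tab: username, privilege flags, password expiry (valuntil).
SELECT usename, usesuper, usecreatedb, valuntil
FROM pg_user
ORDER BY usename;

-- Groups tab: each group with its member users (grolist holds user ids).
-- Groups with no members are not listed by this join.
SELECT g.groname, u.usename
FROM pg_group g, pg_user u
WHERE u.usesysid = ANY (g.grolist)
ORDER BY g.groname, u.usename;

-- Roles tab: roles granted to users, and roles granted to other roles.
SELECT user_name, role_name, admin_option
FROM svv_user_grants
ORDER BY user_name, role_name;

SELECT role_name, granted_role_name
FROM svv_role_grants
ORDER BY role_name, granted_role_name;

-- Permissions tab: every SELECT grant on a table or view. Each row should
-- appear in the application as Meta Read and Data Read for that identity.
SELECT namespace_name, relation_name, identity_type, identity_name
FROM svv_relation_privileges
WHERE privilege_type = 'SELECT'
ORDER BY namespace_name, relation_name, identity_type, identity_name;
```

A row returned here that is missing from the corresponding tab points to a grant made directly in Redshift since the last crawl, or to a database or schema that was not selected for crawling.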

Notification Tab

The Notification tab allows configuration of alerts related to user, group, role, and permission changes detected during metadata crawling or performed within the application. This ensures that Data Access Admins and other designated stakeholders stay informed about critical access updates.

  • Click the pencil icon to configure notification settings for each activity. Use the toggle buttons to enable or disable the following notifications:

    • Changes to Permissions of Databases, Schemas, Tables, Columns, policy associations during crawling (source system sync)

    • Changes to Row Access Policies, Masking Policies (source system sync)

    • Changes to Permissions of Databases, Schemas, Tables, Columns, policy associations from Data Access Management

    • Changes to Row Access Policies, Masking Policies from Data Access Management

    • Configure notifications for Data Access Admins

  • Select individual application users, teams, or roles to receive notifications. Notifications will be delivered based on the selected recipients and saved settings.

  • Click Save to apply the notification configurations.

Databases Tab

The Databases tab provides a consolidated view of Redshift roles/groups/users associated with each configured database. It allows administrators to monitor and analyze access at the database level.

Attributes:

  • Database: Displays the name of the Redshift database.

  • Roles/Groups/Users: Lists the Roles/Groups/Users that have access to the database.

  • Permissions: Displays the specific privileges assigned to each role, group, or user within the database.

Schemas Tab

The Schemas tab provides a consolidated view of Redshift roles/groups/users associated with each configured schema. It helps administrators assess user/group access and role assignments at the database level.

Each user includes the following attributes:

  • Schema: Displays the schema within the Redshift database that the user can access.

  • Roles/Groups/Users: Lists the roles/groups/users assigned within the context of the database.

  • Permissions: Shows the specific privileges granted to the roles/groups/users on the schema or its objects.

Tables Tab

The Tables tab displays all Redshift tables crawled into the application, along with the roles, groups, and users assigned permissions on each table. Permissions are organized by role, offering clear visibility into access control.

Attributes:

  • Schema: Shows the schema where the table resides.

  • Type: Indicates whether the object is a Table, View, or Materialized View.

  • Table: Displays the name of the table.

  • Roles/Groups/Users: Lists the roles, groups, and users assigned to the table, along with the respective permissions.

  • Permissions: Displays the specific permissions granted to each role, group, or user on the table.

  • Row Access Policy: Shows the row-level access policy applied to the table, if available.

Table Columns Tab

The Table Columns tab provides detailed insights into individual columns within Redshift tables, including the data types, masking policies applied, and associated tags. This view supports column-level access governance and data sensitivity tracking.

Attributes:

  • Schema: Displays the schema containing the table.

  • Table: Shows the name of the table to which the column belongs.

  • Table Column: Indicates the name of the specific column.

  • Column Type: Displays the data type of the column.

  • Roles/Groups/Users: Lists the roles, groups, and users with access to the column.

  • Permissions: Shows the permissions granted to each role, group, or user on the column.

Masking Policies Tab

The Masking Policies tab displays all masking policies defined or crawled from Redshift, along with their configurations and associations. This tab enables administrators to manage data obfuscation rules, ensuring sensitive data is protected based on user roles and access levels.

Attributes:

  • Policy: Displays the name of the masking policy.

  • Policy SQL: Shows the SQL logic defined in the policy.

  • Policy Scheme: Indicates the structure or format of the masking logic.

  • Data Type: Specifies the data type to which the policy applies.

  • Database: Displays the database where the policy is defined.

  • Policy Type: Indicates the category of policy.

  • Source: Specifies the origin system where the change occurred.

  • Created Date: Records when the policy was created.

  • Updated By: Indicates the user who last modified the policy.

Row Access Policies Tab

The Row Access Policies tab displays all row-level access control policies that have been defined or crawled from Redshift. These policies restrict data visibility based on user roles or conditions, helping enforce fine-grained access control.

Attributes:

  • Policy: Displays the name of the row access policy.

  • Policy SQL: Shows the SQL logic used to define row-level access conditions.

  • Database: Indicates the database where the policy is created.

  • Source: Specifies the origin system where the change occurred.

  • Created Date: Displays when the policy was created.

  • Updated By: Shows who last modified the policy.
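The Policy SQL attribute on the Masking Policies and Row Access Policies tabs holds the expression from a Redshift policy definition. The following added example (not from the product documentation) shows one policy of each kind on the Redshift side; the table, role and policy names are constructed for illustration.

```sql
-- Added example; customer_cards, analyst_role and both policy names are
-- constructed for illustration.
CREATE TABLE customer_cards (
    customer_id INT,
    region      VARCHAR(16),
    card_number VARCHAR(19)
);
CREATE ROLE analyst_role;
GRANT SELECT ON customer_cards TO ROLE analyst_role;

-- Masking policy: WITH declares the input column and its data type,
-- USING is the expression returned instead of the stored value.
CREATE MASKING POLICY mask_card_last4
WITH (card_number VARCHAR(19))
USING (('XXXX-XXXX-XXXX-' || RIGHT(card_number, 4))::VARCHAR(19));

-- Attaching binds the policy to a column and an identity; PRIORITY decides
-- which policy wins when several apply to the same user.
ATTACH MASKING POLICY mask_card_last4
ON customer_cards (card_number)
TO ROLE analyst_role PRIORITY 10;

-- Row access policy: USING is a predicate; only rows where it is true
-- are visible to the identities the policy is attached to.
CREATE RLS POLICY emea_rows_only
WITH (region VARCHAR(16))
USING (region = 'EMEA');

ATTACH RLS POLICY emea_rows_only ON customer_cards TO ROLE analyst_role;

-- The row policy is enforced only once row-level security is enabled.
ALTER TABLE customer_cards ROW LEVEL SECURITY ON;

-- Source-side views to compare with what the crawl imported.
SELECT * FROM svv_masking_policy;
SELECT * FROM svv_attached_masking_policy;
SELECT * FROM svv_rls_policy;
SELECT * FROM svv_rls_attached_policy;
```

With row-level security on, a non-superuser with SELECT on the table but no attached row policy sees no rows, so review the attachment views together with the table grants.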


Copyright © 2025, OvalEdge LLC, Peachtree Corners GA USA
