Version: v2.5

Tags

Tag-Based Access Control (TBAC) in Amorphic is a feature that helps users efficiently share and manage data catalog resources at scale. TBAC co-exists with the existing Role-Based Access Control (RBAC); however, users have to select which access control mechanism they prefer at the time of resource creation.

Amorphic TBAC provides the following capabilities:

  • By associating Tags with users, administrators can grant users access to specific data catalog resources that match their assigned tags. This provides a dynamic and scalable access control mechanism.
  • For S3 datasets, users can assign tags to individual files, thus enabling granular access control within the same dataset.

info

  • Currently TBAC is supported for only S3 and LakeFormation datasets.
  • Adding existing non-TBAC datasets to tags is not supported; users should create a new dataset with tags.

What is a Tag?

In Amorphic, each tag is a resource which consists of a Tag Name and up to 5 Tag Values. Each unique combination of Tag Name and Tag Value can then be attached to multiple data catalog resources as well as users within Amorphic. An access type (owner or read-only) must be specified when tagging a resource.

Example

Suppose you have the following Tag Name and Tag Value combinations:

Tag Name: department
Tag Values: sales, finance, legal
These combinations can be attached to various resources and users in the system. For instance:

Tagging a dataset with department: sales and access type as owner associates it with the sales department. Assigning the same tag to a user grants them access to all read-only & owner datasets tagged with department: sales.

info

Each resource can have a maximum of 5 unique combinations of Tag Name & Tag Value attached to it.

Amorphic TBAC Tag contains the following information:

Tag Metadata Information

| Type | Description |
| --- | --- |
| Tag Name | The unique name identifying the tag. Can be a maximum of 24 characters. Allowed characters are lowercase letters, numbers and + - . _ |
| Tag Values | The list of values associated with the tag. Up to 5 values per tag. Each tag value can be a maximum of 24 characters and allowed characters are lowercase letters, numbers and + - . _ |
| Tag Description | A brief explanation of the tag's purpose. |
| Users Attached | The list of users who have access to the tag. |
| Resources Attached | The list of resources attached to the tag. |
| CreatedBy | The user who created the tag. |
| LastModifiedBy | The user who last updated the tag. |
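
The naming limits and the tag-matching rule described above can be checked offline when planning a tag scheme or reviewing who a tag would expose data to. The following Python is an added example, not Amorphic code or its API: the function names and sample datasets are constructed for illustration, and it assumes a user receives exactly the access types set on the dataset tags that match the user's tags.

```python
import re

# Limits as documented on this page; the model itself is illustrative.
TOKEN = re.compile(r"[a-z0-9+\-._]{1,24}")  # lowercase, digits, + - . _ (max 24)
MAX_VALUES_PER_TAG = 5
MAX_TAGS_PER_RESOURCE = 5
ACCESS_TYPES = {"owner", "read-only"}


def validate_tag(name, values):
    """Return a list of rule violations for a tag definition (empty = valid)."""
    errors = []
    if not TOKEN.fullmatch(name):
        errors.append(f"bad tag name: {name!r}")
    if len(values) > MAX_VALUES_PER_TAG:
        errors.append("more than 5 values on one tag")
    errors += [f"bad tag value: {v!r}" for v in values if not TOKEN.fullmatch(v)]
    return errors


def validate_resource(tags):
    """tags: list of (name, value, access_type) attached to one dataset."""
    errors = []
    if len({(n, v) for n, v, _ in tags}) > MAX_TAGS_PER_RESOURCE:
        errors.append("more than 5 name:value combinations")
    errors += [f"bad access type: {a!r}" for _, _, a in tags if a not in ACCESS_TYPES]
    return errors


def effective_access(user_tags, datasets):
    """Map dataset name -> access types the user's (name, value) tags grant."""
    granted = {}
    for ds, tags in datasets.items():
        types = {a for n, v, a in tags if (n, v) in user_tags}
        if types:
            granted[ds] = types
    return granted


# Constructed sample data, not taken from a real Amorphic tenant.
DATASETS = {
    "sales_orders": [("department", "sales", "owner")],
    "sales_reports": [("department", "sales", "read-only"),
                      ("department", "finance", "owner")],
    "contracts": [("department", "legal", "owner")],
}

if __name__ == "__main__":
    print(validate_tag("Department", ["sales", "fin ance"]))
    print(effective_access({("department", "sales")}, DATASETS))
```

Running `effective_access` for every user before attaching a new tag value shows which datasets that single change would open up, which is the main review step for a shared tag such as department: sales.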

Tag Operations

Along with Amorphic TBAC, you can perform basic CRUD operations (shown in the table below) on a tag if you have sufficient permissions.

Tag Details

| Functionality | Description |
| --- | --- |
| Create Tag | Create a Tag by specifying Name & Value(s) |
| View Tag | View existing Tag Metadata Information |
| Update Tag | Update values or description of a Tag |
| Delete Tag | Delete an existing Tag |
| Update Users Attached | Grant users access to a particular Tag Name: Tag Value combination |
| Update Resources Attached | Update resources attached to a particular Tag Name: Tag Value combination |

info

Removing an existing Tag Value during a Tag update is not allowed if any resources are attached to that Tag Value, and deleting an existing Tag is not allowed if any resources are attached to that Tag. Use the Update Resources Attached functionality to remove all resources first before proceeding with the Tag update or delete.

How to create a Tag?


To create a new tag in Amorphic, follow these steps:

  1. Go to the Management menu and select Tags.
  2. Click on the Create Tag button.
  3. Fill in the information required, such as Tag Name & Tag Value(s).
  4. Click on Create to create the new Tag.

How to update users attached to a Tag?

  1. Under the Values tab, click on Action for the corresponding Tag Value.
  2. Click on the Update Users Attached button.
  3. Add or remove users as desired using the dropdown list.
  4. Click on Update.


How to update resources attached to a Tag?

  1. Under the Values tab, click on Action for the corresponding Tag Value.
  2. Click on the Update Resources Attached button.
  3. Add or remove datasets to owner or read-only access fields as desired.
  4. Click on Update.

This is an asynchronous process, and the user will receive an email once the tag update is complete.


info

When updating users or resources attached to a tag:

  1. All users must have domain access for all datasets attached to the tag.
  2. If a dataset has only 1 tag with owner access attached to it, it cannot be removed.