Area: Best Practices
Sub-Area: Access Control and Asset Management
Issue
Organizations often need to selectively hide certain assets (such as development tables, temporary datasets, or assets undergoing migration) from general users while maintaining admin visibility for governance and cleanup purposes. This is common during platform migrations, development workflows, or when ingesting assets for analysis that should not be visible to end users.
You Might Be Asking
- How can I hide development or temporary assets from general users?
- Can I restrict access to specific platform instances during migrations?
- What's the best way to manage asset visibility for different user groups?
- How do I implement temporary visibility controls during data platform transitions?
Solution
DataHub provides multiple approaches for controlling asset visibility. Choose the method that best fits your enforcement requirements and organizational structure:
Option 1: Search Access Controls (SAC) with Metadata Policies (Strongest Enforcement)
For hard enforcement where assets must be completely hidden from unauthorized users:
- Enable Search Access Controls (SAC) in your DataHub instance (requires support team assistance for DataHub Cloud)
- Tag assets you want to restrict with a dedicated tag (e.g., "dev", "temporary", or "under_migration")
- Create a metadata policy granting "View Entity Page" privileges only to admin or domain owner groups for assets with that tag
- Modify or scope down the default "All Users - View Entity Page" policy to exclude tagged assets
# Example ingestion recipe with tagging
source:
type: snowflake
config:
# ... connection details
tag_extraction:
enabled: true
tags:
- "dev" # Apply to dev schemas/tables
Option 2: Platform Instance Scoping (For Migration Scenarios)
When using different platform instances (e.g., during Tableau Server to Cloud migration):
- Configure ingestion with dedicated platform instances
- Use metadata policies to restrict access by platform instance
- Create targeted policies for migration teams while restricting general user access
# Tableau Cloud ingestion with platform instance
source:
type: tableau
config:
platform_instance: tableau-cloud
# ... other config
Option 3: Organization Default Views (Softer Enforcement)
For scenarios where soft hiding is sufficient and users can override if needed:
- Create a Global View with filters excluding unwanted assets
- Set this view as the Organization Default
- Users will see filtered results by default but can modify their personal view
# View filter examples:
# Hide platform instance: Platform Instance ≠ tableau-cloud
# Hide tagged assets: Tags ≠ dev, temporary
# Include specific platforms: Platform = snowflake, airflow OR Platform Instance = tableau-cloud
Option 4: Ingestion-Time Filtering (Permanent Exclusion)
For assets that should never appear in DataHub:
# SQL-based source filtering
source:
config:
schema_pattern:
deny:
- ".*_temp"
- "dev_.*"
table_pattern:
deny:
- "tmp_.*"
- ".*_staging"
Bulk Asset Management
For cleanup operations after migrations or when removing deprecated assets:
# Preview deletion
datahub delete by-filter \
--platform tableau \
--platform-instance "" \
--dry-run
# Execute deletion
datahub delete by-filter \
--platform tableau \
--platform-instance "" \
--soft
Additional Notes
Search Access Controls require backend configuration changes in DataHub Cloud and must be enabled by the support team. Once enabled, users with Admin, Editor, or Reader roles bypass SAC policies entirely. For migration scenarios, Organization Default Views provide the right balance of control and flexibility without requiring complex policy management. Always test visibility changes in a staging environment before applying to production. The GraphQL API respects SAC policies, but some SDK methods may not.
Related Documentation
Tags: access-control, visibility, migration, dev-assets, platform-instances, metadata-policies, search-access-controls, views, asset-management, permissions