Announcing the public preview of attribute based access control (ABAC) in Starburst Galaxy

Fine-grained governance and security to all of your cloud data sources

Last Updated: April 12, 2024

Managing access to data is a fundamental and critical need in any organization that has only increased in importance and complexity with regulatory requirements like GDPR. And the size of data, type of data, and number of people accessing data are all growing at near exponential rates. 

Traditional resource-based access control (RBAC) relies on granting specific groups of people access to particular data assets — like individual tables or columns. Managing access at this level in such a large-scale system becomes a very difficult and time-consuming exercise. 

That’s why we’re thrilled to announce the addition of attribute-based access control (ABAC) to Starburst Galaxy, which brings fine-grained governance and security to all of your cloud data sources. ABAC offers a dynamic and flexible access control framework that aligns security policies with an organization’s business-driven data privacy policies.

Why attribute-based access control (ABAC) is important

At its core, ABAC grants or denies access to resources based on various attributes associated with users, data assets, and other resources. These attributes can encompass a wide range of factors, including user roles, job titles, clearances, time of day, location, and even contextual data like device type or network security level. By leveraging this granular approach, large enterprises can implement fine-grained access control, letting them define precise rules for accessing sensitive information.

The importance of ABAC for large enterprises cannot be overstated. First, it facilitates the implementation of the principle of least privilege (PoLP), ensuring that users are granted only the permissions necessary for their tasks. This helps minimize the potential attack surface and restricts unauthorized users from accessing critical data. Second, ABAC enables dynamic access control, allowing organizations to adapt security policies in real-time as users’ roles and attributes change. 

The agility unlocked with ABAC is vital for large enterprises that deal with complex organizational structures and frequently evolving access requirements.

The fundamentals of access control in Starburst Galaxy

Before diving in, let’s cover the basics. Galaxy’s access control is role-based — meaning every user acts in a specific role at any given time. Roles can be assigned to users, groups, or other roles. Users and groups can be synced with your preferred identity provider.

Roles are then given access to perform certain actions including:

  • Administrative functions
  • Creating, starting, and stopping clusters
  • Managing metadata (including tags)
  • Querying data 

Here’s an example of what a marketing role may look like in Galaxy. You can see that users from the marketing department have all been added to the role via email.

If we navigate to the Privileges tab under the marketing role, we can now see the associated access rights. You’ll notice that in this example marketing can query the customer_stats table but cannot create new tables.

The rest of this blog will focus on how to permit and limit the querying of data with roles and attributes in Starburst Galaxy. 

How to implement ABAC in Starburst Galaxy

Step One – Tag your data

In order to create attribute-based access controls, we must first tag our data with some attributes. Tags are key to providing business context to access controls. It is important to note that Galaxy requires elevated privileges to tag assets and manage available tags. These can be found in the “Account” section of a role.

Tags have a two-level hierarchy that we’ll explore later. For now, create a tag that can be applied to data assets (catalogs, schemas, tables, and columns) by navigating to the tags section under access control.

Creating a tag is simple. You’ll notice you can nest tags under others to create the two-level hierarchy you see in the screenshot above.

The next step is to tag your data. Tags can be applied at every level in the data hierarchy – catalogs, schemas, tables, and columns.

Important: Tags “inherit” down this hierarchy. This means that if you tag a catalog, all of its schemas, tables, and columns will get that tag. However, tagging a column will apply that tag to just that column since it’s the lowest level of the hierarchy.

Navigate to the catalogs section of Galaxy and choose the asset you want to tag. You can add tags directly on the object or in-line in its parent object. The example below is a catalog tagged with “marketing” and a schema tagged with “sales”. Note the inheritance from the catalog to the schema.

Step Two – Create policies

Now that we’ve tagged our data, we can create policies. Access is managed via roles, so navigate to the roles and privileges tab, chose the role you want to create the policy for, and click the policies tab to add a new policy. 

Let’s break down each section you see in the create policy screen.

  • Policy name and description: Describe the policy
  • Scope: Limit where this policy will be applied. In this example, it will apply the policy to the entire demo_customer catalog and the entire demo schema in the google_cloud_storage catalog
  • Matching expression: Apply the policy when the expression evaluates to true. This is where tags come into play. The expression field currently supports a single function has_tag(tag) and logical operators AND, OR, NOT, and(). For this example, the policy will apply to anything tagged with marketing but not anything tagged with pii or pii.*
  • Privileges: these are the privileges that will be applied – note you can ALLOW or DENY privileges

*Note the wild card applied in the expression to match the hierarchy we built earlier.


Policies can also optionally have an expiration date to automatically remove access at a certain day and time.

Save the new policy to see the list of policies in effect for that role.

Finally, you can see the policy’s effect on specific assets on the Privileges tab.

And that’s it! You’re up and running with ABAC in Starburst Galaxy. Visit the docs to learn more or check out the free, hands-on ABAC tutorial in Starburst Academy. 

Try Starburst Galaxy today

The analytics platform for your data lake

Start free

Start for Free with Starburst Galaxy

Up to $500 in usage credits included

Please fill in all required fields and ensure you are using a valid email address.

Start Free with
Starburst Galaxy

Up to $500 in usage credits included

  • Query your data lake fast with Starburst's best-in-class MPP SQL query engine
  • Get up and running in less than 5 minutes
  • Easily deploy clusters in AWS, Azure and Google Cloud
For more deployment options:
Download Starburst Enterprise

Please fill in all required fields and ensure you are using a valid email address.