
Product Demo - Managing access as code for data products

Learn in this product demo recording how data engineers can use Raito to manage access as code and collaborate with data product owners.

Data engineering teams are increasingly managing data products as code in CI/CD for better version control, automated testing, and faster deployments. With Raito, engineers can define access controls for data products as code in git, while data product owners can use Raito’s UI to manage user access to data products. This lets you integrate data security in the data development processes, and achieve the necessary separation of duties.

Segregation of duties in access management with Access as Code

Let’s look at the different steps when creating a data product called Sales Analytics Data Product.

Data platform engineer provisions a new environment
When the data platform team provisions a new development environment for a data product, they use Raito to provision 3 data product roles in the environment:

  • Analyst for read access to the data product.
  • Engineer for read and write access to the data product.
  • Owner for admin rights to the data product.

These data product roles don’t grant any access yet, as they’re empty. It is up to the data engineer to map those roles to the output ports of the data product, and up to the data product owner to give users access to the roles. For our Sales Analytics Data Product, the role used to give read access is called ‘Sales Analytics Data Product - Analyst’.

Figure: The data platform engineer creates an empty data product role for the Sales Analytics Data Product.

Data engineer gives role access to the data product

Once the development environment is provisioned, the data engineer can develop the data product. As part of the data product definition, the data engineer declares, as code, the permissions (e.g. READ, WRITE) that the data product roles get on the data product. This can be done using our dbt or Terraform plugins, or by calling the Raito APIs directly. In the example below, the data engineer gives the ‘Sales Analytics Data Product - Analyst’ role read permissions on one of the tables of the data product, in dbt.

When the engineer promotes the data product to production, Raito automatically promotes the access control to the production environment if it doesn’t exist there yet. If any users have been granted access to the Data Product Role, they will get the same access in production.

Figure: The data engineer gives the ‘Sales Analytics Data Product - Analyst’ role read permissions to one of the tables of the Sales Analytics data product, in dbt.

Data Product Owner gives users access to the data product role

At any point the data product owner can grant users access to the Data Product Role in 3 ways:

  • Direct access to individual users.
  • Access to groups (for instance from Active Directory).
  • Dynamically grant access to users based on their attributes (for instance, their department, or geographic region).

When the data product has been finalised, it can be promoted to production. The advantage of using access as code is that the permissions are promoted to production together with the data product, so that access is set by default.
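The three steps above can be modelled in a few lines to show why effective access needs both halves: the engineer's permission mapping and the owner's membership grant. This is an added example, not Raito's code or API; the class, function and actor names and the `orders` table in the usage are assumptions made for illustration.

```python
import copy
from dataclasses import dataclass, field
# Which actor may perform which step (actor names are assumptions for this model).
DUTIES = {"platform_engineer": "provision", "data_engineer": "map", "product_owner": "grant"}

@dataclass
class Role:
    permissions: dict = field(default_factory=dict)  # table -> {"READ", ...}, set as code
    users: set = field(default_factory=set)          # direct grants
    groups: set = field(default_factory=set)         # e.g. directory groups
    attr_rules: list = field(default_factory=list)   # e.g. {"department": "sales"}
    def has_member(self, user):
        attrs = user.get("attrs", {})
        return (user["name"] in self.users
                or bool(self.groups & set(user.get("groups", ())))
                or any(all(attrs.get(k) == v for k, v in rule.items())
                       for rule in self.attr_rules))

class Environment:
    def __init__(self):
        self.roles = {}

    def _require(self, actor, duty):
        if DUTIES.get(actor) != duty:
            raise PermissionError(f"{actor} may not {duty}")

    def provision(self, actor, product):
        self._require(actor, "provision")
        for suffix in ("Analyst", "Engineer", "Owner"):
            self.roles[f"{product} - {suffix}"] = Role()  # empty: grants nothing yet

    def map_permission(self, actor, role, table, permission):
        self._require(actor, "map")
        self.roles[role].permissions.setdefault(table, set()).add(permission)

    def grant(self, actor, role, user=None, group=None, attrs=None):
        self._require(actor, "grant")
        r = self.roles[role]
        if user: r.users.add(user)
        if group: r.groups.add(group)
        if attrs: r.attr_rules.append(attrs)

    def can(self, user, table, permission):
        return any(r.has_member(user) and permission in r.permissions.get(table, ())
                   for r in self.roles.values())

def promote(dev, prod):
    for name, role in dev.roles.items():
        prod.roles.setdefault(name, copy.deepcopy(role))  # only if not in prod yet
```

In this model a role with members but no mapped permissions grants nothing, and `promote` leaves a role that already exists in production untouched.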
