Policy Behavior When Consuming Data Streams and Data Objects
When you view or work with data objects in Data 360, access policies determine what
you can see and use.
Object Type | What Users Can Do
Data Stream
Users can view a data stream only if they have access to the underlying data
lake object (DLO).
Users can see the data stream mapping if they have access to the data space.
However, the mapped field counts only show fields relevant to the user, excluding
any fields on data model objects (DMOs) they can't access.
DLO
Users can use only those DLOs that are permitted by their policies.
DMO
Users can use DMOs that are permitted by their access policies.
Users can use DMO relationships that are permitted by their access
policies.
CIO
Users can view a CIO only if they have access to the CIO object.
You can apply field-level security (FLS) policies to a CIO to restrict which
fields are visible to each user.
Key Enforcement Callouts When Consuming Data Objects
Here are some key callouts on how governed data behaves in Data 360, including its
unique policy rules and exceptions.
Object Type | What Users Can Do
DLO
Users with View All and Modify All on the DLO can view all metadata. Data
space assignment and policy control query access.
Users can view masked fields in object-level pages such as Data Explorer,
Profile Explorer, and Query Editor, depending on their access.
CIO
CIOs don’t have their own dedicated tab, so enforcement in the UI relies on
the CI process definition along with the CIO.
When an FLS policy restricts access to a dimension and you query an
aggregatable metric, the metric value automatically excludes the restricted
dimension and rolls up to the defined dimension level.
When an FLS policy restricts access to a dimension, any non-aggregatable
metric is automatically restricted, even if no tags or explicit policies are
defined.
When you add a CIO to a semantic data model and apply an FLS policy that
restricts access to a dimension, users are also restricted from viewing any
metric that uses the same aggregation function.
When you apply a masking policy, metric results in semantic data model queries
can vary based on the rounding behavior defined in the policy.
DMO
Users with View All and Modify All permissions on the DMO can access DMO
metadata, but the policy determines whether queries are permitted.
Masked fields can still be viewed in object-level pages such as Data Explorer,
Profile Explorer, and Query Editor, depending on user access. For users where
masking applies, these fields appear as masked.
Search Index
When you create a search index, the system automatically generates derived
objects, such as chunk and vector DMOs, to store the searchable data. These derived
objects inherit the security policies, including object-level, field-level, and
record-level security, applied to the source DMO. This ensures that search results
and retrieval-augmented generation (RAG)-driven insights consistently respect the
governance rules of the original data.
Data Graph
Policies are enforced at a granular level when users access data through a
data graph. Users can view only the portions of the data graph that they have
permission to access, and restricted data model objects (DMOs) and fields are
excluded from the results.
Tags on a data graph are inherited from source DMOs and aren’t directly
assigned. Propagated tags aren’t currently displayed in the data graph UI.
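The CIO rows above say that an FLS-restricted dimension makes aggregatable metrics roll up and makes non-aggregatable metrics unavailable. The following added example (a simplified model, not Salesforce code or a Data 360 API) shows that behavior on constructed data. The dimension names, metric names, and the `query_cio` helper are hypothetical.

```python
from collections import defaultdict

# Constructed sample CIO rows at full grain (region x product); not real data.
ROWS = [
    {"region": "EMEA", "product": "A", "revenue": 100.0, "median_order": 20.0},
    {"region": "EMEA", "product": "B", "revenue": 50.0, "median_order": 10.0},
    {"region": "APAC", "product": "A", "revenue": 70.0, "median_order": 35.0},
    {"region": "APAC", "product": "B", "revenue": 30.0, "median_order": 15.0},
]
DIMENSIONS = ("region", "product")
# Hypothetical metric catalogue: metric name -> (source field, aggregatable?)
METRICS = {
    "total_revenue": ("revenue", True),       # sums can be re-aggregated
    "median_order": ("median_order", False),  # medians cannot be rolled up
}


def query_cio(rows, restricted_dims):
    """Model what a user sees when FLS hides the dimensions in restricted_dims.

    Returns (visible_dims, result_rows, withheld_metrics).
    """
    visible = tuple(d for d in DIMENSIONS if d not in restricted_dims)
    rolled_up = len(visible) < len(DIMENSIONS)
    # A non-aggregatable metric has no valid value above its stored grain,
    # so it is withheld as soon as any dimension is restricted.
    withheld = sorted(
        name for name, (_, aggregatable) in METRICS.items()
        if rolled_up and not aggregatable
    )
    groups = defaultdict(lambda: defaultdict(float))
    for row in rows:
        key = tuple(row[d] for d in visible)  # restricted dimension never in key
        for name, (field, aggregatable) in METRICS.items():
            if name in withheld:
                continue
            if aggregatable:
                groups[key][name] += row[field]  # roll up over hidden dimension
            else:
                groups[key][name] = row[field]   # full grain: one row per key
    result = [dict(zip(visible, key), **vals) for key, vals in sorted(groups.items())]
    return visible, result, withheld


if __name__ == "__main__":
    for restricted in (set(), {"region"}):
        print(sorted(restricted), query_cio(ROWS, restricted))
```

When reviewing a policy, note that the rolled-up totals still include rows from every value of the hidden dimension; only the breakdown by that dimension disappears.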