          Policy Types in Data 360


          Data 360 offers two policy categories in data governance: role-based access control (RBAC) and attribute-based access control (ABAC).

          Role-based Access Control

          Role-based access control (RBAC) allows you to manage data access by assigning permissions to users based on their roles.

          Use RBAC to grant access to specific data objects, such as data lake objects (DLOs), data model objects (DMOs), and calculated insight objects (CIOs), within a data space through permission sets. RBAC is assigned to individual objects.

          Attribute-based Access Control

          Attribute-based access control (ABAC) is a data access control model that grants or denies access to data based on a combination of attributes. These attributes can belong to the user, the data, or the environment.

          • User attributes: custom permissions
          • Data attributes: tags, sensitivity level, owner, classification

          In ABAC, policies use logical conditions that evaluate attributes at runtime. To maintain performance, ABAC policy authoring includes built-in limits based on resource usage. Each policy’s usage depends on the number of rules and the complexity of its conditions. More complex policies use more resources during data access. Data 360 checks this usage against a maximum condition element threshold when you create, update, or delete a policy. Most users won’t reach this limit, but it helps prevent complex policies from affecting performance.

          Tags and Classifications

          In ABAC, you can add tags and classifications as decision-making attributes to determine if access is allowed. For example, if an object or a field is tagged as "Confidential" or classified as "PII" (Personally Identifiable Information), you can write access policies that reference these tags. Here are two sample policies.

          • “Grant access to users in the Compliance team if the data is classified as Confidential.”
          • “Deny access to any data tagged as PII for users outside the Support team.”

          Using tags and classifications this way enables dynamic, context-aware controls that adapt to both the sensitivity of the data and the attributes of the user. It simplifies policy management and ensures consistent enforcement across your data ecosystem.
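The following Python sketch is an added illustration, not Data 360 policy syntax or any Salesforce API. It models the two sample policies above together with an authoring-time check against a condition element limit. The rule tuple format, the deny-overrides and default-deny combining logic, the one-element-per-condition cost model, the limit of 10, and the permission names Compliance_Team and Support_Team are all assumptions made for the example.

```python
from dataclasses import dataclass, field

MAX_CONDITION_ELEMENTS = 10  # hypothetical limit; the page gives no number

@dataclass(frozen=True)
class Rule:
    effect: str        # "grant" or "deny"
    conditions: tuple  # (source, attribute, op, value); all must hold

@dataclass
class Policy:
    name: str
    rules: list = field(default_factory=list)

    def condition_elements(self):
        # Assumed cost model: one element per condition across all rules.
        return sum(len(r.conditions) for r in self.rules)

def _holds(cond, user, data):
    source, attr, op, value = cond
    present = value in {"user": user, "data": data}[source].get(attr, set())
    return present if op == "has" else not present  # op is "has" or "lacks"

def save_policy(store, policy):
    """Authoring-time check: reject a policy that exceeds the element limit."""
    if policy.condition_elements() > MAX_CONDITION_ELEMENTS:
        raise ValueError(f"{policy.name}: too many condition elements")
    store.append(policy)

def evaluate(store, user, data):
    """Runtime decision (assumed): a matching deny wins, then a matching
    grant, and access is denied when no rule matches at all."""
    matched = {r.effect for p in store for r in p.rules
               if all(_holds(c, user, data) for c in r.conditions)}
    if "deny" in matched:
        return "deny"
    return "grant" if "grant" in matched else "deny"

# Constructed sample policies modelled on the two sentences quoted above.
STORE = []
save_policy(STORE, Policy("confidential-for-compliance", [
    Rule("grant", (("user", "permissions", "has", "Compliance_Team"),
                   ("data", "classifications", "has", "Confidential")))]))
save_policy(STORE, Policy("pii-support-only", [
    Rule("deny", (("data", "tags", "has", "PII"),
                  ("user", "permissions", "lacks", "Support_Team")))]))
```

Under these assumptions, a Support-only user is still denied an object that is both Confidential and tagged PII: the deny rule no longer matches, but no grant rule applies to that user either.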

           