

# Fine-grained access control to data
<a name="fine-grained-access-control"></a>

In the current release of Amazon SageMaker Unified Studio, fine-grained access control of your data is supported so you can have granular access control over your sensitive data. You can control which project can access specific records of data within your data assets published to the Amazon SageMaker Unified Studio business data catalog. Amazon SageMaker Unified Studio supports row and column filters to implement fine-grained access control.

Use **row filters** to restrict access to specific rows based on the criteria you define. For example, if your table contains data for two regions (America and Europe) and you want to ensure that employees in Europe can only access data relevant to their region, you can create a row filter that includes rows where the region is Europe (`region = 'Europe'`). This way, employees in Europe won't have access to America’s data.

Use **column filters** to limit access to specific columns within your data assets. For example, if your table includes sensitive information such as Personally Identifiable Information (PII), you can create a column filter to exclude PII columns. This ensures that subscribers can only access non-sensitive data.

To utilize fine-grained access control, you can create row and column filters for your AWS Glue and Amazon Redshift assets in Amazon SageMaker Unified Studio. When you receive a subscription request to access your data assets, you can approve it by applying the appropriate row and column filters. Amazon SageMaker Unified Studio ensures that the subscriber can only access the rows and columns permitted by the filters you applied at the time of subscription approval.

**Topics**
+ [Limitations](#fine-grained-data-limitations)
+ [Create row filters in Amazon SageMaker Unified Studio](create-row-filter.md)
+ [Create column filters in Amazon SageMaker Unified Studio](create-column-filter.md)
+ [Delete row or column filters in Amazon SageMaker Unified Studio](delete-row-column-filter.md)
+ [Edit row or column filters in Amazon SageMaker Unified Studio](edit-row-column-filter.md)
+ [Grant access with filters in Amazon SageMaker Unified Studio](grant-access-with-filters.md)

## Limitations
<a name="fine-grained-data-limitations"></a>

When configuring row or column level filters for fine-grained access control, filtering on columns whose name contains special characters impacts which compute types can access the data.
+ In cases where the column name contains special characters, adding an Asset Filter will automatically add double quotes `" "` around the column name to escape the special characters.

  As a result, the asset is not accessible by data processing compute engines such as EMR-EC2, EMR-Serverless, or Glue-ETL. This asset is still accessible by other compute engines.

  To remove this limitation, either remove the filters on the column names containing special characters or rename the column to remove the special characters and recreate the filter.

# Create row filters in Amazon SageMaker Unified Studio
<a name="create-row-filter"></a>

Amazon SageMaker Unified Studio allows you to create row filters that you can use when approving subscriptions to make sure that the subscriber can only access rows of data as defined in the row filters. To create a row filter, follow the steps below: 

1. Navigate to Amazon SageMaker Unified Studio using the URL from your admin and log in using your SSO or AWS credentials. 

1. Choose **Select project** from the top navigation pane and select the project to which the asset belongs.

1. Under **Project catalog** in the left side navigation, choose **Assets**.

1. Make sure you are on the **Inventory** tab, then choose the name of the asset that you want to create a row filter for. You can add row filters if your data asset in Amazon SageMaker Unified Studio is of type AWS Glue table, Amazon Redshift table, or Amazon Redshift view. You are then brought to the asset details page.

1. On the asset detail page, go to the **Asset filters** tab and then choose **Add asset filter**.

1. Configure the following fields:
   + **Name** – the name of the filter
   + **Description** – the description of the filter

1. Under filter type, choose **Row filter**.

1. Under row filter expression, provide one or more expressions for row filter.
   + Choose a column from the **Column** dropdown.
   + Choose an operator from the **Operator** dropdown.
   + Enter a value in the **Value** field.

1. To add another condition to your filter expression, choose **Add condition**.

1. When using multiple conditions in the row filter expression, choose **And** or **Or** to link the conditions.

1. Select an option to indicate whether or not the filter contains sensitive values that you want to hide from approved subscribers.

1. Choose **Create asset filter**.

# Create column filters in Amazon SageMaker Unified Studio
<a name="create-column-filter"></a>

Amazon SageMaker Unified Studio enables you to create column filters that you can use when approving subscriptions to make sure that the subscriber can only access columns of data as defined in the column filters. To create a column filter, follow the steps below: 

1. Navigate to Amazon SageMaker Unified Studio using the URL from your admin and log in using your SSO or AWS credentials. 

1. Choose **Select project** from the top navigation pane and select the project to which the asset belongs.

1. Under **Project catalog** in the left side navigation, choose **Assets**.

1. Make sure you are on the **Inventory** tab, then choose the name of the asset that you want to create a column filter for. You can add column filters if your data asset in Amazon SageMaker Unified Studio is of type AWS Glue table, Amazon Redshift table, or Amazon Redshift view. You are then brought to the asset details page.

1. On the asset detail page, go to the **Asset filters** tab and then choose **Add asset filter**.

1. Configure the following fields:
   + **Name** – the name of the filter
   + **Description** – the description of the filter

1. Under filter type, choose **Column**.

1. Select the columns you want to include in the filters using the check boxes for the columns in the data asset. 

1. Choose **Create asset filter**.

# Delete row or column filters in Amazon SageMaker Unified Studio
<a name="delete-row-column-filter"></a>

To delete a row or a column filter, follow the steps below: 

1. Navigate to Amazon SageMaker Unified Studio using the URL from your admin and log in using your SSO or AWS credentials. 

1. Choose **Select project** from the top navigation pane and select the project to which the asset belongs.

1. Under **Project catalog** in the left side navigation, choose **Assets**.

1. Make sure you are on the **Inventory** tab, then choose the name of the asset where you want to delete a row or a column filter. 

1. On the asset details page, go to the **Asset filters** tab and then choose the name of the filter that you want to delete. 

1. Choose **Actions**, **Delete** and then confirm the deletion.

**Note**  
You can delete a filter only if it is not being used in active subscriptions.

# Edit row or column filters in Amazon SageMaker Unified Studio
<a name="edit-row-column-filter"></a>

To edit a row or a column filter, follow the steps below: 

1. Navigate to Amazon SageMaker Unified Studio using the URL from your admin and log in using your SSO or AWS credentials. 

1. Choose **Select project** from the top navigation pane and select the project to which the asset belongs.

1. Under **Project catalog** in the left side navigation, choose **Assets**.

1. Make sure you are on the **Inventory** tab, then choose the name of the asset that contains the filter that you want to edit.

1. On the asset detail page, go to the **Asset filters** tab and then choose the name of the filter that you want to edit.

1. You can edit the following fields:
   + **Name** – the name of the filter
   + **Description** – the description of the filter

1. If you're editing a row filter, you can update the row filter expression.

1. If you're editing a column filter, you can add or remove the columns selected in the filter. 

1. After you have made the changes, choose **Edit asset filter**.

**Note**  
If you edit a filter that is being used in active subscriptions, Amazon SageMaker Unified Studio will automatically update the permissions granted to the subscriber projects. This means that the subscribers will only be able to access the rows or columns as defined in the updated filter, ensuring that your data access policies are consistently enforced.

# Grant access with filters in Amazon SageMaker Unified Studio
<a name="grant-access-with-filters"></a>

Amazon SageMaker Unified Studio enables fine-grained access control by translating the defined row and column filters into appropriate grants for AWS Lake Formation and Amazon Redshift. Below is an explanation of how Amazon SageMaker Unified Studio materializes these filters for both AWS Glue tables and Amazon Redshift.

## AWS Glue tables
<a name="grant-access-with-filters-glue"></a>

When a subscription to an AWS Glue table with row and/or column filters is approved, Amazon SageMaker Unified Studio materializes the subscription by creating grants in AWS Lake Formation with Data Cell Filters, ensuring that the members of the subscriber project are only able to access the rows and columns they are allowed to access based on the filters applied to the subscription. 

Amazon SageMaker Unified Studio first translates the row and column filters applied in Amazon SageMaker Unified Studio to AWS Lake Formation Data Cell Filters. If multiple row and column filters are used, Amazon SageMaker Unified Studio unions all the columns and all the row filter conditions to compute effective permissions at both row and column level. Amazon SageMaker Unified Studio then creates a single AWS Lake Formation data cell filter using the effective row and column permissions.

After the data cell filter is created, Amazon SageMaker Unified Studio shares the subscribed table with the subscriber project by creating read-only (SELECT) permissions in AWS Lake Formation using this data cell filter. 

## Amazon Redshift
<a name="grant-access-with-filters-redshift"></a>

When a subscription to an Amazon Redshift table/view with row and/or column filters is approved, Amazon SageMaker Unified Studio materializes the subscription by creating scoped-down late binding views in Amazon Redshift, ensuring that the members of the subscriber project are only able to access the rows and columns they are allowed to access based on the row and column filters applied to the subscription. 

Amazon SageMaker Unified Studio first translates the row and column filters applied to a subscription in Amazon SageMaker Unified Studio to an Amazon Redshift late binding view. If multiple row and column filters are used, Amazon SageMaker Unified Studio unions all the columns and all the row filter conditions to compute effective permissions at both row and column level. Amazon SageMaker Unified Studio then creates the late binding view using the effective row and column permissions.

After the late binding view is created, Amazon SageMaker Unified Studio shares this view with the members of subscriber project by creating read-only (SELECT) permissions in Amazon Redshift.
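The following is an added worked example, written for this page and not code from Amazon SageMaker Unified Studio, that shows how several approved row and column filters collapse into one effective grant as the AWS Glue and Amazon Redshift sections above describe: columns are unioned, row filter expressions are unioned (combined with `OR`), and the result is expressed once as a Lake Formation data cell filter or as a Redshift late binding view. It also applies the double-quoting of column names that contain special characters noted under Limitations. The filter names, columns, values, catalog/database/table names and view names are constructed sample data; the `TableData` request shape for `create_data_cells_filter` and the handling of a subscription with no column filter (treated as all columns) are assumptions of this example.

```python
"""Collapse several approved asset filters into one effective grant.

Illustrative re-implementation for this page, not service code. The boto3
request shape below and the no-column-filter behaviour are assumptions.
"""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Condition:
    column: str
    operator: str   # as chosen in the Operator dropdown, e.g. "=", ">", "<>"
    value: object   # str values are single-quoted, numbers emitted bare


@dataclass
class RowFilter:
    name: str
    conditions: list
    connector: str = "And"   # "And" / "Or" linking this filter's conditions


@dataclass
class ColumnFilter:
    name: str
    columns: list


_PLAIN_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def quote_ident(name: str) -> str:
    """Double-quote a column name only when it contains special characters
    (the behaviour the Limitations section describes). Embedded double quotes
    are doubled so a crafted name cannot terminate the identifier early."""
    if _PLAIN_IDENT.match(name):
        return name
    return '"' + name.replace('"', '""') + '"'


def quote_value(value) -> str:
    """Render a literal safely: booleans/numbers bare, strings single-quoted
    with embedded single quotes doubled."""
    if isinstance(value, bool):
        return "TRUE" if value else "FALSE"
    if isinstance(value, (int, float)):
        return repr(value)
    return "'" + str(value).replace("'", "''") + "'"


def render_row_filter(f: RowFilter) -> str:
    """One row filter becomes a parenthesised predicate; its conditions are
    joined by the And/Or connector chosen when the filter was created."""
    parts = [f"{quote_ident(c.column)} {c.operator} {quote_value(c.value)}"
             for c in f.conditions]
    return "(" + f" {f.connector.upper()} ".join(parts) + ")"


def effective_permissions(filters):
    """Union the columns of all column filters and OR all row filters.
    Returns (columns, predicate); columns is None when no column filter was
    applied (assumed here to mean every column), predicate is None when no
    row filter was applied (every row)."""
    columns = None
    for f in filters:
        if isinstance(f, ColumnFilter):
            columns = [] if columns is None else columns
            for col in f.columns:
                if col not in columns:       # set union, order preserved
                    columns.append(col)
    rows = [render_row_filter(f) for f in filters if isinstance(f, RowFilter)]
    return columns, (" OR ".join(rows) if rows else None)


def to_lake_formation_data_cells_filter(catalog_id, database, table, name, filters):
    """Build the TableData argument for lakeformation.create_data_cells_filter
    (request shape is an assumption of this example)."""
    columns, predicate = effective_permissions(filters)
    table_data = {
        "TableCatalogId": catalog_id,
        "DatabaseName": database,
        "TableName": table,
        "Name": name,
        "RowFilter": ({"FilterExpression": predicate} if predicate
                      else {"AllRowsWildcard": {}}),
    }
    if columns is None:
        table_data["ColumnWildcard"] = {}
    else:
        table_data["ColumnNames"] = list(columns)
    return table_data


def to_redshift_late_binding_view(view_schema, view_name, src_schema, src_table, filters):
    """Emit the scoped-down view; WITH NO SCHEMA BINDING makes it late binding."""
    columns, predicate = effective_permissions(filters)
    select_list = "*" if columns is None else ", ".join(quote_ident(c) for c in columns)
    sql = (f"CREATE VIEW {quote_ident(view_schema)}.{quote_ident(view_name)} AS\n"
           f"SELECT {select_list}\n"
           f"FROM {quote_ident(src_schema)}.{quote_ident(src_table)}")
    if predicate:
        sql += f"\nWHERE {predicate}"
    return sql + "\nWITH NO SCHEMA BINDING;"


# Constructed sample: one subscription approved with four asset filters.
SAMPLE_FILTERS = [
    RowFilter("europe-rows", [Condition("region", "=", "Europe")]),
    RowFilter("large-american-orders",
              [Condition("region", "=", "America"), Condition("order total", ">", 1000)], "And"),
    ColumnFilter("no-pii", ["order_id", "region", "order total"]),
    ColumnFilter("finance", ["order total", "currency"]),
]

if __name__ == "__main__":
    print(to_lake_formation_data_cells_filter("123456789012", "sales_db", "orders",
                                              "subscription-1", SAMPLE_FILTERS))
    print(to_redshift_late_binding_view("sub_schema", "orders_v", "sales", "orders",
                                        SAMPLE_FILTERS))
```

Running it shows the two materializations side by side: the same effective column list and the same `OR`-joined predicate, once as a data cell filter request and once as view SQL in which `"order total"` is quoted because of the space in its name (the case the Limitations section says some compute engines cannot read).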