Data Access Control (DAC)
Data Access Control (DAC) is one of three technology tools used to ensure Enterprise Data Warehouse (EDW) data security. See About Data Security for an overview of the full security mechanism and for descriptions of the concepts discussed below.
The DAC is a SQL Server database. There is one copy of this database on every EDW server that stores data available for querying and reporting. The DAC schema contains data permission information for every table, column and row available for querying on those servers. It also contains information on Security Access and Roles Matrix roles and their privileges to tables and columns of data. Lastly, the DAC maintains lists of campus users belonging to those roles.
How the DAC Works
The DAC acquires information about role membership from ASTRA, a UW authorization system that stores information about who can use a wide variety of administrative applications and tools across the UW. The DAC acquires information about data security rules as they apply to Matrix roles from the Security Metadata Administration Tool (SMAT).
DAC information on users and data rules is refreshed nightly, every business day.
1. The DAC consumes information from ASTRA about users and their roles, as well as span of control (row level access) information.
2. The DAC consumes information from the SMAT about the data to which each role is allowed access.
3. The DAC applies the information gained in step 1) to EDW tables and columns, and in doing so creates EDW Secured views, also known as SEC views.
4. Campus users query and report on EDW data using the SEC views. In this way, each user is allowed to see only the tables, columns, or rows to which they have been granted access by the Data Management Committee.
Figure 1. A pictorial representation of how the DAC manages EDW data security
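The steps above can be followed end to end in the added example below, which is not the DAC's own code: it generates a secured view from permission metadata and queries it as different users. SQLite stands in for SQL Server, and every table, column and login name (`student`, `dac_user_role`, `dac_role_column`, `session`, `sec_student`) is hypothetical; it assumes one role per login and a single span-of-control column.

```python
import sqlite3

SCHEMA = """
-- Base EDW table (constructed sample data)
CREATE TABLE student (id INTEGER, name TEXT, gpa REAL, dept TEXT);
INSERT INTO student VALUES (1,'Ana',3.9,'MATH'), (2,'Ben',3.1,'CHEM'), (3,'Cy',2.7,'MATH');
-- Role membership and span of control (the ASTRA feed); NULL span = all rows
CREATE TABLE dac_user_role (login TEXT PRIMARY KEY, role TEXT, span_dept TEXT);
INSERT INTO dac_user_role VALUES ('alice','advisor','MATH'), ('bob','registrar',NULL);
-- Columns each role may read (the SMAT feed)
CREATE TABLE dac_role_column (role TEXT, tbl TEXT, col TEXT);
INSERT INTO dac_role_column VALUES
  ('advisor','student','id'), ('advisor','student','name'), ('advisor','student','dept'),
  ('registrar','student','id'), ('registrar','student','name'),
  ('registrar','student','gpa'), ('registrar','student','dept');
-- Stand-in for the database login (SUSER_SNAME() on SQL Server)
CREATE TABLE session (login TEXT);
"""

def create_sec_view(db, table, span_col):
    """Generate sec_<table> from the permission metadata; deny by default."""
    # Identifiers come from the catalog and the caller, never from end users.
    cols = [r[0] for r in db.execute("SELECT name FROM pragma_table_info(?)", (table,))]
    select = ",\n  ".join(
        f"CASE WHEN EXISTS (SELECT 1 FROM dac_role_column c WHERE c.role = u.role "
        f"AND c.tbl = '{table}' AND c.col = '{c}') THEN t.{c} END AS {c}"
        for c in cols)
    db.execute(
        f"CREATE VIEW sec_{table} AS SELECT\n  {select}\n"
        f"FROM {table} t JOIN dac_user_role u "
        f"ON u.login = (SELECT login FROM session) "
        f"AND (u.span_dept IS NULL OR u.span_dept = t.{span_col})")

def query_as(db, login, sql):
    """Run sql with the session login set to `login`."""
    db.execute("DELETE FROM session")
    db.execute("INSERT INTO session VALUES (?)", (login,))
    return db.execute(sql).fetchall()

def build_demo():
    """Return an in-memory database holding the base table and its SEC view."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    create_sec_view(db, "student", "dept")
    return db

if __name__ == "__main__":
    db = build_demo()
    for who in ("alice", "bob", "mallory"):
        print(who, query_as(db, who, "SELECT * FROM sec_student"))
```

A login with no row in `dac_user_role` matches nothing in the join, so the view returns no rows rather than falling back to the base table; a column the role lacks comes back as NULL.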
To see which users are in what roles, and to gain a deeper understanding of how the Security Access and Roles Matrix rules are applied to data, look at these two reports on the central report server: