Attribute-Based Access Controls: Right data, right users
Today, most business operations live in the cloud. But traditional methods of granting fine-grained access — one role, one ticket, one table at a time — break down at cloud scale. Permissions pile up faster than anyone can audit them, and every forgotten grant widens the damage a future breach can do. This becomes particularly problematic with Agentic Access, where excessive access rights create significant data security risks.
Attribute-based access control flips this model. Instead of assigning permissions manually, access is granted automatically based on the attributes of your identities — both human and agent — such as domain, intent, department, or job function, and the attributes of your data, such as its sensitivity or category.
That shift makes least privilege the natural result, instead of an ongoing chore. Under the old model, granting limited access meant perpetually chasing down and revoking grants that had outlived their purpose. Attribute-based controls handle it from the start: people and AI Agents get exactly the right access automatically, and lose it the moment their attributes change or their task is completed.
What's new: Attribute-Based Access Controls (ABAC) in Collibra Data Access
Collibra Data Access now lets you govern who can see what using the attributes of your users and your data—not brittle, hand-maintained roles. Instead of granting one person access to one table at a time, now you can write a single dynamic rule: "any user tagged Department: Sales and OfficeLocation: EU can read any table tagged CATEGORY: customer." As identities, classifications and tags change, access recalculates on its own.
The same attribute model powers data protection: a column-masking policy can automatically mask every column tagged SENSITIVITY: PII or SENSITIVITY: PCI, and only reveal it to the identities your policy authorizes. Built on our semantic-enriched knowledge graph, ABAC lets you define access once and enforce it natively in your data platform, including Snowflake, Databricks and BigQuery. The result: the upkeep that RBAC formerly required by hand now maintains itself.
In the same way you govern access for human identities, you can use ABAC to grant just-in-time and just-enough access on a per-request basis to AI Agents that perform tasks based on attributes such as their domain, owner and intent.
The challenge: Access management at scale
As data estates grow across Snowflake, Databricks and BigQuery, access management turns into a permanent backlog: every new hire, every newly developed agent, project, table and regulation means another ticket, another role, another manual grant. Roles multiply, drift out of date and quietly accumulate into over-permissioned access that nobody has time to review — exactly the conditions behind most breaches and failed audits.
Attribute-based access controls break the cycle by linking access to meaning. In other words, once the attributes of the identities, human and/or agent (department, location, job title), and the attributes of the data (category, sensitivity) are assigned, the policy is written once and, moving forward, Collibra maintains accuracy.
The challenges this solves:
- Manual, ticket-driven provisioning: Replaces one-off grants and growing role libraries with dynamic rules that evaluate user and data attributes automatically — access is calculated, not hand-assigned.
- Role explosion and access creep: Eliminates the sprawl of near-duplicate roles by expressing intent as attributes, so permissions stay current and over-entitlement is designed out rather than cleaned up.
- Audit and compliance blind spots: Ties every grant and mask to governed attributes and classifications with a clear, reviewable record of who can access what and why — making least-privilege provable.
How attribute-backed access controls work
ABAC rests on three things: governed attributes, dynamic rules, and native enforcement. Attributes sit on both sides of the access decision.
Attributes describe both sides of every access decision — the people and agents requesting data (domain, intent, department, location, role) and the data itself (category, sensitivity) — drawn from Collibra's catalog and classification.
Instead of assigning permissions by hand, now you’ll be able to write dynamic rules that match on those attributes, combined with simple logic to capture real business policy. And before saving, you can preview the exact identity rule resolution, so the scope is clear up front.
Create dynamic access rules that update automatically as user attributes change.
Rules power two complementary capabilities: roles that dynamically grant access to the data in scope, and column-masking policies that dynamically protect sensitive fields and reveal them only to authorized identities. For AI Agents, ABAC can also be used for on-request access, where access is limited in time and scope depending on the domain, owner or intent of the Agent.
One rule, no tickets: read access to customer data follows users in Sales and Marketing automatically, enforced directly in Snowflake.
Finally, Collibra enforces these decisions natively in platforms—including Snowflake, Databricks and BigQuery—rather than acting as a proxy, pushing grants and masks down to the source and keeping policy and enforcement in sync. Anchored to the semantic graph and connected to your identity providers, you define access once and enforce it consistently across platforms.
Why you should be excited
By moving to attribute-based access, compliance, engineering, and AI leadership teams can finally replace manual bottlenecks with automated, policy-driven governance.
- Compliance and risk teams: Prove least privilege and protect regulated data by default — sensitive columns are masked on classification, and every grant maps to governed attributes for GDPR, HIPAA and PCI DSS.
- Data platform leads and engineers: Stop drowning in access tickets and one-off masking scripts. Push consistent enforcement into Snowflake (and beyond) from one place.
- CDO / CDIAO and AI teams: Scale self-service and AI safely; the same policies govern human and machine/AI identities, so workloads stay compliant by design.
Use cases
- Region- and role-aware access to customer data: One role grants Read on all Snowflake tables tagged CATEGORY: customer to users tagged Department:Sales and OfficeLocation:EU. New EU hires gain access automatically; movers and leavers fall out of scope without a ticket.
- Mask-by-default for PII and PCI: A single policy masks every column tagged SENSITIVITY:PII or PCI, returning NULL to anyone outside the authorized set — so newly classified columns are protected automatically.
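A minimal model of the two use cases above, added here as an illustration; it is not Collibra's engine, API or policy syntax. The class names, the `matches` helper and the `JobFunction: PrivacyOfficer` reveal attribute are assumptions made for the example, and the sample data is constructed.

```python
"""Added illustration of attribute-based evaluation; not Collibra's engine or API."""
from dataclasses import dataclass, field

@dataclass
class Identity:
    name: str
    attrs: dict

@dataclass
class Table:
    name: str
    tags: dict
    column_tags: dict = field(default_factory=dict)  # column name -> tag dict

def matches(attrs, required):
    """AND across keys, OR across each key's allowed values; a missing key never matches."""
    return all(attrs.get(key) in allowed for key, allowed in required.items())

# Use case 1: Read on tables tagged CATEGORY: customer for EU Sales.
READ_RULE = {"who": {"Department": {"Sales"}, "OfficeLocation": {"EU"}},
             "what": {"CATEGORY": {"customer"}}}
# Use case 2: mask SENSITIVITY PII/PCI. The "reveal_to" attribute is a constructed assumption.
MASK_POLICY = {"what": {"SENSITIVITY": {"PII", "PCI"}},
               "reveal_to": {"JobFunction": {"PrivacyOfficer"}}}

def can_read(identity, table):
    return (matches(identity.attrs, READ_RULE["who"])
            and matches(table.tags, READ_RULE["what"]))

def read_row(identity, table, row):
    """Deny unless a rule grants read; then mask tagged columns unless authorized."""
    if not can_read(identity, table):
        raise PermissionError(f"{identity.name}: no rule grants read on {table.name}")
    reveal = matches(identity.attrs, MASK_POLICY["reveal_to"])
    return {col: None if (not reveal and matches(table.column_tags.get(col, {}),
                                                 MASK_POLICY["what"])) else value
            for col, value in row.items()}

# Constructed sample data.
CUSTOMERS = Table("customers", {"CATEGORY": "customer"},
                  {"email": {"SENSITIVITY": "PII"}, "card": {"SENSITIVITY": "PCI"}})
ROW = {"id": 7, "email": "ana@example.com", "card": "4111111111111111", "phone": "555-0100"}
ana = Identity("ana", {"Department": "Sales", "OfficeLocation": "EU"})

if __name__ == "__main__":
    print(read_row(ana, CUSTOMERS, ROW))                      # email and card masked
    CUSTOMERS.column_tags["phone"] = {"SENSITIVITY": "PII"}   # newly classified column
    print(read_row(ana, CUSTOMERS, ROW))                      # phone now masked too
    ana.attrs["OfficeLocation"] = "US"                        # mover falls out of scope
    print(can_read(ana, CUSTOMERS))
```

Nothing in the model stores a per-user grant: the decision is recomputed from current attributes and tags on every call, which is why reclassifying a column or moving a user changes the outcome without touching the rule.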
Key takeaways
With attribute-based access controls, Collibra Data Access lets you set policy once and hold it everywhere. You describe the access parameters in plain business language, and intent is enforced automatically across every system your data touches. You’re no longer rewriting rules for each platform. Because Collibra already knows your data, catalog and classification feed directly into policies that adjust on the fly based on user and data attributes, with built-in, instead of bolted-on, enforcement. As a result, the long-standing gap between understanding and controlling access to your data disappears, and least privilege stops being something you chase after the fact. Now, it’s how the system behaves by default. And it’s the same way for every data source — and every professional and agent across your entire organization.