Row / Column Security
The practice of restricting access to specific rows or columns within lakehouse tables based on user identity, role, or policy, enforced at query time by the compute engine or catalog layer.
Summary
The practice of restricting access to specific rows or columns within lakehouse tables based on user identity, role, or policy, enforced at query time by the compute engine or catalog layer.
Row/column security is the fine-grained access control layer for multi-tenant or regulated lakehouses on S3. Since S3 itself has only bucket and prefix-level IAM policies, row/column security must be enforced by the query engine (Trino, Spark, Dremio) or catalog (Polaris, Ranger) rather than by the storage layer.
- S3 cannot enforce row or column-level access. Security policies must be enforced at the query engine or catalog layer, and any tool with direct S3 access can bypass them.
- Row-level security applied at query time adds runtime overhead. Filter predicates must be injected into every query plan, and complex policies can degrade performance.
- Column masking and row filtering are not always composable. Interactions between row filters and column masks can produce unexpected results if not carefully tested.
scoped_toLakehouse, S3 — access control for S3-stored table datadepends_onApache Ranger — policy engine for row/column securityenablesTenant Isolation — row-level filtering is a key tenant isolation mechanismenablesCompliance-Aware Architectures — regulatory requirement for data access control
Definition
An access control pattern that restricts visibility of specific rows or columns in lakehouse tables based on user identity, role, or policy — enforced at query time without duplicating data on S3.
S3 stores data as files with bucket/key-level access control. Fine-grained security (hiding salary columns from non-HR users, filtering rows by region) cannot be achieved at the storage layer alone. Row/column security adds a logical access control layer above the physical files.
Multi-tenant data access on shared lakehouse tables, GDPR-compliant column masking, role-based row filtering for analytics.
Connections 8
Outbound 5
Inbound 3
depends_on2solves1Resources 3
Databricks row and column filter documentation for applying fine-grained access control to lakehouse tables on S3.
Apache Ranger provides centralized row-level and column-level security policies for data lake platforms including Hive, Spark, and Trino.
Trino's access control documentation covering column masking and row filtering for S3-backed catalogs.