Security and Access Control
📄️ Data Authorization
Data Authorization is the platform's first layer of defense, controlling who can read and write which data. It runs inside the Spark engine: every SQL statement, DataFrame operation, and DDL or DML command is intercepted and checked against your access before any data is touched. If you're allowed to access the resource, the query runs normally. If you're not, the query is blocked immediately with a clear message identifying what was denied.
📄️ Session Policy
AWS only
📄️ How They Work Together
Data Authorization and Session Policy are complementary, not alternatives. They address different threat vectors at different layers of the stack and are designed to be deployed together. In production, both should be on. This chapter is the side-by-side recap so you can see, at a glance, which layer is doing what.