Access That Understands Your Data
With DSAC, access decisions aren't just about who's asking—but what they're trying to access. Enforce security at the column level using metadata from OpenMetadata—centrally governed via OpenMetadata or managed manually, centrally governed.
How Keymate Enforces DSAC with Metadata Integration
In Keymate, access to sensitive data is enforced via DSAC policies written against metadata—such as column-level sensitivity tags. Metadata is either automatically sourced from OpenMetadata (via event-based sync), or manually defined in the Keymate Admin Console. This metadata is then used to build DSL-based DSAC policies that determine whether users can access specific fields.
DSAC Metadata Flow and Policy Enforcement
In Keymate, access to sensitive data is enforced via DSAC policies written against metadata—such as column-level sensitivity tags. Metadata is either:
- Automatically sourced from OpenMetadata (via event-based sync), or
- Manually defined in the Keymate Admin Console.
This metadata is then used to build DSL-based DSAC policies that determine whether users can access specific fields.
Example: Visual showing OpenMetadata (Field: customer.ssn, Tags: PII.TCKN, RESTRICTED) syncing via Kafka to Keymate, where a DSL policy (deny if resource.tags includes "PII.TCKN" && user.role != "auditor") is applied for API calls.
Key Components:
Metadata-Driven Capabilities for DSAC
DSAC policies go beyond roles and attributes—they understand the data itself.
Column-Level Authorization
Enforce policies down to the database column or field level, based on sensitivity tags.
PII Tag Integration
Use metadata tags like PII.TCKN, CONFIDENTIAL to trigger access restrictions.
OpenMetadata Integration
Sync data classes and glossary terms directly into the policy engine. Tagging is done upstream. Keymate consumes the classification and lets you define policies accordingly.
Dynamic Context Injection
Token attributes enriched with data context from metadata pipelines.
Security Grade Enforcement
Restrict access based on data classification (Public, Confidential, Restricted).
Audit-Aware Control
Access logs include data-level context for full traceability and compliance audits.
Frequently Asked Questions
Understanding Keymate's Data Security Attribute Control (DSAC).
How to Implement DSAC
Use the Keymate Admin Console to define metadata-based DSAC policies. Integrate with OpenMetadata for auto-classification. See our docs for setup examples and API support.
Steps to Configure and Enforce DSAC Policies
Define Metadata Sources
Connect to OpenMetadata or define sensitivity tags and classifications manually in Keymate.
Write DSAC Policies using DSL
Craft policies that reference data tags (e.g., resource.tags includes 'PII.SSN') and user attributes.
Associate Policies with Resources
Apply DSAC policies to specific database tables, columns, API fields, or application views.
Simulate and Test Policies
Use Keymate's simulation tools to verify DSAC logic against different user profiles and data contexts.
Enforce via SDK or Gateway
Integrate with Keymate's SDKs in your applications or use the API Gateway plugin for real-time DSAC enforcement.
Explore DSAC in Depth
Learn more about DSAC capabilities and how to implement them in our documentation.