Fine-grained access control grants on zones, schemas, and tables.
## Overview The Object Permissions page provides a centralized interface for managing fine-grained access control lists (ACLs) on catalog objects including zones, schemas, and tables. Security administrators use this page to grant and revoke privileges, configure column-level masking, and audit the effective permissions inherited by each role. Permissions follow a hierarchical model where grants on a zone cascade to its schemas and tables unless overridden. The permission matrix view makes it straightforward to verify that each role holds exactly the intended privileges across the entire catalog. ## Key Features - **Grant and revoke permissions on catalog objects.** Assign SELECT, INSERT, UPDATE, DELETE, and administrative privileges to roles at the zone, schema, or table level. Revoke individual grants without affecting other permissions held by the same role. - **Permission matrix view by role.** Display a cross-tabulation of roles against catalog objects showing the effective privilege set for each combination. Color-coded cells distinguish direct grants from inherited grants. - **Column-level masking configuration.** Attach masking policies to specific columns so that restricted roles see redacted or transformed values while privileged roles see the original data. - **Effective permission preview.** Select a role and a catalog object to preview the resolved set of permissions, accounting for role hierarchy, group membership, and inheritance from parent objects. - **Audit log.** Review a chronological record of all permission changes including the actor, timestamp, object, and operation. Filter by date range, role, or object to investigate specific events. ## Workflow 1. Navigate to the Object Permissions page from the Catalog sidebar. 2. Select the target catalog object (zone, schema, or table) from the hierarchy tree. 3. View existing grants in the permission matrix and identify gaps or over-privileges. 4. Grant or revoke permissions for the desired roles using the inline controls. 5. Configure column-level masking policies on sensitive columns if required. 6. Use the effective permission preview to verify the resulting access for a specific role. 7. Review the audit log to confirm that all changes are recorded correctly.