Dev Productivity & Tools
Lakehouse BRD — Chapter 8: Security & Data Privacy (RBAC, Masking)
Security & Privacy: protect all layers, RBAC, PII masking, audit, encryption, compliance with personal data protection regulations.
2026-03-17 · 1 min read
8.1 Objectives
- Protect data at every layer (ingest, storage, query, consumption)
- Least privilege
- PII: label, control, mask or encrypt
- Monitoring, logging, rollback
- Compliance with personal data protection regulations (e.g. GDPR, PDPA)
8.2 Security layers
| Layer | Goal | OSS tools |
|---|---|---|
| Access Control | Role- and domain-based | Trino RBAC, OPA, Superset RBAC |
| Data Masking | Hide/encrypt PII | View masking, Trino SQL masking |
| Audit & Logging | Access and action logs | MinIO, Superset, Prometheus |
| Encryption | At-rest and in-transit | MinIO SSE, TLS/SSL |
| Consent & Retention | Data subject rights | Metadata + consent API |
8.3 RBAC
- admin: full access
- data_engineer: read/write on raw, staging, curated
- data_analyst: read on curated, analytics
- store_manager: read, limited to the rows of the manager's own store_id
- data_steward: metadata, logs
- external_partner: masked read via API only
Roles are configured in Trino, Superset and DataHub.
8.4 Data masking and PII
- Static masking: a view exposes only the masked value (e.g. a phone number shown as XXXX5678)
- Role-based masking: a column such as email returns NULL when the role lacks permission
- Hashing: for ML and statistics, where a consistent but non-reversible identifier is enough (use a keyed hash such as HMAC, since plain hashes of low-entropy values like phone numbers can be brute-forced)
- Encryption at rest
PII columns must be labeled: full_name, phone, email, identity_number, address, location_geo.
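One way to express the roles of 8.3 and the masking rules above in Trino's file-based access control rules file (an added example, not the project's own configuration): the `lakehouse` catalog, the schema and table names and the `store_manager_map` table that maps a Trino user to its store_id are assumptions, and the pepper string is a placeholder to be replaced from a secret store.

```json
{
  "catalogs": [
    { "role": "admin",         "catalog": "lakehouse", "allow": "all" },
    { "role": "data_engineer", "catalog": "lakehouse", "allow": "all" },
    { "role": "data_analyst",  "catalog": "lakehouse", "allow": "read-only" },
    { "role": "store_manager", "catalog": "lakehouse", "allow": "read-only" }
  ],
  "tables": [
    { "role": "admin",
      "privileges": ["SELECT", "INSERT", "DELETE", "UPDATE", "OWNERSHIP"] },

    { "role": "data_engineer", "catalog": "lakehouse",
      "schema": "(raw|staging|curated)",
      "privileges": ["SELECT", "INSERT", "DELETE", "UPDATE"] },

    { "role": "data_analyst", "catalog": "lakehouse",
      "schema": "(curated|analytics)",
      "privileges": ["SELECT"],
      "columns": [
        { "name": "identity_number", "allow": false },
        { "name": "phone",     "mask": "'XXXX' || substr(phone, -4)" },
        { "name": "email",     "mask": "CAST(NULL AS varchar)" },
        { "name": "full_name", "mask": "to_hex(hmac_sha256(to_utf8(full_name), to_utf8('PLACEHOLDER_PEPPER')))" }
      ] },

    { "role": "store_manager", "catalog": "lakehouse",
      "schema": "curated", "table": "orders",
      "privileges": ["SELECT"],
      "filter": "store_id IN (SELECT store_id FROM lakehouse.curated.store_manager_map WHERE manager_user = current_user)",
      "columns": [
        { "name": "phone", "mask": "'XXXX' || substr(phone, -4)" },
        { "name": "email", "allow": false }
      ] },

    { "role": "store_manager", "catalog": "lakehouse",
      "schema": "curated", "table": "store_manager_map",
      "privileges": ["SELECT"] }
  ]
}
```

Rules are matched top to bottom and the first match wins, and a table with no matching rule is denied, so the admin rule comes first and anything not listed is closed by default. The `role` field matches roles the session has enabled, not every role granted to the user, so clients must SET ROLE (or have a default role) before these rules apply.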
8.5 Compliance (e.g. GDPR, PDPA)
- Identify personal data types: tag columns as pii or sensitive in metadata
- Collection and processing policy: log the source and purpose of each dataset
- Retention policy per table
- Data subject rights: access, correction and deletion via API
- Audit and reporting
