Le Duy Khuong (Daniel)

Dev Productivity & Tools

Lakehouse BRD — Chapter 8: Security & Data Privacy (RBAC, Masking)

Security & Privacy: protect all layers, RBAC, PII masking, audit, encryption, compliance with personal data protection regulations.

2026-03-17 · 1 min read

8.1 Objectives

  • Protect data at every layer (ingest, storage, query, consumption)
  • Least privilege
  • PII: label, control, mask or encrypt
  • Monitoring, logging, rollback
  • Compliance with personal data protection regulations (e.g. GDPR, PDPA)

8.2 Security layers

Layer               | Goal                    | OSS tools
--------------------|-------------------------|-----------------------------------
Access Control      | Role- and domain-based  | Trino RBAC, OPA, Superset RBAC
Data Masking        | Hide/encrypt PII        | View masking, Trino SQL masking
Audit & Logging     | Access and action logs  | MinIO, Superset, Prometheus
Encryption          | At-rest and in-transit  | MinIO SSE, TLS/SSL
Consent & Retention | Data subject rights     | Metadata + consent API

8.3 RBAC

  • admin: full access
  • data_engineer: read/write on raw, staging, curated
  • data_analyst: read on curated, analytics
  • store_manager: read filtered by store_id
  • data_steward: metadata and logs
  • external_partner: masked read via API

Configure the roles in Trino, Superset and DataHub.

8.4 Data masking and PII

Masking techniques:

  • Static masking: a view exposes only a partial value (e.g. XXXX5678)
  • Role-based masking: e.g. email returns null when the role lacks permission
  • Hashing: stable tokens for ML and statistics
  • Encryption at rest

PII columns must be labeled: full_name, phone, email, identity_number, address, location_geo.
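An added example (not from the original BRD) tying sections 8.3 and 8.4 together: a small role-based masking engine that applies the static, hashing and null techniques above to the labeled PII columns per role, row-filters store_manager by store_id, and denies roles without a read grant (data_steward). The policy table, salt and customer rows are constructed for illustration.

```python
import hashlib

# Constructed example policy: masking technique per role and PII column.
# "clear" = plain, "last4" = static mask (XXXX5678), "hash" = salted SHA-256
# (stable token for ML/stats joins), "null" = column hidden. Unlisted = "null".
PII_COLUMNS = ("full_name", "phone", "email", "identity_number", "address", "location_geo")
POLICY = {
    "admin": {c: "clear" for c in PII_COLUMNS},
    "data_engineer": {c: "clear" for c in PII_COLUMNS},
    "data_analyst": {"full_name": "hash", "phone": "last4", "email": "hash",
                     "identity_number": "last4"},
    "store_manager": {"full_name": "clear", "phone": "last4", "email": "last4"},
    "external_partner": {"email": "hash", "phone": "hash"},
    # data_steward is deliberately absent: metadata/log access only, no table read
}
HASH_SALT = b"constructed-salt-keep-in-a-secret-store"

def mask_value(value, technique):  # apply one technique to one cell
    if value is None or technique == "clear":
        return value
    if technique == "null":
        return None
    if technique == "last4":
        s = str(value)
        return "X" * max(len(s) - 4, 0) + s[-4:]
    if technique == "hash":
        return hashlib.sha256(HASH_SALT + str(value).encode()).hexdigest()[:16]
    raise ValueError(f"unknown masking technique {technique!r}")

def apply_policy(rows, role, store_id=None):  # row filter, then column masks
    if role not in POLICY:  # deny by default for unknown or non-reader roles
        raise PermissionError(f"role {role!r} has no read grant on this table")
    column_policy = POLICY[role]
    out = []
    for row in rows:
        if role == "store_manager" and row.get("store_id") != store_id:
            continue  # store_manager sees only its own store
        masked = dict(row)
        for col in PII_COLUMNS:
            if col in masked:
                masked[col] = mask_value(masked[col], column_policy.get(col, "null"))
        out.append(masked)
    return out

CUSTOMERS = [  # constructed sample rows
    {"customer_id": 1, "store_id": 7, "full_name": "Nguyen Van A", "phone": "0901235678",
     "email": "a@example.com", "identity_number": "012345678", "address": "1 Main St", "location_geo": "10.77,106.70"},
    {"customer_id": 2, "store_id": 9, "full_name": "Tran Thi B", "phone": "0909871234",
     "email": "b@example.com", "identity_number": "098765432", "address": "2 Side St", "location_geo": "21.03,105.85"},
]
```

In a real deployment the same policy is expressed as Trino column masks and row filters rather than in application code, so that every query path is covered.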

8.5 Compliance (e.g. GDPR, PDPA)

  • Identify personal data types: tag pii and sensitive in metadata
  • Collection and processing policy: log source and purpose
  • Retention policy per table
  • Data subject rights: access, correct, delete via API
  • Audit and reporting

Le Duy Khuong

AI Transformation & Digital Strategy. Writing about agentic systems, engineering leadership, and building in public.