Governance Overview¶
Governance is central to the product identity of DataMuru. Even in the alpha, governance is modeled as a first-class part of the desired state.
Included in the current alpha¶
- Supported: RBAC intent compiles into permission bindings.
- Partial: catalog-level and schema-level Unity Catalog grants can be
applied in Databricks when the provider runs in
live-applywith a SQL warehouse. - Experimental: taxonomy and masking definitions compile into local governance resources.
- Roadmap: live column masks, row filters, and broad object-level policy enforcement.
Why this matters early¶
Starting governance in the bootstrap gives the framework three advantages:
- Governance concepts become part of the data model, not a post-hoc extension.
- Provider and plan logic can evolve with governance in mind.
- Documentation and schemas can establish the language of control early.
Current enforcement boundary¶
DataMuru compiles RBAC assignments into live catalog and schema grants when a
SQL warehouse is configured and the provider runs in live-apply. Taxonomy,
classification, and masking remain local governance resources in the OSS
alpha. See Current capabilities and limits.
Example governance intent¶
roles:
catalog_reader:
permissions:
- object_type: catalog
privileges: [USE_CATALOG]
schema_writer:
permissions:
- object_type: schema
privileges: [USE_SCHEMA, CREATE_TABLE]
assignments:
- role: catalog_reader
principals: [data-analysts]
scope:
catalog: analytics
- role: schema_writer
principals: [data-engineers]
scope:
catalog: analytics
schema: curated
The compiler turns these declarations into stable permission_binding
resources. In state-only mode they are planned locally. In supported
Databricks live-apply flows they become catalog or schema grants.