Data governance overview

Data Governance is a set of capabilities that enable customers to finely control access to sensitive data. Skyflow vaults give you powerful governance capabilities out of the box by enforcing granular policies on every data access request in real time with minimum latency.

Skyflow's Policy Based Access Control (PBAC) model inherits the best of two well-proven access control models: Role Based Access Control (RBAC) and Attribute Based Access Control (ABAC).

Policy Based Access Control

The National Institute of Standards and Technology (NIST) defines Policy Based Access Control (PBAC) as "a strategy for managing user access to one or more systems, where the business roles of users are combined with policies to determine what access privileges users of each role should have."

Policies are reusable sets of access rules written in an English-like policy expression language that can be attached to one or more roles or members. Skyflow vaults enable you to enforce dynamic, granular, real-time, condition-based policies to govern access to your vault.

Here is a simplified representation of Skyflow’s PBAC model:


The benefit of this model is that you get manageability of roles while preserving the granularity and dynamism of the ABAC model.

Skyflow has a policy code editor interface where you can author policies with dynamic, real-time feedback on the syntax. This interface uses policy code snippets that prefill many of the required syntax elements.

Vault Owners can author policies in Skyflow Studio or via an API call. They can then attach these policies to roles and assign the roles to users and service accounts that require access to the vault.


A robust data governance solution can unlock opportunities for you to leverage your data in a privacy preserving way. Some of these opportunities are covered below.

Secure multi-party data sharing

Skyflow enables you to securely share your company's sensitive data with internal and external stakeholders by employing data loss prevention techniques such as tokenization, redaction, masking, and encrypted computing. You can give each stakeholder access to a different subset of the data depending on their needs while maintaining a single copy of the data. This is extremely important, as data duplication greatly increases the chances of a data breach.

Example use case: A bank can allow a customer to see their credit card number in plain text while allowing a support agent to see only the last four digits for identity verification purposes.

There are situations where you may need to control access to consumer data based on their consent. This level of control is paramount to building customer trust and is required by leading privacy frameworks like GDPR.

Skyflow supports row-level policies to check for consumer consent before access to a data element is granted on a continuous basis.

You can use row-level policies, a unique feature of Skyflow's governance capabilities, to check for consumer consent before access to a data element is granted on a continuous basis.

Example use case: A healthcare provider can ask for patient consent before their anonymized data is shared with labs for research.

Data minimization

Enforcing principles of least privilege is an effective way to reduce your attack surface area when governing access to sensitive data. User accounts and apps should only have access to the specific fields that they need to perform a legitimate business function. Skyflow enforces very granular and condition-based access policies using column-level and row-level access control, support for SQL WHERE clauses, and Common Expression Language.

Example use case: A physician can view and edit medication information of only those patients she treats and not the entire patient database.

Next steps

Set up data governance or check out one of the articles below:

    Policy enforcement decision logicPolicy expression language reference

In this article