Skip to main content
This feature is currently supported for Databricks, Snowflake, Redshift, and BigQuery.
OAuth support empowers users to run data diffs based on their individual permissions and roles configured within the data warehouses. This ensures that data access is governed by existing security policies and protocols.

Overview

The diagram below illustrates how the authentication flow proceeds:
  1. Users authenticate using the configured OAuth provider.
  2. Users can then create diffs between data sets that their user can access using OAuth database permissions.
  3. During Continuous Integration (CI), Datafold executes diffs using a Service Account with the least privileges, thus masking sensitive/PII data.
  4. If a user needs to see sensitive/PII data from a CI diff, and they have permission via OAuth to do so, they can rerun the diff, and then Datafold will authenticate the user using OAuth database permissions. Then, the user will have access to the data based on these permissions.
This structure ensures that diffs are executed with the user’s database credentials with their configured roles and permissions. Data access permissions are thus fully managed by the database, and Datafold only passes through queries.