Access contract.
Access contracts describe catalog security. Keep them separate from normal ingestion because grants, row filters and column masks often require a different approval path and stronger privileges.
Complete example
- YAML
- Python
_metadata:
contract_version: 1.0.0
access_policy:
mode: validate_only
on_drift: warn
revoke_unmanaged: false
grants:
- principal: account users
privileges: [SELECT]
- principal: data-platform
privileges: [SELECT, MODIFY]
row_filters:
- name: region_filter
function: main.security.filter_region
columns: [region]
applies_to:
principals: [regional-managers]
column_masks:
- column: email
function: main.security.mask_email
using_columns: [email]
applies_to:
principals: [analysts]
from contractforge import governance_check, governance_preview, load_contract_bundle
bundle = load_contract_bundle("contracts/silver/s_customers")
preview = governance_preview(bundle)
check = governance_check(bundle)
# Access changes are normally applied with:
# contractforge apply-access contracts/silver/s_customers
In bundle mode, the matching *.ingestion.yaml owns the target table. Keep target out of the access file unless you intentionally want an explicit compatibility assertion.
Fields
| Field | Type | Default | Use |
|---|---|---|---|
_metadata | object | File metadata for audit and bundle checks. | |
target | object | optional | Optional compatibility check against the ingestion target. |
access_policy.mode | apply | validate_only | ignore | apply | Whether access should be applied, only validated or ignored. |
access_policy.on_drift | fail | warn | reconcile | warn | Behavior when actual grants differ from declared grants. |
access_policy.revoke_unmanaged | boolean | false | Whether unmanaged grants may be revoked during reconciliation. |
mode, on_drift, revoke_unmanaged | same as policy | same | Top-level aliases for compact contracts. |
grants | list[object] | [] | Declared grants. |
grants[].principal | string | required | Catalog principal, user or group. |
grants[].privileges | string | list[string] | required | Privileges such as SELECT, MODIFY, MANAGE, READ FILES, WRITE FILES, EXECUTE or ALL PRIVILEGES. |
row_filters | list[object] | [] | Unity Catalog row filters. |
row_filters[].name | string | required | Logical rule name. |
row_filters[].function | qualified string | required | Fully qualified filter function, for example catalog.schema.function. |
row_filters[].columns | string | list[string] | required | Columns passed to the filter function. |
row_filters[].applies_to.principals | string | list[string] | [] | Principals associated with the rule for documentation/drift context. |
column_masks | list[object] | object | [] | Unity Catalog column masks. Object form is keyed by column name. |
column_masks[].column | string | required in list form | Masked column. |
column_masks[].function | qualified string | required | Fully qualified mask function. |
column_masks[].using_columns | string | list[string] | [] | Columns passed to the mask function. |
column_masks[].applies_to.principals | string | list[string] | [] | Principals associated with the rule for documentation/drift context. |
Apply workflow
Normal ingestion should not require access-management privileges. Use a dedicated workflow for access checks and application.
contractforge validate-access contracts/silver/s_customers
contractforge governance-check contracts/silver/s_customers
contractforge apply-access contracts/silver/s_customers