Access contract | ContractForge

Complete example

_metadata:
  contract_version: 1.0.0

target:
  catalog: main
  schema: crm_curated
  table: s_customers
access_policy:
  mode: validate_only
  on_drift: warn
  revoke_unmanaged: false
grants:
  - principal: account users
    privileges: [SELECT]
  - principal: data-platform
    privileges: [SELECT, MODIFY]
row_filters:
  - name: region_filter
    function: main.security.filter_region
    columns: [region]
    applies_to:
      principals: [regional-managers]
column_masks:
  - column: email
    function: main.security.mask_email
    using_columns: [email]
    applies_to:
      principals: [analysts]

from contractforge import governance_check, governance_preview, load_contract_bundle

bundle = load_contract_bundle("contracts/silver/s_customers")
preview = governance_preview(bundle)
check = governance_check(bundle)

# Access changes are normally applied with:
# contractforge apply-access contracts/silver/s_customers

Fields

Field	Type	Default	Use
`_metadata`	object	{}	File metadata for audit and bundle checks.
`target`	object	optional	Optional compatibility check against the ingestion target.
`access_policy.mode`	`apply` \| `validate_only` \| `ignore`	`apply`	Whether access should be applied, only validated or ignored.
`access_policy.on_drift`	`fail` \| `warn` \| `reconcile`	`warn`	Behavior when actual grants differ from declared grants.
`access_policy.revoke_unmanaged`	boolean	false	Whether unmanaged grants may be revoked during reconciliation.
`mode`, `on_drift`, `revoke_unmanaged`	same as policy	same	Top-level aliases for compact contracts.
`grants`	list[object]	[]	Declared grants.
`grants[].principal`	string	required	Catalog principal, user or group.
`grants[].privileges`	string \| list[string]	required	Privileges such as `SELECT`, `MODIFY`, `MANAGE`, `READ FILES`, `WRITE FILES`, `EXECUTE` or `ALL PRIVILEGES`.
`row_filters`	list[object]	[]	Unity Catalog row filters.
`row_filters[].name`	string	required	Logical rule name.
`row_filters[].function`	qualified string	required	Fully qualified filter function, for example `catalog.schema.function`.
`row_filters[].columns`	string \| list[string]	required	Columns passed to the filter function.
`row_filters[].applies_to.principals`	string \| list[string]	[]	Principals associated with the rule for documentation/drift context.
`column_masks`	list[object] \| object	[]	Unity Catalog column masks. Object form is keyed by column name.
`column_masks[].column`	string	required in list form	Masked column.
`column_masks[].function`	qualified string	required	Fully qualified mask function.
`column_masks[].using_columns`	string \| list[string]	[]	Columns passed to the mask function.
`column_masks[].applies_to.principals`	string \| list[string]	[]	Principals associated with the rule for documentation/drift context.

Apply workflow

Normal ingestion should not require access-management privileges. Use a dedicated workflow for access checks and application.

contractforge validate-access contracts/silver/s_customers
contractforge governance-check contracts/silver/s_customers
contractforge apply-access contracts/silver/s_customers