access-management

RBAC/ABAC implementation patterns, least privilege access, row-level security, column masking, and access review workflows.

16 stars

bydiegosouzapw

View on GitHub Installation ↓

Best use case

access-management is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

RBAC/ABAC implementation patterns, least privilege access, row-level security, column masking, and access review workflows.

Teams using access-management should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

You only need a quick one-off answer and do not need a reusable workflow.
You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$curl -o ~/.claude/skills/access-management/SKILL.md --create-dirs "https://raw.githubusercontent.com/diegosouzapw/awesome-omni-skill/main/skills/development/access-management/SKILL.md"

Manual Installation

Download SKILL.md from GitHub
Place it in .claude/skills/access-management/SKILL.md inside your project
Restart your AI agent — it will auto-discover the skill

How access-management Compares

Feature / Agent	access-management	Standard Approach
Platform Support	Not specified	Limited / Varies
Context Awareness	High	Baseline
Installation Complexity	Unknown	N/A

Frequently Asked Questions

What does this skill do?

RBAC/ABAC implementation patterns, least privilege access, row-level security, column masking, and access review workflows.

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

# Access Management Skill

## Overview

Comprehensive access management patterns for Unity Catalog including RBAC, ABAC, row-level security, column masking, and automated access reviews.

## RBAC (Role-Based Access Control)

### Standard Role Framework
```python
STANDARD_ROLES = {
    "data_consumer": {
        "privileges": ["USE CATALOG", "USE SCHEMA", "SELECT"],
        "scope": "gold layer",
        "description": "Read-only access to curated data"
    },
    "data_producer": {
        "privileges": ["USE CATALOG", "USE SCHEMA", "SELECT", "MODIFY", "CREATE TABLE"],
        "scope": "bronze, silver layers",
        "description": "Transform and load data"
    },
    "data_steward": {
        "privileges": ["USE CATALOG", "USE SCHEMA", "SELECT", "MODIFY", "ALTER", "GRANT"],
        "scope": "all layers",
        "description": "Manage schema and metadata"
    },
    "platform_admin": {
        "privileges": ["ALL PRIVILEGES"],
        "scope": "all catalogs",
        "description": "Full administrative access (minimal assignments)"
    }
}
```

### Role Assignment
```python
def assign_role(principal: str, role: str, catalog: str):
    """Assign standard role to user or group."""
    role_def = STANDARD_ROLES[role]

    for privilege in role_def["privileges"]:
        if role_def["scope"] == "all catalogs":
            grant_sql = f"GRANT {privilege} ON CATALOG {catalog} TO `{principal}`"
        elif role_def["scope"] == "gold layer":
            grant_sql = f"GRANT {privilege} ON SCHEMA {catalog}.gold TO `{principal}`"

        spark.sql(grant_sql)

    log_role_assignment(principal, role, catalog)
```

## ABAC (Attribute-Based Access Control)

### Attribute-Based Policies
```python
def create_abac_policy(resource: str, attributes: dict):
    """Create attribute-based access policy."""
    policy_conditions = []

    # Department-based access
    if "department" in attributes:
        policy_conditions.append(
            f"department = '{attributes['department']}' OR IS_ACCOUNT_GROUP_MEMBER('admin')"
        )

    # Clearance level-based
    if "clearance_level" in attributes:
        policy_conditions.append(
            f"user_clearance >= {attributes['clearance_level']}"
        )

    # Time-based access
    if "business_hours_only" in attributes:
        policy_conditions.append(
            "HOUR(NOW()) BETWEEN 8 AND 18"
        )

    # Generate policy function
    policy_sql = f"""
    CREATE FUNCTION abac_{resource}_policy()
    RETURNS BOOLEAN
    RETURN {' AND '.join(policy_conditions)};
    """

    spark.sql(policy_sql)
```

## Row-Level Security

### Pattern 1: Regional Access Control
```sql
CREATE FUNCTION regional_access(region STRING)
RETURNS BOOLEAN
RETURN CASE
  WHEN IS_ACCOUNT_GROUP_MEMBER('global_access') THEN TRUE
  WHEN IS_ACCOUNT_GROUP_MEMBER('us_team') AND region = 'US' THEN TRUE
  WHEN IS_ACCOUNT_GROUP_MEMBER('eu_team') AND region = 'EU' THEN TRUE
  ELSE FALSE
END;

ALTER TABLE sales_data SET ROW FILTER regional_access ON (region);
```

### Pattern 2: Multi-Tenant Isolation
```sql
CREATE FUNCTION tenant_filter(tenant_id STRING)
RETURNS BOOLEAN
RETURN current_user() LIKE CONCAT(tenant_id, '@%')
    OR IS_ACCOUNT_GROUP_MEMBER('support_admin');

ALTER TABLE saas.customer_data SET ROW FILTER tenant_filter ON (tenant_id);
```

### Pattern 3: Department-Based Access
```sql
CREATE FUNCTION department_access(dept STRING)
RETURNS BOOLEAN
RETURN IS_ACCOUNT_GROUP_MEMBER(CONCAT('dept_', LOWER(dept)))
    OR IS_ACCOUNT_GROUP_MEMBER('hr_admin');

ALTER TABLE employees SET ROW FILTER department_access ON (department);
```

## Column Masking

### Pattern 1: Conditional Masking
```sql
CREATE FUNCTION mask_email(email STRING)
RETURNS STRING
RETURN CASE
  WHEN IS_ACCOUNT_GROUP_MEMBER('pii_admin') THEN email
  WHEN IS_ACCOUNT_GROUP_MEMBER('pii_viewer') THEN
    CONCAT(LEFT(email, 3), '***@', SPLIT(email, '@')[1])
  ELSE 'REDACTED'
END;

ALTER TABLE customers ALTER COLUMN email SET MASK mask_email;
```

### Pattern 2: SSN Masking
```sql
CREATE FUNCTION mask_ssn(ssn STRING)
RETURNS STRING
RETURN CASE
  WHEN IS_ACCOUNT_GROUP_MEMBER('hr_full') THEN ssn
  WHEN IS_ACCOUNT_GROUP_MEMBER('hr_partial') THEN CONCAT('XXX-XX-', RIGHT(ssn, 4))
  ELSE 'XXX-XX-XXXX'
END;

ALTER TABLE employees ALTER COLUMN ssn SET MASK mask_ssn;
```

## Least Privilege Enforcement

```python
def enforce_least_privilege(catalog: str):
    """Remove excessive permissions and enforce least privilege."""
    # Find overly permissive grants
    all_grants = spark.sql(f"SHOW GRANTS ON CATALOG {catalog}").collect()

    for grant in all_grants:
        # Replace ALL PRIVILEGES with specific grants
        if grant.privilege == "ALL PRIVILEGES" and grant.principal not in ['platform_admin']:
            revoke_excessive_grant(grant)
            apply_minimal_grants(grant.principal, catalog)

        # Remove MODIFY from read-only users
        if grant.privilege == "MODIFY" and grant.principal in readonly_users:
            spark.sql(f"REVOKE MODIFY ON CATALOG {catalog} FROM `{grant.principal}`")
```

## Access Reviews

### Quarterly Access Review
```python
def conduct_quarterly_review(catalog: str):
    """Quarterly access recertification."""
    grants = get_all_grants(catalog)

    review_items = {
        "excessive_access": find_excessive_permissions(grants),
        "unused_access": find_unused_permissions(grants),
        "stale_accounts": find_stale_users(grants),
        "orphaned_grants": find_orphaned_grants(grants)
    }

    # Generate review report
    report = generate_review_report(review_items)

    # Send to data stewards for approval
    send_for_recertification(report, data_stewards)

    return report
```

## Best Practices

1. **Least Privilege**: Grant minimum required permissions
2. **Separation of Duties**: No single user has complete control
3. **Regular Reviews**: Quarterly access recertification
4. **Time-Bound Access**: Temporary grants for contractors
5. **Service Principal Ownership**: Use SPs not individuals
6. **Audit Trail**: Log all permission changes

## Templates

- **rbac-framework.sql**: Complete RBAC setup
- **row-filter-patterns.sql**: Row-level security patterns
- **masking-functions.sql**: Column masking library
- **access-review.py**: Automated review workflow

## Examples

- **regional-isolation**: Multi-region access control
- **multi-tenant-security**: Tenant isolation patterns
- **conditional-masking**: Dynamic data masking

Related Skills

accessing-github-repos

from diegosouzapw/awesome-omni-skill

GitHub repository access in containerized environments using REST API and credential detection. Use when git clone fails, or when accessing private repos/writing files via API.

accessible-web-dev

from diegosouzapw/awesome-omni-skill

Build WCAG 2.1 AA compliant web applications for University of Sheffield. Covers semantic HTML, ARIA patterns, form accessibility, keyboard navigation, color contrast, alt text, captions, and automated testing. Use when creating websites, web apps, forms, interactive components, or auditing accessibility for WCAG compliance, screen readers, keyboard access, or inclusive design.

accessibility-wcag

from diegosouzapw/awesome-omni-skill

Build accessible web applications following WCAG 2.1/2.2 guidelines with proper semantic HTML, ARIA attributes, keyboard navigation, screen reader support, and inclusive design. Use when implementing ARIA labels and roles, ensuring keyboard navigation, supporting screen readers, providing text alternatives for images, managing focus, creating accessible forms, building inclusive UI components, testing with accessibility tools, meeting WCAG compliance levels, or designing for users with disabilities.

accessibility-standards

from diegosouzapw/awesome-omni-skill

Implement WCAG 2.1 accessibility standards for Vue 3 apps. Use when adding ARIA labels, keyboard navigation, screen reader support, or checking color contrast. Mentions "accessibility", "ARIA", "keyboard nav", "screen reader", or "color contrast".

accessibility-review

from diegosouzapw/awesome-omni-skill

Reviews UI for accessibility issues against WCAG 2.1/2.2 AA. Triggers on "is this accessible?", "check accessibility", or contrast/a11y review requests.

accessibility-report

from diegosouzapw/awesome-omni-skill

Generate accessibility compliance reports including VPAT and ACR documents

accessibility-readability

from diegosouzapw/awesome-omni-skill

Ensure textbook content is accessible, readable, and understandable for learners of all skill levels. Use when reviewing content for clarity, adding explanations for beginners, or improving content accessibility.

accessibility-patterns

from diegosouzapw/awesome-omni-skill

Build inclusive web experiences following WCAG guidelines. Covers semantic HTML, ARIA, keyboard navigation, color contrast, and testing strategies. Triggers on accessibility, a11y, WCAG, screen readers, or inclusive design requests.

accessibility-mobile

from diegosouzapw/awesome-omni-skill

React Native accessibility patterns for iOS and Android. Use when implementing a11y features.

accessibility

from diegosouzapw/awesome-omni-skill

Audit and improve web accessibility following WCAG 2.1 guidelines. Use when asked to "improve accessibility", "a11y audit", "WCAG compliance", "screen reader support", "keyboard navigation", or "make accessible". Do NOT use for SEO (use seo), performance (use core-web-vitals), or comprehensive site audits covering multiple areas (use web-quality-audit).

accessibility-games

from diegosouzapw/awesome-omni-skill

Game accessibility skill for colorblind modes and control remapping.

accessibility-excellence

from diegosouzapw/awesome-omni-skill

Master web accessibility (A11y) to ensure your product is usable by everyone, including people with disabilities. Covers WCAG standards, semantic HTML, keyboard navigation, screen readers, color contrast, and inclusive design practices. Accessibility is not a feature—it's a fundamental requirement.