---

# ü•â LEVEL 1: Access Control Designer

**Difficulty:** Intermediate

## üìö What You'll Learn

- Unity Catalog permission model
- GRANT and REVOKE syntax
- Difference between SELECT, MODIFY, CREATE
- Schema-level vs table-level permissions

## üéØ Your Mission

Design the basic access control model for the three teams. No fancy features yet - just get the permissions right.

## üìù Task Instructions

### Step 1: Understand the Current Tables

First, explore what tables exist:

In [0]:
%sql
-- Check what tables we have from the pipeline
-- Note: Pipeline tables are in 'default' schema, ML tables in 'e2eai_iot_turbine'
SHOW TABLES IN default;

In [0]:
%sql
SHOW GROUPS;

### Step 2: Understand Your Available Groups

In Databricks Unity Catalog **Free Edition**, you can use these **Account-level** groups:

**Available Groups:**
- `analysts` - Operational users who work with cleaned data
- `dataengineers` - Build pipelines and ML models (broader access)
- `users` - General users / management (read-only, aggregated views)
- `admins` - Full admin rights

> ‚ö†Ô∏è **Important:** Only **Account-level** groups work with GRANT statements. Workspace-level groups will cause `PRINCIPAL_DOES_NOT_EXIST` errors.

### üìù Your Schema Design

Document your decision:

```
My Architecture Choice: [Option A / Option B / Custom]

Reasoning:
- [Why did you choose this structure?]
- [How does it meet security requirements?]
- [What are the tradeoffs?]

Schema Structure:
Schema 1: _______________
  Purpose: _______________
  Teams with access: _______________
  
Schema 2: _______________
  Purpose: _______________
  Teams with access: _______________

[Add more schemas if needed]
```

In [0]:
%sql
-- Option B: Create new schemas (optional)
CREATE SCHEMA IF NOT EXISTS turbine_operations;
CREATE SCHEMA IF NOT EXISTS turbine_analytics;
CREATE SCHEMA IF NOT EXISTS turbine_executive;

-- Grant schema-level permissions
-- analysts group: READ access to operations schema
GRANT USAGE, SELECT ON SCHEMA turbine_operations TO `analysts`;

-- dataengineers group: FULL access to analytics schema
GRANT USAGE, SELECT, MODIFY, CREATE ON SCHEMA turbine_analytics TO `dataengineers`;

-- users group: READ access to executive schema
GRANT USAGE, SELECT ON SCHEMA turbine_executive TO `users`;

### Step 4: Grant Permissions - Team A (Analysts Group)

**Requirements for `analysts` group:**
- READ access to operational data (sensor_hourly, turbine, parts, historical_turbine_status)
- NO access to raw bronze tables
- NO WRITE access (read-only)

**Implementation:**


In [0]:
%sql
-- GRANT statements for analysts group
-- Note: Pipeline tables are in 'default' schema

-- Option A: Table-level permissions (more granular control)
%sql
GRANT SELECT ON TABLE default.sensor_hourly TO `analysts`;
GRANT SELECT ON TABLE default.turbine TO `analysts`;
GRANT SELECT ON TABLE default.parts TO `analysts`;
GRANT SELECT ON TABLE default.historical_turbine_status TO `analysts`;

-- Option B (if you created turbine_operations schema):

-- GRANT USAGE, SELECT ON SCHEMA turbine_operations TO `analysts`;SHOW GRANTS ON TABLE default.sensor_hourly;

-- Verify grants

### Step 5: Grant Permissions - Team B (Dataengineers Group)

**Requirements for `dataengineers` group:**
- READ access to ALL sensor data (including raw bronze tables)
- WRITE access to analytics/ML tables
- SELECT + MODIFY on schemas for experimentation

**Implementation:**

In [0]:
%sql
-- GRANT statements for dataengineers group
-- Note: Pipeline tables in 'default', ML tables in 'e2eai_iot_turbine'

%sql
-- Option A: Schema-level permissions (grants access to all tables in schema)
GRANT SELECT ON SCHEMA default TO `dataengineers`;
GRANT SELECT, MODIFY ON SCHEMA e2eai_iot_turbine TO `dataengineers`;

-- Option B (if you created turbine_analytics schema):
-- GRANT USAGE, SELECT, MODIFY, CREATE ON SCHEMA turbine_analytics TO `dataengineers`;

-- Verify grants
SHOW GRANTS ON SCHEMA default;

### Step 6: Grant Permissions - Team C (Users Group)

**Requirements for `users` group:**
- READ access ONLY to aggregated views/dashboards
- NO access to raw sensor data
- NO access to technical tables

**Strategy:** Create views first, then grant access to views only.

**Alternative:** Grant to your personal account instead of the users group.

In [0]:
%sql
-- First, create an executive KPI view
-- Note: sensor_hourly is in 'default' schema from pipeline
CREATE OR REPLACE VIEW default.executive_kpi_dashboard AS
SELECT
  DATE(window.start) as date,
  COUNT(DISTINCT turbine_id) as active_turbines,
  SUM(avg_power) as total_power_output_kw,
  AVG(avg_power) as avg_power_per_turbine
  -- Add more KPIs but NO raw sensor data!
FROM default.sensor_hourly
GROUP BY DATE(window.start);

In [0]:
%sql
-- GRANT access to view only (NOT underlying tables)
-- Option 1: Use 'users' group (Account-level group)
%sql
GRANT SELECT ON VIEW default.executive_kpi_dashboard TO `users`;

-- Option 2: Use 'analysts' group instead
-- GRANT SELECT ON VIEW default.executive_kpi_dashboard TO `analysts`;

-- GRANT USAGE, SELECT ON SCHEMA turbine_executive TO `users`;

-- Option 3 (if you created turbine_executive schema):-- Create view in executive schema, then grant schema access

### Step 7: Verify Permissions

Check what permissions you've granted:

In [0]:
%sql
-- Check grants for a specific table
%sql
SHOW GRANTS ON TABLE default.sensor_hourly;

In [0]:
%sql
-- Check grants for a schema
%sql
SHOW GRANTS ON SCHEMA default;

## üìä Success Criteria

‚úÖ Created user groups for all 3 teams  
‚úÖ Granted appropriate READ permissions  
‚úÖ Restricted WRITE access to data scientists only  
‚úÖ Created executive view with aggregated data only  
‚úÖ Verified permissions with SHOW GRANTS  

**Level 1 Complete!** üéâ You've designed basic access control!

---

# ü•à LEVEL 2: Security Architect

**Difficulty:** Advanced

## üìö What You'll Learn

- Row-level security (filtering data by user)
- Column-level access control via views
- Handling edge cases (users in multiple groups)
- View-based security patterns (Free Edition compatible)

> üí° **Free Edition Note:** This level uses **Views** to implement security patterns. Views let you control row-level and column-level access without Enterprise features like dynamic masking.

## üîç Real-World Scenarios

**Problem Areas:**
1. Different users need different rows (regional data)
2. Different users need different columns (sensitive fields)
3. A user in multiple groups has conflicting permissions

**Goal:** Implement view-based security to handle these issues.

## üìù Task Instructions

### Step 1: Identify Sensitive Columns

**Review your tables and identify sensitive data:**

```
Table: parts
- Potentially sensitive: supplier info, cost data
- Who should see: Analysts (operational), Users/management (costs)

Table: sensor_bronze
- Contains: Raw sensor data with possible errors/noise
- Who should see: Dataengineers only (for ML)
- Analysts: Should use sensor_hourly (cleaned)

Table: sensor_hourly
- Contains: Aggregated, cleaned sensor data
- Who should see: All groups (operational data)

Table: turbine, historical_turbine_status
- Contains: Turbine metadata and status
- Who should see: All groups (different views)

Table: turbine_training_dataset
- Contains: ML features, may include sensitive patterns
- Who should see: Dataengineers only

Sensitive Columns in turbine table (example):
- `model` ‚Üí Everyone can see
- `capacity` ‚Üí Everyone can see
- `purchase_date` ‚Üí Limit to management (users group)?
- `purchase_cost` ‚Üí Limit to management (users group)?
```

**Your Task:** List sensitive columns here:
```
[Document which columns should be restricted and to whom]
```

### üìù Your Sensitive Data Audit

Document what needs protection:

```
Table: _______________________
Column: _______________________
  Sensitivity: [Confidential / Internal / Public]
  Accessible by: [Which teams?]
  Masking strategy: [Redact / Hash / Aggregate / Filter]

[Repeat for all sensitive columns]
```

### Step 2: Implement Row-Level Security

**Scenario:** Different analysts work in different regions. They should only see turbines in THEIR region.

**Implementation:** Create views with row filters based on user attributes.

In [0]:
-- First, create a user-region mapping table
CREATE OR REPLACE TABLE default.user_regions (
  username STRING,
  allowed_region STRING
);

-- Insert sample data
INSERT INTO default.user_regions VALUES
  ('tech_chicago@company.com', 'Chicago'),
  ('tech_miami@company.com', 'Miami'),
  ('tech_nyc@company.com', 'New York');

In [None]:
-- Create a runnable row-filtered view that joins to turbine to get location
CREATE OR REPLACE VIEW default.sensor_hourly_my_region AS
SELECT s.*
FROM default.sensor_hourly s
INNER JOIN default.turbine t ON s.turbine_id = t.turbine_id
WHERE t.location IN (
  SELECT allowed_region
  FROM default.user_regions
  WHERE username = current_user()
);

In [0]:
-- Test view: simulate a fixed user (Chicago) to validate the row filter without switching users
CREATE OR REPLACE VIEW default.sensor_hourly_my_region_for_chicago AS
SELECT s.*
FROM default.sensor_hourly s
INNER JOIN default.turbine t ON s.turbine_id = t.turbine_id
WHERE t.location IN (
  SELECT allowed_region
  FROM default.user_regions
  WHERE username = 'tech_chicago@company.com'
);

-- Quick test query (uncomment to run in a SQL cell):
-- SELECT * FROM default.sensor_hourly_my_region_for_chicago LIMIT 20;

### Step 3: Column-Level Access Control

**Goal:** Show how to provide different column sets to different groups using views (no Enterprise masking).

**Task:**
- Create an operational view for `analysts` that includes only the relevant columns from `default.turbine`.
- Create an analytics view for `dataengineers` that includes ML features from `turbine_current_features`.
- Grant `SELECT` on the views only, not on the raw tables.

**Validation:** Run example `SELECT` statements on the views and compare column counts and names.

In [0]:
-- Create group-specific views with different column sets

-- Operational view for Analysts (limited, safe columns)
CREATE OR REPLACE VIEW default.turbine_operational_view AS
SELECT
  turbine_id,
  model,
  location,
  lat,
  long
FROM default.turbine;

-- Analytics view for Dataengineers (including derived/ML features)
CREATE OR REPLACE VIEW default.turbine_analytics_view AS
SELECT
  t.*,
  tf.avg_energy,
  tf.std_energy,
  tf.trend_energy
FROM default.turbine t
LEFT JOIN default.turbine_current_features tf ON t.turbine_id = tf.turbine_id;

-- Validation queries (run these to inspect columns/data):
-- SELECT * FROM default.turbine_operational_view LIMIT 10;
-- SELECT * FROM default.turbine_analytics_view LIMIT 10;

In [0]:
-- Grant appropriate views to each group (Account-level groups required)
GRANT SELECT ON VIEW default.turbine_operational_view TO `analysts`;
GRANT SELECT ON VIEW default.turbine_analytics_view TO `dataengineers`;

-- Optional: Restrict users to executive KPI view only
GRANT SELECT ON VIEW default.executive_kpi_dashboard TO `users`;

-- Verify grants with SHOW GRANTS statements after running the above
-- SHOW GRANTS ON VIEW default.turbine_operational_view;
-- SHOW GRANTS ON VIEW default.turbine_analytics_view;

In [None]:
-- TEST (Step 3): Validate column-level views
-- Run these queries to inspect columns and sample data for each view.
SELECT column_name FROM information_schema.columns WHERE table_schema = 'default' AND table_name = 'turbine_operational_view';
SELECT column_name FROM information_schema.columns WHERE table_schema = 'default' AND table_name = 'turbine_analytics_view';

SELECT COUNT(*) AS operational_rows FROM default.turbine_operational_view;
SELECT COUNT(*) AS analytics_rows FROM default.turbine_analytics_view;

SELECT * FROM default.turbine_operational_view LIMIT 10;
SELECT * FROM default.turbine_analytics_view LIMIT 10;

### Step 4: Handle Edge Cases

**Goal:** Describe how to handle conflicts between group memberships, temporary rights, and emergency access ‚Äî using concrete Free Edition-compatible steps.

**Common Cases & Recommendations:**
- **User in multiple groups:** Unity Catalog applies the combined (most permissive) permissions. Document exceptions in the `permission_tracking` table (manual audit).
- **Temporary access (e.g. 1 week):** Grant rights directly to the user or to a temporary group, log the reason and expiry in `default.permission_tracking`, and remove the rights after expiry.
- **Emergency Override:** Use the `admins` group for immediate access, log the change, and revert after incident review.

**Task:**
- Implement a simple process: GRANT ‚Üí INSERT into `permission_tracking` with a `review_date` ‚Üí after expiry REVOKE and UPDATE status.

**Example SQL (Manual workflow):**
```sql
-- 1) Grant temporary SELECT to a user (manual step)
GRANT SELECT ON VIEW default.turbine_operational_view TO 'contractor@example.com';

-- 2) Record the grant in permission_tracking with a review_date
INSERT INTO default.permission_tracking (grant_date, grantee, object_type, object_name, privilege, granted_by, justification, review_date) VALUES (
  current_timestamp(), 'contractor@example.com', 'VIEW', 'default.turbine_operational_view', 'SELECT', current_user(), 'Temporary contractor access', current_timestamp() + INTERVAL 7 DAYS
);
```

**Validation & Cleanup:**
- Regularly run `SELECT * FROM default.permission_tracking WHERE review_date < current_timestamp()` and perform REVOKE/cleanup.
- Keep the policy simple: temporary rights must include a justification and an expiry.

In [None]:
-- TEST (Step 4): Validate permission_tracking workflow
-- 1) Show current entries that need review
SELECT grantee, object_name, privilege, grant_date, review_date, justification
FROM default.permission_tracking
WHERE review_date < current_timestamp() + INTERVAL 30 DAYS
ORDER BY review_date;

-- 2) Example: find expired entries (review_date passed)
SELECT * FROM default.permission_tracking WHERE review_date < current_timestamp();

-- 3) Example cleanup pattern (manual step):
-- For each expired entry: REVOKE privilege and then update the tracking row. Replace placeholders before running.
-- REVOKE SELECT ON VIEW default.turbine_operational_view FROM 'contractor@example.com';
-- UPDATE default.permission_tracking SET justification = concat(justification, ' -- revoked on ', current_timestamp()) WHERE grantee = 'contractor@example.com' AND object_name = 'default.turbine_operational_view';

### üìù Your Edge Case Strategy

**Scenario Analysis:**

**Case 1: User in Multiple Groups**
```
User: sarah@company.com
Groups: analysts, dataengineers
Expected behavior: Most permissive (Unity Catalog default)
  - Gets SELECT from analysts group
  - Gets SELECT + MODIFY from dataengineers group
  - Final permissions: SELECT + MODIFY (most permissive wins)
Your implementation: Unity Catalog automatically handles this
```

**Case 2: Temporary Access**
```
A contractor needs 1-week access to specific turbine data.
Your solution: 
  - Create temporary user account
  - Add to analysts group
  - Set calendar reminder to remove after 1 week
  - Or grant directly to their email, revoke after period
```

**Case 3: Emergency Override**
```
During an outage, operations team needs immediate access to ALL data.
Your solution: 
  - Add user to admins group temporarily
  - Document in permission_tracking table
  - Revoke after incident resolved
  - Review access in post-mortem
```

## üìä Success Criteria

‚úÖ Created row-level security filters using views  
‚úÖ Set up column-level access control via views  
‚úÖ Documented edge case handling strategy  
‚úÖ Validated security with test queries  

**Level 2 Complete!** üéâ You've implemented view-based security!

---

# ü•á LEVEL 3: Real-World Application & Best Practices

**Difficulty:** Advanced | **Time:** 45 minutes

> üí° **Free Edition Note:** This level focuses on **documentation and manual processes** since automated enterprise features (system audit logs, alerting) require Unity Catalog Pro/Enterprise.

## üìö What You'll Learn

- Document governance decisions for your team
- Create manual permission backup/restore procedures
- Understand data lineage and impact analysis
- Design access review workflows
- Apply governance principles to real scenarios

## üéØ Your Mission

You've implemented technical controls in Level 1 & 2. Now make your governance framework **maintainable, auditable, and team-ready**.

1. Automated compliance reporting
2. Data lineage tracking
3. Regular access reviews
4. Incident response procedures

**Goal:** Build a production-ready governance system that scales.

## üìù Implementation Guide

### Component 1: Governance Documentation

**Create a governance playbook that includes:**


### üìã Your Governance Playbook

Complete this template:

---

## **WIND TURBINE DATA GOVERNANCE PLAYBOOK**

### 1. Access Control Matrix

| Group Name | Source | Schema Access | Table Access | Permission Level | Approval Required |
|------------|--------|---------------|--------------|------------------|-------------------|
| `analysts` | Account ‚úÖ | default | sensor_hourly, turbine, parts | SELECT | Manager approval |
| `dataengineers` | Account ‚úÖ | default, e2eai_iot_turbine | ALL | SELECT, MODIFY | Lead approval |
| `users` | Account ‚úÖ | default | KPI views only | SELECT | Management approval |
| `admins` | Account ‚úÖ | ALL | ALL | ALL | Security team |

‚ö†Ô∏è **Note:** Only Account-level groups work with GRANT statements. Workspace-level groups cannot be used as principals.

### 2. Data Classification

| Classification | Examples | Who Can Access | Encryption | Audit Level |
|----------------|----------|----------------|------------|-------------|
| Public | Fleet size, location names | All employees | No | Basic |
| Internal | Sensor readings | Tech + DS + Execs | TLS | Standard |
| Confidential | Cost data, failure predictions | Execs + DS only | TLS + at-rest | Enhanced |
| Restricted | Strategic plans | Execs only | Full encryption | Complete |

### 3. Incident Response Procedures

**Scenario: Unauthorized Access Detected**
1. Step 1: Immediately revoke access using `REVOKE` statement
2. Step 2: Check audit logs with `SHOW GRANTS` queries
3. Step 3: Notify security team
4. Step 4: Review similar permissions for other users

**Scenario: Data Leak**
1. Step 1: Identify affected tables/schemas
2. Step 2: Revoke all external access immediately
3. Step 3: Review data lineage to find downstream impacts
4. Step 4: Restore from grants_backup if needed

### 4. Access Review Schedule

- **Monthly:** Review new user additions
- **Quarterly:** Audit all analyst/dataengineer group membership
- **Annually:** Complete access recertification
- **Ad-hoc:** After employee role changes

### 5. Compliance Checklist

- [ ] GDPR: Personal data minimized
- [ ] SOC 2: Access controls documented
- [ ] ISO 27001: Periodic access reviews
- [ ] Internal: Cost data protected
- [ ] Internal: Audit trail enabled

---

### Component 2: Manual Permission Tracking

**Task:** Create a manual tracking system for permissions (since system tables aren't available in Free Edition).

In [0]:
-- Create a manual permission tracking table in default schema

CREATE TABLE IF NOT EXISTS default.permission_tracking (
  grant_date TIMESTAMP,
  grantee STRING,
  object_type STRING,  -- 'SCHEMA', 'TABLE', 'VIEW'
  object_name STRING,
  privilege STRING,  -- 'SELECT', 'MODIFY', 'ALL'
  granted_by STRING,
  justification STRING,
  review_date TIMESTAMP
);

-- Example: Log a permission grant manually
%sql
INSERT INTO default.permission_tracking VALUES (
  current_timestamp(),
  'analysts',
  'TABLE',
  'default.sensor_hourly',
  'SELECT',
  current_user(),
  'Operational data access for analysts group',
  current_timestamp() + INTERVAL 90 DAYS
);

In [0]:
-- Query your permission tracking table

SELECT 
  grantee,
  object_name,
  privilege,
  grant_date,
  review_date,
  DATEDIFF(review_date, current_timestamp()) as days_until_review
FROM default.permission_tracking
WHERE review_date < current_timestamp() + INTERVAL 30 DAYS
ORDER BY review_date;

-- This helps you identify permissions that need review soon

### Component 3: Data Lineage Documentation

**Purpose:** Understand data flow and impact of changes.

**Task:** Manually document your data lineage (Unity Catalog Free Edition has basic lineage in UI).

### Component 3: Manual Data Lineage Documentation

**Task:** Track data lineage manually (since automated lineage requires Enterprise features).

**Example Data Flows:**

```
SOURCE ‚Üí TRANSFORMATION ‚Üí DESTINATION ‚Üí CONSUMERS
=================================================

Flow 1: Sensor Data Pipeline
sensor_bronze (raw IoT stream)
  ‚Üí sensor_hourly (hourly aggregation via MATERIALIZED VIEW)
  ‚Üí executive_kpi_dashboard (aggregated view)
  ‚Üí Used by: Users/Management team
  
Impact Analysis:
- If sensor_bronze schema changes ‚Üí sensor_hourly breaks
- If sensor_hourly changes ‚Üí management dashboard breaks
- Affected teams: Analysts, Dataengineers, Users

Flow 2: ML Training Pipeline
sensor_bronze ‚Üí turbine_training_dataset ‚Üí ML Model Training
  ‚Üí Used by: Dataengineers team
  
Impact Analysis:
- Schema changes affect model training
- Need to retrain models if features change

Flow 3: Operational Data

turbine (metadata) + parts (maintenance) ‚Üí Analyst dashboards- Update after each schema/pipeline change

  ‚Üí Used by: Analysts team- Document dependencies in this notebook or a shared document

- Check Unity Catalog UI ‚Üí Data Explorer ‚Üí Select table ‚Üí "Lineage" tab

[YOUR TASK: Document your actual lineage here]**Manual Lineage Tracking:**

```

### Component 4: Manual Access Reviews

**Task:** Create queries to support quarterly access reviews (using SHOW GRANTS since system tables aren't available).

In [0]:
-- Query 1: Check all grants on sensitive tables manually

-- Check sensor_bronze (should be data scientists only)
SHOW GRANTS ON TABLE default.sensor_bronze;

-- Check parts table
SHOW GRANTS ON TABLE default.parts;

-- Check training dataset
SHOW GRANTS ON TABLE default.turbine_training_dataset;

-- YOUR TASK: Document results in permission_tracking table

In [0]:
-- Query 2: Review all schema-level grants

SHOW GRANTS ON SCHEMA default;

-- Review table-level grants for key tables
SHOW GRANTS ON TABLE default.sensor_hourly;
SHOW GRANTS ON TABLE default.turbine;

-- YOUR TASK: Run these quarterly and document in permission_tracking

### üìã Access Review Checklist

Create a quarterly review process:

**Every Quarter:**
1. Run `SHOW GRANTS` on all sensitive tables
2. Review permission_tracking table for upcoming review dates
3. Verify each group still needs their current access
4. Document review in permission_tracking:
   ```sql
   UPDATE default.permission_tracking
   SET review_date = current_timestamp() + INTERVAL 90 DAYS
   WHERE grantee = 'team_name' AND object_name = 'table_name';
   ```
5. Revoke unnecessary permissions
6. Share review results with management

**Red Flags to Check:**
- Users with access to tables they don't use
- Broad schema-level grants when table-level would suffice
- Groups with MODIFY rights that only need SELECT

### Component 5: Permission Backup & Recovery

**Scenario:** You accidentally revoke critical permissions! How do you recover?

**Task:** Create a manual backup procedure.

In [0]:
-- Manual backup strategy (Free Edition compatible)

-- Step 1: Export all current grants to a table
CREATE TABLE IF NOT EXISTS default.grants_backup (
  backup_date TIMESTAMP,
  object_type STRING,
  object_name STRING,
  grant_statement STRING
);

-- Step 2: Manually record key grants (using built-in groups)
%sql
INSERT INTO default.grants_backup VALUES
  (current_timestamp(), 'TABLE', 'default.sensor_hourly', 'GRANT SELECT ON TABLE default.sensor_hourly TO `analysts`;'),
  (current_timestamp(), 'TABLE', 'default.turbine', 'GRANT SELECT ON TABLE default.turbine TO `analysts`;'),
  (current_timestamp(), 'SCHEMA', 'default', 'GRANT SELECT ON SCHEMA default TO `dataengineers`;'),
  (current_timestamp(), 'SCHEMA', 'e2eai_iot_turbine', 'GRANT SELECT, MODIFY ON SCHEMA e2eai_iot_turbine TO `dataengineers`;');

-- YOUR TASK: Add all your GRANT statements here

In [0]:
-- Restore procedure: Query and execute

SELECT grant_statement
FROM default.grants_backup
WHERE backup_date = (SELECT MAX(backup_date) FROM default.grants_backup)
ORDER BY object_name;

-- Copy the output and execute each GRANT statement manually
-- This restores your permissions to the last backup state

### Component 6: Manual Compliance Reporting

**Task:** Create a manual compliance checklist (since automated reporting needs system tables).

### üìä Quarterly Compliance Report Template

**Report Date:** _______
**Reviewed By:** _______

#### 1. Access Control Coverage
- [ ] All sensitive tables have explicit grants (sensor_bronze, parts, turbine_training_dataset)
- [ ] No overly broad schema-level grants
- [ ] Analysts: SELECT only on operational tables
- [ ] Dataengineers: SELECT on all data, SELECT + MODIFY on e2eai_iot_turbine schema
- [ ] Users/Executives: SELECT only on aggregated views

#### 2. Permission Inventory
Run these queries and document results:
```sql
SHOW GRANTS ON SCHEMA default;
SHOW GRANTS ON SCHEMA e2eai_iot_turbine;
SHOW GRANTS ON TABLE default.sensor_bronze;
SHOW GRANTS ON TABLE default.sensor_hourly;
SHOW GRANTS ON TABLE default.turbine;
```

**Total Groups with Access:** _____
**Total Tables Protected:** _____

#### 3. Data Masking Verification
- [ ] Executive views show aggregated data only (no raw sensor values)
- [ ] Analyst views exclude sensitive columns
- [ ] Test queries validated

#### 4. Violations Found
List any issues:
1. _______
2. _______

#### 5. Remediation Actions
1. _______
2. _______

### Component 7: Incident Response Playbook

**Task:** Set up alerts for security violations.

**Pseudo-code for alert system:**

```python
# Alert Rule 1: Unusual access patterns
if user_access_count > 1000 in last_hour:
    send_alert(f"User {username} accessed {table} {count} times")

# Alert Rule 2: Sensitive table access by unauthorized user
if accessed_table == 'sensor_bronze' and user_group not in ['dataengineers', 'admins']:
    send_critical_alert(f"Unauthorized access attempt by {username}")

# Alert Rule 3: Permission changes
if action in ['GRANT', 'REVOKE']:
    send_notification(f"Permission change: {action} {table} to {user}")
```

In Databricks, implement with:
- **Databricks SQL Alerts** on audit log queries
- **Webhooks** to Slack/Email/PagerDuty
- **Jobs** that run hourly/daily checks

## ‚úÖ Validation Steps

### Governance Framework Checklist

1. **Documentation Complete**
   - [ ] Access control matrix filled out
   - [ ] Data classification defined
   - [ ] Incident response procedures documented
   - [ ] Compliance checklist created

2. **Technical Implementation**
   - [ ] Permission tracking table created
   - [ ] Data lineage documented
   - [ ] Manual access review queries working
   - [ ] Grant backup system in place
   - [ ] Quarterly compliance template ready

3. **Operational Readiness**
   - [ ] Team trained on playbook
   - [ ] Quarterly review schedule set
   - [ ] Incident response procedures documented
   - [ ] Permission backup tested

### Test Your System

```sql
-- Test 1: Check permission tracking
SELECT * FROM default.permission_tracking 
ORDER BY grant_date DESC LIMIT 10;

-- Test 2: Verify grants on sensitive tables
SHOW GRANTS ON TABLE default.sensor_bronze;
SHOW GRANTS ON TABLE default.parts;

-- Test 3: Test restore from backup
SELECT grant_statement FROM default.grants_backup
WHERE backup_date = (SELECT MAX(backup_date) FROM default.grants_backup);
-- Copy and test one GRANT statement

-- Test 4: Check upcoming reviews
SELECT * FROM default.permission_tracking
WHERE review_date < current_timestamp() + INTERVAL 30 DAYS;
```

## üìä Success Criteria

‚úÖ Complete governance playbook documented  
‚úÖ Manual permission tracking operational  
‚úÖ Data lineage mapped and documented  
‚úÖ Manual access review process created  
‚úÖ Grant backup and restore system working  
‚úÖ Compliance reporting template created  
‚úÖ Incident response procedures defined  

**Level 3 Complete!** üèÜ You've created a maintainable governance framework!

> üí° **Free Edition Reality Check:** This level used manual processes suitable for Free Edition. In Pro/Enterprise, many of these would be automated via system tables, audit logs, and alerting.

---

# üéì Final Reflection & Next Steps

## üéâ Congratulations!

You've built a **production-ready data governance framework** from scratch! 

### What You've Mastered

**Technical Skills:**
- ‚úÖ Unity Catalog permission model (GRANT/REVOKE)
- ‚úÖ Data masking and column-level security
- ‚úÖ Row-level security with filtered views
- ‚úÖ Audit logging and compliance reporting
- ‚úÖ Data lineage analysis
- ‚úÖ Disaster recovery procedures

**Governance Principles:**
- ‚úÖ Principle of Least Privilege
- ‚úÖ Defense in Depth (multiple security layers)
- ‚úÖ Auditability and Transparency
- ‚úÖ Separation of Duties
- ‚úÖ Regular Access Reviews

---

## üöÄ Real-World Application

### How This Works in Production

**Scenario: New Employee Onboarding**
```
1. HR creates user account
2. Manager requests access via ticket
3. Governance team reviews playbook
4. Execute GRANT statements
5. User added to audit log
6. Confirmation email sent
```

**Scenario: Security Incident**
```
1. Alert triggered: Unusual access pattern
2. Security team reviews audit logs
3. Identify affected tables via lineage
4. REVOKE access immediately
5. Restore from grants backup if needed
6. Root cause analysis
```

**Scenario: Compliance Audit**
```
1. Auditor requests access reports
2. Run compliance dashboard queries
3. Export results to PDF
4. Demonstrate access controls
5. Show audit trail
6. Pass audit ‚úì
```

---

## üí° Advanced Topics (For Later)

Once you've mastered the basics, explore:

### 1. **Attribute-Based Access Control (ABAC)**
Instead of role-based, use user attributes:
```sql
-- Grant access based on user location, department, clearance level
CREATE VIEW filtered_view AS
SELECT * FROM sensor_data
WHERE location = get_user_attribute('location')
  AND clearance_level >= get_user_attribute('clearance');
```

### 2. **Dynamic Data Masking**
Mask data based on context:
```sql
-- Show full data in production, masked in dev
CASE 
  WHEN current_database() = 'prod' THEN actual_value
  ELSE mask(actual_value)
END
```

### 3. **Time-Based Access**
Temporary permissions that auto-expire:
```sql
-- Grant access for 24 hours only
-- (Requires external automation)
```

### 4. **Cross-Catalog Governance**
Manage permissions across multiple catalogs:
```sql
GRANT SELECT ON * TO `analysts`;
GRANT SELECT ON dev.* TO `data_engineers`;
```

---

## üéØ Next Steps in Your Journey

### Immediate Actions
1. **Apply to Your Data:** Use this framework on your actual datasets
2. **Share with Team:** Present your governance model to stakeholders
3. **Get Feedback:** What security concerns do they have?

### Continue Learning
- **Module 03 - BI Dashboards:** Create compliance dashboards
- **Module 04 - ML:** Governance for ML models and features
- **Module 05 - GenAI:** Security for AI agents accessing data

### Certification Prep
This challenge prepares you for:
- **Databricks Data Engineer Associate**
- **Databricks Data Analyst Associate**
- **Security/Compliance certifications**

---

## üìö Resources

### Documentation
- [Unity Catalog Best Practices](https://docs.databricks.com/data-governance/unity-catalog/best-practices.html)
- [Data Governance Guide](https://docs.databricks.com/data-governance/index.html)
- [Audit Logs](https://docs.databricks.com/administration-guide/account-settings/audit-logs.html)

### Community
- Databricks Community Forums (Data Governance section)
- Unity Catalog GitHub discussions
- LinkedIn #DataGovernance

---

## üèÜ Challenge Badge Unlocked!

**üîê Data Governance Master**

You've completed:
- ‚úÖ Level 1: Access Control Designer
- ‚úÖ Level 2: Security Architect  
- ‚úÖ Level 3: Governance Master

**Share your achievement:**
> "Just completed a comprehensive data governance challenge covering Unity Catalog, data masking, audit logging, and compliance reporting! #DataGovernance #Databricks #UnityCatalog"

---

**Thank you for your dedication to secure, compliant data engineering!** üéâ

*Remember: Good governance isn't about blocking access - it's about enabling safe, responsible data use.*