---

# ü•â LEVEL 1: Access Control Designer

**Difficulty:** Intermediate | **Time:** 30 minutes

## üìö What You'll Learn

- Unity Catalog permission model
- GRANT and REVOKE syntax
- Difference between SELECT, MODIFY, CREATE
- Schema-level vs table-level permissions

## üéØ Your Mission

Design the basic access control model for the three teams. No fancy features yet - just get the permissions right.

## üìù Task Instructions

### Step 1: Understand the Current Tables

First, explore what tables exist:

In [0]:
%sql
-- Check what tables we have from the pipeline
-- Note: Pipeline tables are in 'default' schema, ML tables in 'e2eai_iot_turbine'
%sql
SHOW TABLES IN default;

### Step 2: Design Schema Architecture

**Question:** Should all teams access the same schema, or create separate schemas?

**Current Tables (from Pipeline in `workspace.default`):**
- `turbine` - Turbine metadata
- `sensor_bronze` - Raw sensor data
- `historical_turbine_status` - Historical status records
- `parts` - Parts/maintenance data
- `sensor_hourly` - Hourly aggregated sensor data (Materialized View)
- `turbine_training_dataset` - ML training features (Materialized View)
- `turbine_current_features` - Current feature data (Materialized View)

**Option A - Single Schema (Current State):**
```
default
  ‚îú‚îÄ sensor_bronze (raw data)
  ‚îú‚îÄ sensor_hourly (aggregated - all teams READ)
  ‚îú‚îÄ turbine (metadata - all teams READ)
  ‚îú‚îÄ parts (maintenance info - field techs only?)
  ‚îî‚îÄ turbine_training_dataset (ML features - data scientists only?)
```

**Option B - Multiple Schemas (Recommended for Production):**
```
default (existing pipeline tables)
  ‚îî‚îÄ [Keep raw/bronze tables here]
  
turbine_operations (Team A - Field Techs)
  ‚îú‚îÄ sensor_hourly_view (aggregated data only)
  ‚îú‚îÄ turbine_view (filtered columns)
  ‚îî‚îÄ parts_view (maintenance schedule)
  
turbine_analytics (Team B - Data Scientists)
  ‚îú‚îÄ sensor_bronze (full access for ML)
  ‚îú‚îÄ turbine_training_dataset (ML features)
  ‚îî‚îÄ turbine_current_features (real-time features)
  
turbine_executive (Team C - Execs)
  ‚îú‚îÄ kpi_dashboard_view (aggregated KPIs)
  ‚îî‚îÄ fleet_summary_view (high-level metrics)
```

**Your Task:** Choose your architecture and document it below.

**Note:** For this challenge, you'll work with the existing tables in `default` schema and create views/new schemas as needed.

### üìù Your Schema Design

Document your decision:

```
My Architecture Choice: [Option A / Option B / Custom]

Reasoning:
- [Why did you choose this structure?]
- [How does it meet security requirements?]
- [What are the tradeoffs?]

Schema Structure:
Schema 1: _______________
  Purpose: _______________
  Teams with access: _______________
  
Schema 2: _______________
  Purpose: _______________
  Teams with access: _______________

[Add more schemas if needed]
```

### Step 3: Create User Groups

In Unity Catalog, you manage permissions via **groups**, not individual users.

**Task:** Create groups for each team (or use existing ones):

In [0]:
%sql
-- Create groups for each team
-- Note: You may need admin rights to create groups
-- In Free Edition, groups might be pre-created

-- Check existing groups first
%sql
SHOW GROUPS;

In [0]:
%sql
-- Create new groups (if needed)
-- Uncomment if you have permissions:

-- CREATE GROUP IF NOT EXISTS field_technicians;
-- CREATE GROUP IF NOT EXISTS data_scientists;
-- CREATE GROUP IF NOT EXISTS executives;

-- Verify groups exist
%sql
SHOW GROUPS;

### Step 4: Grant Permissions - Team A (Field Technicians)

**Requirements:**
- READ access to operational data
- NO access to financial tables
- NO WRITE access (they shouldn't modify data)

**Implementation:**

In [0]:
%sql
-- GRANT statements for Team A - Field Technicians
-- Note: Pipeline tables are in 'default' schema

-- Option 1: Grant at schema level (easiest)
-- GRANT USE SCHEMA ON SCHEMA default TO `field_technicians`;
-- GRANT SELECT ON SCHEMA default TO `field_technicians`;

-- Option 2: Grant at table level (more granular control)
-- Use actual tables from pipeline:
GRANT SELECT ON TABLE default.sensor_hourly TO `field_technicians`;
GRANT SELECT ON TABLE default.turbine TO `field_technicians`;
GRANT SELECT ON TABLE default.parts TO `field_technicians`;
GRANT SELECT ON TABLE default.historical_turbine_status TO `field_technicians`;

-- Add more GRANT statements based on your architecture
-- YOUR CODE HERE

### Step 5: Grant Permissions - Team B (Data Scientists)

**Requirements:**
- READ access to ALL sensor data (for ML training)
- WRITE access to analytics/experiment schema
- NO access to production tables for writing

**Implementation:**

In [0]:
%sql
-- GRANT statements for Team B - Data Scientists
-- Note: Pipeline tables in 'default', ML tables in 'e2eai_iot_turbine'

-- Read access to all tables
GRANT SELECT ON SCHEMA default TO `data_scientists`;
GRANT SELECT ON SCHEMA e2eai_iot_turbine TO `data_scientists`;

-- Write access to dedicated analytics schema (if you created one)
-- GRANT ALL PRIVILEGES ON SCHEMA turbine_analytics TO `data_scientists`;

-- Or specific table-level grants:
-- GRANT SELECT, MODIFY ON TABLE turbine_analytics.ml_features TO `data_scientists`;

-- YOUR CODE HERE

### Step 6: Grant Permissions - Team C (Executives)

**Requirements:**
- READ access ONLY to aggregated views/dashboards
- NO access to raw sensor data
- NO access to technical tables

**Strategy:** Create views first, then grant access to views only.

In [0]:
%sql
-- First, create an executive KPI view
-- Note: sensor_hourly is in 'default' schema from pipeline
CREATE OR REPLACE VIEW default.executive_kpi_dashboard AS
SELECT
  DATE(window.start) as date,
  COUNT(DISTINCT turbine_id) as active_turbines,
  SUM(avg_power) as total_power_output_kw,
  AVG(avg_power) as avg_power_per_turbine
  -- Add more KPIs but NO raw sensor data!
FROM default.sensor_hourly
GROUP BY DATE(window.start);

In [0]:
%sql
-- GRANT access to view only (NOT underlying tables)
GRANT SELECT ON VIEW default.executive_kpi_dashboard TO `executives`;

-- Executives should NOT have access to raw tables:
-- REVOKE SELECT ON TABLE default.sensor_bronze FROM `executives`;

-- YOUR CODE HERE

### Step 7: Verify Permissions

Check what permissions you've granted:

In [0]:
%sql
-- Check grants for a specific table
%sql
SHOW GRANTS ON TABLE default.sensor_hourly;

In [0]:
%sql
-- Check grants for a schema
%sql
SHOW GRANTS ON SCHEMA default;

## üìä Success Criteria

‚úÖ Created user groups for all 3 teams  
‚úÖ Granted appropriate READ permissions  
‚úÖ Restricted WRITE access to data scientists only  
‚úÖ Created executive view with aggregated data only  
‚úÖ Verified permissions with SHOW GRANTS  

**Level 1 Complete!** üéâ You've designed basic access control!

---

# ü•à LEVEL 2: Security Architect

**Difficulty:** Advanced

## üìö What You'll Learn

- Data masking techniques
- Row-level security (filtering)
- Column-level access control
- Handling edge cases (users in multiple groups)

## üéØ Your Mission

The basic permissions work, but there are problems:
1. Field techs can see turbine purchase costs (confidential!)
2. Execs accidentally saw raw sensor errors (confusing!)
3. A user in multiple groups has wrong permissions

**Goal:** Implement advanced security features to handle these issues.

## üìù Task Instructions

### Step 1: Identify Sensitive Columns

**Review your tables and identify sensitive data:**

Table: parts
- Potentially sensitive: supplier info, cost data
- Who should see: Field techs (operational), executives (costs)

Table: sensor_bronze
- Contains: Raw sensor data with possible errors/noise
- Who should see: Data scientists only (for ML)
- Field techs: Should use sensor_hourly (cleaned)

Table: sensor_hourly
- Contains: Aggregated, cleaned sensor data
- Who should see: All teams (operational data)


Table: turbine_training_dataset**Your Task:** List sensitive columns in your tables.

- Contains: ML features, may include sensitive patterns

- Who should see: Data scientists only```

- Who should see: All teams (different views)

Table: turbine, historical_turbine_status- Contains: Turbine metadata and status

### üìù Your Sensitive Data Audit

Document what needs protection:

```
Table: _______________________
Column: _______________________
  Sensitivity: [Confidential / Internal / Public]
  Accessible by: [Which teams?]
  Masking strategy: [Redact / Hash / Aggregate / Filter]

[Repeat for all sensitive columns]
```

### Step 2: Implement Data Masking

Unity Catalog supports **column masking** using SQL functions.

**Strategy:** Create masked views for teams that shouldn't see raw data.

In [0]:
%sql
-- Create a masked view for Field Technicians
-- Hide cost information from them

CREATE OR REPLACE VIEW default.sensor_hourly_field_view AS
SELECT
  turbine_id,
  window,
  avg_power,
  avg_vibration,
  avg_temperature,
  -- Mask any cost-related fields
  '***REDACTED***' as cost_per_hour  -- If this column exists
FROM default.sensor_hourly;

In [0]:
%sql
-- Now grant field techs access to MASKED VIEW instead of raw table
REVOKE SELECT ON TABLE default.sensor_hourly FROM `field_technicians`;
GRANT SELECT ON VIEW default.sensor_hourly_field_view TO `field_technicians`;

### Step 3: Implement Row-Level Security

**Scenario:** Different field technicians work in different regions. They should only see turbines in THEIR region.

**Implementation:** Create views with row filters based on user attributes.

In [0]:
%sql
-- First, create a user-region mapping table
CREATE OR REPLACE TABLE default.user_regions (
  username STRING,
  allowed_region STRING
);

-- Insert sample data
INSERT INTO default.user_regions VALUES
  ('tech_chicago@company.com', 'Chicago'),
  ('tech_miami@company.com', 'Miami'),
  ('tech_nyc@company.com', 'New York');

In [0]:
%sql
-- Create row-filtered view based on current user
CREATE OR REPLACE VIEW default.sensor_hourly_my_region AS
SELECT s.*
FROM default.sensor_hourly s
-- Join with turbine location info (assuming location column exists)
-- INNER JOIN default.turbine t ON s.turbine_id = t.turbine_id
WHERE 
  -- Filter based on current user's region
  -- t.location IN (
  --   SELECT allowed_region 
  --   FROM default.user_regions 
  --   WHERE username = current_user()
  -- )
  
  -- Simplified version if location is in sensor_hourly:
  1=1  -- Replace with actual row filter logic
;

### Step 4: Column-Level Security

**Advanced:** Different users see different columns in the same table.

**Example:** Data scientists see all columns, field techs see subset.

In [0]:
%sql
-- Create role-specific views with different column sets

-- View for Field Technicians (limited columns from turbine)
CREATE OR REPLACE VIEW default.turbine_field_view AS
SELECT
  turbine_id,
  model,
  location,
  lat,
  long
  -- Exclude any internal/sensitive fields if they exist
FROM default.turbine;

-- View for Data Scientists (all columns including ML features)
CREATE OR REPLACE VIEW default.turbine_analytics_view AS
SELECT
  t.*,
  tf.avg_energy,

  tf.std_energy,LEFT JOIN default.turbine_current_features tf ON t.turbine_id = tf.turbine_id;

  tf.trend_energyFROM default.turbine t

In [0]:
%sql
-- Grant appropriate views to each group
GRANT SELECT ON VIEW default.turbine_field_view TO `field_technicians`;
GRANT SELECT ON VIEW default.turbine_analytics_view TO `data_scientists`;

### Step 5: Handle Edge Cases

**üö® Problem:** Sarah is BOTH a Field Technician AND a Data Scientist.

**Question:** What permissions does she get?
- Most permissive (Data Scientist level)? ‚úì Unity Catalog default
- Most restrictive (Field Technician level)? ‚úó Not default
- Custom combination? (Advanced)

**Your Task:** Document how you would handle this.

### üìù Your Edge Case Strategy

**Scenario Analysis:**

**Case 1: User in Multiple Groups**
```
User: sarah@company.com
Groups: field_technicians, data_scientists
Expected behavior: [Most permissive / Most restrictive / Custom]
Your implementation: [How will you configure this?]
```

**Case 2: Temporary Access**
```
A contractor needs 1-week access to specific turbine data.
Your solution: [How do you grant time-limited access?]
```

**Case 3: Emergency Override**
```
During an outage, operations team needs immediate access to ALL data.
Your solution: [Break-glass procedure?]
```

## üìä Success Criteria

‚úÖ Implemented data masking for sensitive columns  
‚úÖ Created row-level security filters  
‚úÖ Set up column-level access control  
‚úÖ Documented edge case handling strategy  
‚úÖ Validated security with test queries  

**Level 2 Complete!** üéâ You're now a security architect!

---

# ü•á LEVEL 3: Real-World Application & Best Practices

**Difficulty:** Advanced | **Time:** 45 minutes

> üí° **Free Edition Note:** This level focuses on **documentation and manual processes** since automated enterprise features (system audit logs, alerting) require Unity Catalog Pro/Enterprise.

## üìö What You'll Learn

- Document governance decisions for your team
- Create manual permission backup/restore procedures
- Understand data lineage and impact analysis
- Design access review workflows
- Apply governance principles to real scenarios

## üéØ Your Mission

You've implemented technical controls in Level 1 & 2. Now make your governance framework **maintainable, auditable, and team-ready**.

1. Automated compliance reporting
2. Data lineage tracking
3. Regular access reviews
4. Incident response procedures

**Goal:** Build a production-ready governance system that scales.

## üìù Implementation Guide

### Component 1: Governance Documentation

**Create a governance playbook that includes:**


### üìã Your Governance Playbook

Complete this template:

---

## **WIND TURBINE DATA GOVERNANCE PLAYBOOK**

### 1. Access Control Matrix

| Role | Schema Access | Table Access | Permission Level | Approval Required |
|------|---------------|--------------|------------------|-------------------|
| Field Technician | turbine_operations | sensor_hourly, turbine_status | SELECT | Manager approval |
| Data Scientist | turbine_analytics | ALL | SELECT, MODIFY | Lead DS approval |
| Executive | turbine_executive | KPI views only | SELECT | CTO approval |
| Admin | ALL | ALL | ALL | Security team |

### 2. Data Classification

| Classification | Examples | Who Can Access | Encryption | Audit Level |
|----------------|----------|----------------|------------|-------------|
| Public | Fleet size, location names | All employees | No | Basic |
| Internal | Sensor readings | Tech + DS + Execs | TLS | Standard |
| Confidential | Cost data, failure predictions | Execs + DS only | TLS + at-rest | Enhanced |
| Restricted | Strategic plans | Execs only | Full encryption | Complete |

### 3. Incident Response Procedures

**Scenario: Unauthorized Access Detected**
1. Step 1: [Immediately revoke access]
2. Step 2: [Check audit logs]
3. Step 3: [Notify security team]
4. Step 4: [Review similar permissions]

**Scenario: Data Leak**
1. Step 1: [___]
2. Step 2: [___]
3. Step 3: [___]

### 4. Access Review Schedule

- **Monthly:** Review new user additions
- **Quarterly:** Audit all field technician access
- **Annually:** Complete access recertification
- **Ad-hoc:** After employee role changes

### 5. Compliance Checklist

- [ ] GDPR: Personal data minimized
- [ ] SOC 2: Access controls documented
- [ ] ISO 27001: Periodic access reviews
- [ ] Internal: Cost data protected
- [ ] Internal: Audit trail enabled

---

### Component 2: Manual Permission Tracking

**Task:** Create a manual tracking system for permissions (since system tables aren't available in Free Edition).

In [0]:
%sql
-- Create a manual permission tracking table in default schema

CREATE TABLE IF NOT EXISTS default.permission_tracking (
  grant_date TIMESTAMP,
  grantee STRING,
  object_type STRING,  -- 'SCHEMA', 'TABLE', 'VIEW'
  object_name STRING,
  privilege STRING,  -- 'SELECT', 'MODIFY', 'ALL'
  granted_by STRING,
  justification STRING,
  review_date TIMESTAMP
);

-- Example: Log a permission grant manually
INSERT INTO default.permission_tracking VALUES (
  current_timestamp(),
  'field_technicians',
  'TABLE',

  'default.sensor_hourly',);

  'SELECT',  current_timestamp() + INTERVAL 90 DAYS

  current_user(),  'Operational data access for field teams',

In [0]:
%sql
-- Query your permission tracking table

SELECT 
  grantee,
  object_name,
  privilege,
  grant_date,
  review_date,
  DATEDIFF(review_date, current_timestamp()) as days_until_review
FROM default.permission_tracking
WHERE review_date < current_timestamp() + INTERVAL 30 DAYS
ORDER BY review_date;

-- This helps you identify permissions that need review soon

### Component 3: Data Lineage Documentation

**Purpose:** Understand data flow and impact of changes.

**Task:** Manually document your data lineage (Unity Catalog Free Edition has basic lineage in UI).

### üìä Your Data Lineage Map

Document your actual data flows:

```
SOURCE ‚Üí TRANSFORMATION ‚Üí DESTINATION ‚Üí CONSUMERS
=================================================

Flow 1: Sensor Data Pipeline
sensor_bronze (raw IoT stream)
  ‚Üí sensor_hourly (hourly aggregation via MATERIALIZED VIEW)
  ‚Üí executive_kpi_dashboard (aggregated view)
  ‚Üí Used by: Executives team
  
Impact Analysis:
- If sensor_bronze schema changes ‚Üí sensor_hourly breaks
- If sensor_hourly changes ‚Üí executive dashboard breaks
- Affected teams: Field Techs, Data Scientists, Executives

Flow 2: ML Training Pipeline
sensor_bronze ‚Üí turbine_training_dataset ‚Üí ML Model Training
  ‚Üí Used by: Data Scientists team
  
Impact Analysis:
- Schema changes affect model training
- Need to retrain models if features change

Flow 3: Operational Data

turbine (metadata) + parts (maintenance) ‚Üí Field Tech dashboards- Update after each schema/pipeline change

  ‚Üí Used by: Field Technicians team- Document dependencies in this notebook or a shared document

- Check Unity Catalog UI ‚Üí Data Explorer ‚Üí Select table ‚Üí "Lineage" tab

[YOUR TASK: Document your actual lineage here]**Manual Lineage Tracking:**

```

### Component 4: Manual Access Reviews

**Task:** Create queries to support quarterly access reviews (using SHOW GRANTS since system tables aren't available).

In [0]:
%sql
-- Query 1: Check all grants on sensitive tables manually

-- Check sensor_bronze (should be data scientists only)
SHOW GRANTS ON TABLE default.sensor_bronze;

-- Check parts table
SHOW GRANTS ON TABLE default.parts;

-- Check training dataset
SHOW GRANTS ON TABLE default.turbine_training_dataset;

-- YOUR TASK: Document results in permission_tracking table

In [0]:
%sql
-- Query 2: Review all schema-level grants

SHOW GRANTS ON SCHEMA default;

-- Review table-level grants for key tables
SHOW GRANTS ON TABLE default.sensor_hourly;
SHOW GRANTS ON TABLE default.turbine;

-- YOUR TASK: Run these quarterly and document in permission_tracking

### üìã Access Review Checklist

Create a quarterly review process:

**Every Quarter:**
1. Run `SHOW GRANTS` on all sensitive tables
2. Review permission_tracking table for upcoming review dates
3. Verify each group still needs their current access
4. Document review in permission_tracking:
   ```sql
   UPDATE default.permission_tracking
   SET review_date = current_timestamp() + INTERVAL 90 DAYS
   WHERE grantee = 'team_name' AND object_name = 'table_name';
   ```
5. Revoke unnecessary permissions
6. Share review results with management

**Red Flags to Check:**
- Users with access to tables they don't use
- Broad schema-level grants when table-level would suffice
- Groups with MODIFY rights that only need SELECT

### Component 5: Permission Backup & Recovery

**Scenario:** You accidentally revoke critical permissions! How do you recover?

**Task:** Create a manual backup procedure.

In [0]:
%sql
-- Manual backup strategy (Free Edition compatible)

-- Step 1: Export all current grants to a table
CREATE TABLE IF NOT EXISTS default.grants_backup (
  backup_date TIMESTAMP,
  object_type STRING,
  object_name STRING,
  grant_statement STRING
);

-- Step 2: Manually record key grants
INSERT INTO default.grants_backup VALUES
  (current_timestamp(), 'TABLE', 'default.sensor_hourly', 'GRANT SELECT ON TABLE default.sensor_hourly TO `field_technicians`;'),

  (current_timestamp(), 'TABLE', 'default.turbine', 'GRANT SELECT ON TABLE default.turbine TO `field_technicians`;'),-- YOUR TASK: Add all your GRANT statements here

  (current_timestamp(), 'SCHEMA', 'default', 'GRANT SELECT ON SCHEMA default TO `data_scientists`;');

In [0]:
%sql
-- Restore procedure: Query and execute

SELECT grant_statement
FROM default.grants_backup
WHERE backup_date = (SELECT MAX(backup_date) FROM default.grants_backup)
ORDER BY object_name;

-- Copy the output and execute each GRANT statement manually
-- This restores your permissions to the last backup state

### Component 6: Manual Compliance Reporting

**Task:** Create a manual compliance checklist (since automated reporting needs system tables).

### üìä Quarterly Compliance Report Template

**Report Date:** _______
**Reviewed By:** _______

#### 1. Access Control Coverage
- [ ] All sensitive tables have explicit grants (sensor_bronze, parts, turbine_training_dataset)
- [ ] No overly broad schema-level grants
- [ ] Field technicians: SELECT only on operational tables
- [ ] Data scientists: SELECT on all data, MODIFY on analytics tables only
- [ ] Executives: SELECT only on aggregated views

#### 2. Permission Inventory
Run these queries and document results:
```sql
SHOW GRANTS ON SCHEMA default;
SHOW GRANTS ON TABLE default.sensor_bronze;
SHOW GRANTS ON TABLE default.sensor_hourly;
SHOW GRANTS ON TABLE default.turbine;
```

**Total Groups with Access:** _____
**Total Tables Protected:** _____

#### 3. Data Masking Verification
- [ ] Executive views show aggregated data only (no raw sensor values)
- [ ] Field tech views exclude sensitive columns
- [ ] Test queries validated

#### 4. Violations Found
List any issues:
1. _______
2. _______

#### 5. Remediation Actions
1. _______
2. _______

### Component 7: Incident Response Playbook

**Task:** Set up alerts for security violations.

**Pseudo-code for alert system:**

```python
# Alert Rule 1: Unusual access patterns
if user_access_count > 1000 in last_hour:
    send_alert(f"User {username} accessed {table} {count} times")

# Alert Rule 2: Sensitive table access by unauthorized user
if accessed_table == 'turbine_cost_analysis' and user not in 'executives':
    send_critical_alert(f"Unauthorized access attempt by {username}")

# Alert Rule 3: Permission changes
if action in ['GRANT', 'REVOKE']:
    send_notification(f"Permission change: {action} {table} to {user}")
```

In Databricks, implement with:
- **Databricks SQL Alerts** on audit log queries
- **Webhooks** to Slack/Email/PagerDuty
- **Jobs** that run hourly/daily checks

## ‚úÖ Validation Steps

### Governance Framework Checklist

1. **Documentation Complete**
   - [ ] Access control matrix filled out
   - [ ] Data classification defined
   - [ ] Incident response procedures documented
   - [ ] Compliance checklist created

2. **Technical Implementation**
   - [ ] Permission tracking table created
   - [ ] Data lineage documented
   - [ ] Manual access review queries working
   - [ ] Grant backup system in place
   - [ ] Quarterly compliance template ready

3. **Operational Readiness**
   - [ ] Team trained on playbook
   - [ ] Quarterly review schedule set
   - [ ] Incident response procedures documented
   - [ ] Permission backup tested

### Test Your System

```sql
-- Test 1: Check permission tracking
SELECT * FROM default.permission_tracking 
ORDER BY grant_date DESC LIMIT 10;

-- Test 2: Verify grants on sensitive tables
SHOW GRANTS ON TABLE default.sensor_bronze;
SHOW GRANTS ON TABLE default.parts;

-- Test 3: Test restore from backup
SELECT grant_statement FROM default.grants_backup
WHERE backup_date = (SELECT MAX(backup_date) FROM default.grants_backup);
-- Copy and test one GRANT statement

-- Test 4: Check upcoming reviews
SELECT * FROM default.permission_tracking
WHERE review_date < current_timestamp() + INTERVAL 30 DAYS;
```

## üìä Success Criteria

‚úÖ Complete governance playbook documented  
‚úÖ Manual permission tracking operational  
‚úÖ Data lineage mapped and documented  
‚úÖ Manual access review process created  
‚úÖ Grant backup and restore system working  
‚úÖ Compliance reporting template created  
‚úÖ Incident response procedures defined  

**Level 3 Complete!** üèÜ You've created a maintainable governance framework!

> üí° **Free Edition Reality Check:** This level used manual processes suitable for Free Edition. In Pro/Enterprise, many of these would be automated via system tables, audit logs, and alerting.

---

# üéì Final Reflection & Next Steps

## üéâ Congratulations!

You've built a **production-ready data governance framework** from scratch! 

### What You've Mastered

**Technical Skills:**
- ‚úÖ Unity Catalog permission model (GRANT/REVOKE)
- ‚úÖ Data masking and column-level security
- ‚úÖ Row-level security with filtered views
- ‚úÖ Audit logging and compliance reporting
- ‚úÖ Data lineage analysis
- ‚úÖ Disaster recovery procedures

**Governance Principles:**
- ‚úÖ Principle of Least Privilege
- ‚úÖ Defense in Depth (multiple security layers)
- ‚úÖ Auditability and Transparency
- ‚úÖ Separation of Duties
- ‚úÖ Regular Access Reviews

---

## üöÄ Real-World Application

### How This Works in Production

**Scenario: New Employee Onboarding**
```
1. HR creates user account
2. Manager requests access via ticket
3. Governance team reviews playbook
4. Execute GRANT statements
5. User added to audit log
6. Confirmation email sent
```

**Scenario: Security Incident**
```
1. Alert triggered: Unusual access pattern
2. Security team reviews audit logs
3. Identify affected tables via lineage
4. REVOKE access immediately
5. Restore from grants backup if needed
6. Root cause analysis
```

**Scenario: Compliance Audit**
```
1. Auditor requests access reports
2. Run compliance dashboard queries
3. Export results to PDF
4. Demonstrate access controls
5. Show audit trail
6. Pass audit ‚úì
```

---

## üí° Advanced Topics (For Later)

Once you've mastered the basics, explore:

### 1. **Attribute-Based Access Control (ABAC)**
Instead of role-based, use user attributes:
```sql
-- Grant access based on user location, department, clearance level
CREATE VIEW filtered_view AS
SELECT * FROM sensor_data
WHERE location = get_user_attribute('location')
  AND clearance_level >= get_user_attribute('clearance');
```

### 2. **Dynamic Data Masking**
Mask data based on context:
```sql
-- Show full data in production, masked in dev
CASE 
  WHEN current_database() = 'prod' THEN actual_value
  ELSE mask(actual_value)
END
```

### 3. **Time-Based Access**
Temporary permissions that auto-expire:
```sql
-- Grant access for 24 hours only
-- (Requires external automation)
```

### 4. **Cross-Catalog Governance**
Manage permissions across multiple catalogs:
```sql
GRANT SELECT ON * TO `analysts`;
GRANT SELECT ON dev.* TO `data_engineers`;
```

---

## üéØ Next Steps in Your Journey

### Immediate Actions
1. **Apply to Your Data:** Use this framework on your actual datasets
2. **Share with Team:** Present your governance model to stakeholders
3. **Get Feedback:** What security concerns do they have?

### Continue Learning
- **Module 03 - BI Dashboards:** Create compliance dashboards
- **Module 04 - ML:** Governance for ML models and features
- **Module 05 - GenAI:** Security for AI agents accessing data

### Certification Prep
This challenge prepares you for:
- **Databricks Data Engineer Associate**
- **Databricks Data Analyst Associate**
- **Security/Compliance certifications**

---

## üìö Resources

### Documentation
- [Unity Catalog Best Practices](https://docs.databricks.com/data-governance/unity-catalog/best-practices.html)
- [Data Governance Guide](https://docs.databricks.com/data-governance/index.html)
- [Audit Logs](https://docs.databricks.com/administration-guide/account-settings/audit-logs.html)

### Community
- Databricks Community Forums (Data Governance section)
- Unity Catalog GitHub discussions
- LinkedIn #DataGovernance

---

## üèÜ Challenge Badge Unlocked!

**üîê Data Governance Master**

You've completed:
- ‚úÖ Level 1: Access Control Designer
- ‚úÖ Level 2: Security Architect  
- ‚úÖ Level 3: Governance Master

**Share your achievement:**
> "Just completed a comprehensive data governance challenge covering Unity Catalog, data masking, audit logging, and compliance reporting! #DataGovernance #Databricks #UnityCatalog"

---

**Thank you for your dedication to secure, compliant data engineering!** üéâ

*Remember: Good governance isn't about blocking access - it's about enabling safe, responsible data use.*