Limiting Access to Data
You can limit what data individual users can see and query using data permissions and custom roles. Once set, users with custom roles will be able to perform the activities of users with the General:Read permission, but they only see data their permissions allow. This includes all parts of the Platform, including the Asset Inventory, SQL Console, and Reports.
This feature applies only to data synced to CloudQuery Platform. If you sync to an external database, you need to manage the data access yourself.
Data access controls overview
Data access controls consist of:
- Data permissions: individual permissions granting access to a defined set of data in the CloudQuery Platform database.
- Custom roles: containers for individual data permissions.
Data Permissions
Data permissions grant access to a subset of data synced to CloudQuery Platform. You define data permissions dynamically using SQL as a set of _cq_platform_id values each permission grants access to.
For example, a data permission defined as
SELECT _cq_platform_id
FROM cloud_assets
WHERE resource_type = 'aws_ec2_instances'
grants access to data about all EC2 instances, but nothing else.
Custom roles
Custom roles are a collection of one or more data permissions. They function as a special case of the General:Read role. Users with custom roles can perform all General:Read activities, but only see data granted by their assigned permissions. Assign roles in User Management, or automatically through an SSO identity provider. A user can have multiple custom roles assigned. However, for the roles to have an effect, the user must not have any of the built-in roles assigned.

For a custom role to have any effect, the user must not have any built-in role assigned. Custom roles automatically inherit all permissions from the General:Read role.
Configuring Data Access from scratch
Planning
When planning data access restrictions, consider:
- What is the primary criterion you want to distinguish by? Is it available on all assets? For example, if you decide to limit access by region, not all assets actually have a region available, and you may need to include them in the data access permissions in another way.
- What granularity do you require for the data access permissions? You can have a 1-1 mapping of permissions to roles, or you can make them more granular and then use various combinations of permissions in custom roles.
- Are you going to need to restrict access to some specific data? Data permissions are inclusive, meaning you cannot restrict access to specific assets with one permission once it is granted with another one for the same role.
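The planning questions above can be checked against an inventory before any role is assigned. The sketch below is an added example, not CloudQuery code: it models a role as the union of its permissions' _cq_platform_id sets, using an in-memory SQLite table as a stand-in for cloud_assets. The asset rows and permission names are constructed, and the Platform's own SQL dialect may differ.

```python
import sqlite3

# Constructed sample inventory; only the column names come from the page.
ASSETS = [
    ("id-1", "aws_ec2_instances", "us-east-1"),
    ("id-2", "aws_ec2_instances", "eu-west-1"),
    ("id-3", "aws_s3_buckets", "us-east-1"),
    ("id-4", "aws_iam_roles", None),  # global resource with no region
]

# Hypothetical permission names mapped to their defining queries.
PERMISSIONS = {
    "us-east-1-all": "SELECT _cq_platform_id FROM cloud_assets "
                     "WHERE region = 'us-east-1'",
    "eu-west-1-all": "SELECT _cq_platform_id FROM cloud_assets "
                     "WHERE region = 'eu-west-1'",
    "all-but-ec2": "SELECT _cq_platform_id FROM cloud_assets "
                   "WHERE resource_type != 'aws_ec2_instances'",
}

def open_inventory():
    """Build the stand-in cloud_assets table (SQLite, for illustration only)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE cloud_assets "
               "(_cq_platform_id TEXT, resource_type TEXT, region TEXT)")
    db.executemany("INSERT INTO cloud_assets VALUES (?, ?, ?)", ASSETS)
    return db

def granted(db, permission):
    """Identifiers a single permission grants access to."""
    cur = db.execute(PERMISSIONS[permission])
    # Simplified version of the Console's check on the result column.
    if cur.description[0][0] != "_cq_platform_id":
        raise ValueError(f"{permission}: first column must be _cq_platform_id")
    return {row[0] for row in cur}

def role_view(db, permissions):
    """A role sees the union of its permissions; nothing is subtracted."""
    return set().union(*(granted(db, p) for p in permissions))

def uncovered(db, permissions):
    """Assets that none of the permissions reach, e.g. rows without a region."""
    everything = {r[0] for r in
                  db.execute("SELECT _cq_platform_id FROM cloud_assets")}
    return everything - role_view(db, permissions)
```

With region-only permissions, `uncovered` returns the region-less IAM role, and combining "all-but-ec2" with "us-east-1-all" still exposes the us-east-1 EC2 instance, because the second permission grants what the first one leaves out.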
Defining a data permission
Data permissions rely on the _cq_platform_id of assets, a deterministic unique identifier for every resource in the Platform database. Permissions are defined as SQL queries that return the set of identifiers in the _cq_platform_id column.
For most use cases, you should be able to rely on the cloud_assets view to define the permissions, but you can combine it with arbitrary tables available on the platform. For example, to create a data permission that grants access only to AWS EC2 instances in the us-east-1 region, you can specify the permission either as
SELECT _cq_platform_id, region FROM aws_ec2_instances
WHERE region='us-east-1'
or
select _cq_platform_id from cloud_assets where region = 'us-east-1'
and resource_type='aws_ec2_instances'
To create a new data permission, navigate to Organization settings > Data permissions. Click Add data permission and fill in the name and description.

Click Open SQL Console to start defining the SQL query for this permission. The SQL Console will open in its data permission definition mode (identified by the Add to data permission button in the top right).
Write the query and execute it. The Console will warn you if the resulting table does not use the _cq_platform_id column. You cannot name an arbitrary column _cq_platform_id; you need to use the column from the database.
You should see the results of the query in the bottom part of the screen. These are the assets the permission will grant access to.

When ready, click Add to data permission and you’ll be taken back to the data permission screen. As confirmation, you will see the count of resources this permission grants access to. To change the query, click Edit Query.

Confirm creation of the data permission by clicking Create data permission.
Next, assign the permission to a role.
Defining a custom role
To create a new custom role, navigate to Organization settings > Roles. Click Create Role and fill in the name and description.

Click Add data permission and select the permission to add to this role from the panel. You can select and add multiple permissions at the same time.
Click Add selected data permissions and then finish creation of the role with Create.
Next, you need to assign the role to a user. If your users log in using Single sign-on, you will need to Map Groups to User Roles. Otherwise, see Changing Non-SSO User’s Workspace Role.
Next Steps
- Workspace Roles Overview - Understand available roles
- Resource Ownership - Control who owns integrations and syncs
- Policies - Combine data access controls with compliance policies