Ryft provides a single control plane for managing permissions across all query engines that read and write your Iceberg tables - Trino, Snowflake, Athena, and others. Rather than configuring grants separately in each engine, you define access policies once in Ryft - in terms of IdP groups, not individual users. Ryft continuously reconciles these policies with every connected engine, keeping access controls consistent as your data and teams evolve.

Policy Scope

  • Catalog - applies to all tables (including future ones) within that catalog
  • Namespace - applies to all tables (including future ones) within that namespace and expands catalog-level policies
  • Table - applies to a specific table and expands namespace-level policies

Security Considerations

All grant and policy changes are applied exclusively through the Ryft data plane. The control plane only reads the current state to detect drift - it never writes to any engine directly.
Access management is currently additive-only: Ryft applies the grants defined in its policies but does not revoke grants that were set outside of Ryft. Engine-native permissions configured independently remain in place.
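
The scope rules and the additive-only behaviour described above can be modelled in a few lines. This is an added example, not Ryft code: the policy schema, the function names `effective_grants` and `reconcile`, and all sample data are assumptions constructed for illustration.

```python
# Illustrative model only: hypothetical schema, not Ryft's policy format or API.
# Constructed sample policies keyed by scope path: (catalog[, namespace[, table]])
POLICIES = {
    ("lake",): {"analysts": {"SELECT"}},
    ("lake", "sales"): {"analysts": {"INSERT"}, "sales-eng": {"SELECT"}},
    ("lake", "sales", "orders"): {"sales-eng": {"INSERT", "DELETE"}},
}

# Constructed grants as one engine might report them for lake.sales.orders.
ENGINE_GRANTS = {
    ("analysts", "SELECT"),
    ("sales-eng", "SELECT"),
    ("contractors", "SELECT"),  # granted directly in the engine, not via policy
}


def effective_grants(table, policies):
    """Union the catalog, namespace and table policies that cover `table`.

    Narrower scopes expand broader ones; nothing is ever subtracted.
    """
    grants = set()
    for depth in range(1, len(table) + 1):
        for group, privileges in policies.get(table[:depth], {}).items():
            grants |= {(group, p) for p in privileges}
    return grants


def reconcile(table, policies, engine_grants):
    """Return (to_apply, unmanaged) for one table on one engine.

    to_apply:  grants the policies define that the engine lacks (drift).
    unmanaged: grants on the engine that no policy defines. Additive-only
               management leaves these in place, so they need manual review.
    """
    desired = effective_grants(table, policies)
    return desired - engine_grants, engine_grants - desired


if __name__ == "__main__":
    to_apply, unmanaged = reconcile(("lake", "sales", "orders"), POLICIES, ENGINE_GRANTS)
    print("apply:", sorted(to_apply))
    print("review (not revoked):", sorted(unmanaged))
```

The `unmanaged` set is the part to audit: those grants keep working on the engine even though no policy mentions them.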