# Access Management

Ryft provides a single control plane for managing permissions across all query engines that read and write your Iceberg tables - Trino, Snowflake, Athena, and others.

Rather than configuring grants separately in each engine, you define access policies once in Ryft - in terms of IdP groups, not individual users. Ryft continuously reconciles these policies with every connected engine, keeping access controls consistent as your data and teams evolve.

## Policy Scope

* **Catalog** - applies to all tables (including future ones) within that catalog
* **Namespace** - applies to all tables (including future ones) within that namespace and expands catalog-level policies
* **Table** - applies to a specific table and expands namespace-level policies

## Security Considerations

All grant and policy changes are applied exclusively through the Ryft data plane. The control plane only reads the current state to detect drift - it never writes to any engine directly.

<Note>
  Access management is currently additive-only - it applies grants defined in its policies but does not revoke grants that were set outside of Ryft. Engine-native permissions configured independently remain in place.
</Note>
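
Because access management is additive-only, grants made directly in an engine stay in place alongside the policy-defined ones, so they have to be found by comparison. The following added example (not Ryft's own code or API) derives the grants each table should carry from catalog, namespace and table policies and lists engine grants that no policy defines. The tuple data model, group names and sample grants are constructed, and it assumes narrower scopes add to broader ones as a union.

```python
from collections import defaultdict

# Constructed policies: (scope, IdP group, privilege). A scope is a path prefix:
# (catalog,), (catalog, namespace) or (catalog, namespace, table).
POLICIES = [
    (("lake",), "grp-analysts", "SELECT"),
    (("lake", "finance"), "grp-finance", "SELECT"),
    (("lake", "finance", "ledger"), "grp-finance-eng", "INSERT"),
]

# Constructed grants as read back from one engine: (table, group, privilege).
ENGINE_GRANTS = [
    (("lake", "finance", "ledger"), "grp-analysts", "SELECT"),
    (("lake", "finance", "ledger"), "grp-finance", "SELECT"),
    (("lake", "finance", "ledger"), "grp-finance-eng", "INSERT"),
    (("lake", "finance", "ledger"), "grp-contractors", "SELECT"),  # made in the engine
    (("lake", "finance", "budget"), "grp-analysts", "SELECT"),
]

def expected_grants(table, policies):
    """Union of every policy whose scope is a prefix of the table's path."""
    return {(grp, priv) for scope, grp, priv in policies
            if table[:len(scope)] == scope}

def audit(tables, policies, engine_grants):
    """Per table: policy grants not yet applied, and grants no policy defines."""
    actual = defaultdict(set)
    for table, grp, priv in engine_grants:
        actual[table].add((grp, priv))
    report = {}
    for table in tables:
        want = expected_grants(table, policies)
        have = actual[table]
        report[table] = {
            "missing": sorted(want - have),
            # Additive-only mode leaves these in place, so they need manual review.
            "out_of_band": sorted(have - want),
        }
    return report

if __name__ == "__main__":
    tables = sorted({t for t, _, _ in ENGINE_GRANTS})
    for table, finding in audit(tables, POLICIES, ENGINE_GRANTS).items():
        print(".".join(table), finding)
```
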
