To improve data security and privacy, Datafold supports running workflows like data diffs through OAuth. This ensures queries are executed using the user’s own database credentials, fully complying with granular access controls like data masking and object-level permissions. The diagram below illustrates how the authentication flow proceeds:
  1. Users authenticate using the configured OAuth provider.
  2. Users can then create diffs between data sets that their user can access using OAuth database permissions.
  3. During Continuous Integration (CI), Datafold executes diffs using a Service Account with the least privileges, thus masking sensitive/PII data.
  4. If a user needs to see sensitive/PII data from a CI diff, and they have permission via OAuth to do so, they can rerun the diff, and then Datafold will authenticate the user using OAuth database permissions. Then, the user will have access to the data based on these permissions.
This structure ensures that diffs are executed with the user’s database credentials with their configured roles and permissions. Data access permissions are thus fully managed by the database, and Datafold only passes through queries.