/* global React, Hero, SectionLabel, AntiPatterns, BestPractices, Takeaway, Panel, MMNames */ const { useState, useEffect, useRef } = React; /* ============================================================ * Ch8 · Govern — Permission Gate * Mock IDE editing dbt for dim_users. * Drag actor chips onto column rows. Ship → deploy animation. * If PII columns lack PII_Person → Access Gateway blocks. * Toggle: Policy Zone gate. * ============================================================ */ const COLUMNS = [ { id: 'user_id', type: 'STRING', pii: false, required: null, note: 'non-PII internal id' }, { id: 'employee_email', type: 'STRING', pii: true, required: 'canonicalEmployee', note: 'identifies a human' }, { id: 'account_id', type: 'STRING', pii: true, required: 'canonicalEmployee', note: 'device ↔ user linkage' }, { id: 'event_type', type: 'INT', pii: false, required: null, note: 'CVSS bucket, 0–4' }, { id: 'manager_unixname', type: 'STRING', pii: true, required: 'canonicalEmployee', note: 'identifies a human' }, ]; const CHIPS = [ { id: 'canonicalEmployee', labelKey: 'canonicalEmployee', swatch: '#7C5CFF' }, { id: 'canonicalApp', labelKey: 'canonicalApp', swatch: '#2D7DFF' }, { id: 'canonicalCW', labelKey: 'canonicalCW', swatch: '#22D3EE' }, { id: 'none', labelKey: 'none', swatch: '#B9C0CA', label: 'none' }, ]; function PermissionGateSim({ internalMode, reduceMotion }) { const N = MMNames(internalMode); const [assignments, setAssignments] = useState({}); // colId → chipId const [dragging, setDragging] = useState(null); // "required" = the catalog/infra requires PII Policy Zone (preset in scenario) // "zone" = the user has added the data_classification directive to dbt const [zoneRequired, setZoneRequired] = useState(false); const [zone, setZone] = useState(false); const [shipState, setShipState] = useState('idle'); // idle | deploying | blocked | shipped const [console_, setConsole_] = useState([]); const [confetti, setConfetti] = useState(0); const assignTo = (colId) => { if (!dragging) return; setAssignments(a => ({...a, [colId]: dragging})); setDragging(null); }; const clearCol = (colId) => { setAssignments(a => { const n = {...a}; delete n[colId]; return n; }); }; const ship = () => { setShipState('deploying'); setConsole_(['[access-gateway] starting deploy of dim_users.spec…']); const violations = []; COLUMNS.forEach(c => { if (c.required) { const got = assignments[c.id]; if (!got || got === 'none' || got !== c.required) { violations.push({ col: c.id, needed: N[c.required] }); } } }); let delay = reduceMotion ? 0 : 500; const push = (line, ms) => setTimeout(() => setConsole_(l => [...l, line]), (delay += (ms || 250))); push('[access-gateway] reading column actor annotations…', 300); push(`[access-gateway] ${COLUMNS.length} columns · ${COLUMNS.filter(c=>c.required).length} require actor annotations`, 250); if (violations.length > 0) { violations.forEach(v => { push(`[access-gateway] ✕ BLOCKED · column "${v.col}" missing required actor <${v.needed}>`, 200); }); push('[access-gateway] deploy aborted. Patch dbt and re-ship.', 400); setTimeout(() => setShipState('blocked'), delay + 200); } else if (zoneRequired && !zone) { push(`[access-gateway] ✕ BLOCKED · catalog flags dataset as PII-regional · data_classification "pii_secure" required`, 250); push('[access-gateway] deploy aborted. Add to dbt header.', 400); setTimeout(() => setShipState('blocked'), delay + 200); } else { push('[access-gateway] ✓ actor annotations complete', 200); if (zone) push('[access-gateway] ✓ data_classification resolved · pii_secure', 150); push(`[access-gateway] ✓ ACL <${N.dataProjectAcl}: corp_assets> bound`, 150); push('[access-gateway] ✓ deployed to prod · v237 → v238', 250); setTimeout(() => { setShipState('shipped'); setConfetti(c => c + 1); }, delay + 200); } }; const reset = () => { setAssignments({}); setShipState('idle'); setConsole_([]); }; const autofix = () => { const next = {...assignments}; COLUMNS.forEach(c => { if (c.required) next[c.id] = c.required; }); setAssignments(next); setShipState('idle'); setConsole_([]); }; const chipLabel = (id) => { if (id === 'none') return 'none'; return N[id] || id; }; return (
{/* actor chip rail */}
Drag an actor
{CHIPS.map(c => (
setDragging(c.id)} onDragEnd={() => setDragging(null)} onClick={() => setDragging(d => d === c.id ? null : c.id)} style={{'--sw': c.swatch}}> {chipLabel(c.id)}
))}
Click a chip, then click a column, or drag.
{/* IDE editor */}
dim_users.spec.yaml · 5 columns
1dataset: dim_users
2owner: analytics_oncall
3dataset_acl: corp_assets
{zone &&
4data_classification: pii_secure
}
{zone ? 5 : 4}columns:
{COLUMNS.map((c, i) => { const assigned = assignments[c.id]; const ok = !c.required || assigned === c.required; const bad = c.required && (!assigned || assigned === 'none' || assigned !== c.required); return (
e.preventDefault()} onDrop={() => assignTo(c.id)} onClick={() => dragging && assignTo(c.id)}> {(zone ? 6 : 5) + i} - {c.id} : {c.type} {c.pii && PII} {assigned ? ( { e.stopPropagation(); clearCol(c.id); }}> actors: [{chipLabel(assigned)}] × ) : c.required ? ( needs {N[c.required]} ) : ( actor optional )}
); })}
{/* Access Gateway console */}
{N.access_gateway} · deploy log {shipState === 'idle' && 'ready'} {shipState === 'deploying' && '● deploying'} {shipState === 'blocked' && '✕ blocked'} {shipState === 'shipped' && '✓ shipped'}
{console_.length === 0 ?
[access-gateway] waiting for ship…
: console_.map((l, i) => (
{l}
))}
{shipState === 'shipped' && ✓ confetti {confetti}× · dbt v238 is live} {shipState === 'blocked' && ✕ patch the dbt and re-ship}
); } function Ch8_Govern({ chapter, internalMode }) { const N = MMNames(internalMode); return ( <> deploy gate.`} hook={`Every column that names a human, device, or contractor must declare what kind of identity it carries. ${N.access_gateway} reads that declaration at deploy time and refuses to ship a ${N.datasetspec} that has unannotated PII. You don't argue with it; you annotate and re-ship. This is the layer that makes the entire warehouse legally safe to query.`} meta={[ { k: 'Deploy gate', v: N.access_gateway }, { k: 'ACL', v: N.dataProjectAcl }, { k: 'Actors', v: `${N.canonicalEmployee} · ${N.canonicalApp}` }, ]} />
Actor annotations

Every column declares what it identifies.

A column isn't just a type: it's also a subject. employee_email identifies a person. service_account_id identifies an application. contractor_id identifies a contingent worker. Three canonical actors cover >95% of cases:

{N.canonicalEmployee}
Identifies a regular employee
Emails, unixnames, manager chains, device serials that map 1:1 to a person. Most common PII in corp data.
{N.canonicalApp}
Identifies an application / service
Service account IDs, bot tokens, app UUIDs. Not human PII, but still sensitive: lives in a different ACL bucket.
{N.canonicalCW}
Identifies a contingent worker
Legally distinct retention and access rules from regular employees. Mislabelling is a compliance incident.
The deploy gate

{N.access_gateway} reads the dbt, not your pull request.

Reviewers can miss an unannotated PII column. The deploy gate can't. When you ship a dbt, {' '}{N.access_gateway} walks every column, checks the declared actor set against the inferred PII class, resolves the {N.dataProjectAcl}, and (optionally) verifies the Policy Zone binding. Any failure: no ship. Patch and re-ship.

Policy zones & opaque transforms

A Policy Zone restricts a column so it's only readable inside a specific compute environment: for example, a regionally-isolated cluster that's approved for PII. Opaque transforms (UDFs that take PII in and emit derived non-PII out) must run with network=NO_NETWORK so they can't exfiltrate. Together these cover the "processing PII without leaking PII" case.

dim_users.spec.yaml · the shipped annotationYAML
dataset: dim_users owner: analytics_oncall ${N.dataProjectAcl}: corp_assets data_classification: pii_secure columns: - name: employee_email actors: [${N.canonicalEmployee}] - name: account_id actors: [${N.canonicalEmployee}] - name: manager_unixname actors: [${N.canonicalEmployee}] - name: event_type # non-PII, no actor required transforms: - name: hash_account_id kind: opaque network: NO_NETWORK # can't exfiltrate PII` }} />
Shipping a dbt without actor annotations. The deploy fails. You'll be tempted to find a workaround. There is no workaround. Annotate the columns.`, `Opaque transforms without network=NO_NETWORK. A UDF that touches PII AND has network access is an exfil path. The audit team will find it.`, `Catch-all ACL groups. eng_everyone on a PII dataset is not governance. Scope the ${N.dataProjectAcl} to the project that needs it.`, `Mislabelling contingent-worker columns as employees. Retention windows differ. This is a compliance bug, not a bug.`, ]} /> Every PII column gets a ${N.canonicalEmployee} / ${N.canonicalApp} / ${N.canonicalCW} actor. No exceptions, no "we'll add it later."`, "Opaque transforms on PII are network-isolated by default. If you need the network, re-architect so PII never touches that transform.", "ACLs scoped per-project, never per-team. Teams reorg; projects don't. A per-project ACL survives reorgs and reads cleanly.", `Policy Zones for region-restricted data. EU-only data gets a EU-only zone; the column literally can't be read outside that compute environment.`, ]} /> Privacy isn't an audit step. It's the deploy gate. ${N.access_gateway} refuses before the warehouse ever sees the column.`, `Three actors cover >95% of PII. ${N.canonicalEmployee}, ${N.canonicalApp}, ${N.canonicalCW}. Know which applies; annotate.`, "The dbt is the legal document. Version it like code. Review it like a contract.", ]} /> ); } window.Ch8_Govern = Ch8_Govern;