Control Plane

Orchestrate Your Data Platform

Centralized management for clusters, security policies, resource allocation, and operational workflows. The mission control for your Delta Lake infrastructure.

Unified catalog & metadata
Policy-driven governance
Multi-tenant resource management
[Architecture diagram: Control Plane (Catalog: schemas, tables; Identity: users, roles; Policies: RBAC, masking; Credentials: keys, secrets); Management API (REST / gRPC / GUI); Auth Providers (LDAP / OIDC, SAML / OAuth2); Compute Workers (Node 1, Node 2, Node 3, Node N); Your Storage, Bring Your Own (S3 / ADLS, Delta Tables, Parquet Files); Tenants: Acme, HealthCorp, FinServ]

Unified Catalog

Single source of truth for all data assets

๐Ÿข

Catalog

Top-level namespace, typically representing a business unit or environment.

production, development, analytics
↓

Schema

Logical grouping of related tables and views.

sales, inventory, customers, events
↓

Table / View

Data objects with schema, partitioning, and properties.

orders, products, daily_summary
↓

Column

Fields with types, constraints, and metadata.

order_id INT, created_at TIMESTAMP

Policy-Based Security

Centralized security policy management

Access Policies

Fine-grained permissions on catalog objects.

  • Table-level GRANT/REVOKE
  • Column-level permissions
  • Row-level security filters
  • Schema-level defaults
GRANT SELECT ON TABLE sales.orders TO ROLE analyst

Data Policies

Automatic data governance enforcement.

  • Column masking rules
  • PII detection and handling
  • Data classification tags
  • Retention policies
CREATE MASKING POLICY mask_ssn AS (ssn VARCHAR) RETURNS VARCHAR
BODY =
  CASE
    WHEN CURRENT_ROLE() IN ('data_admin') THEN ssn
    ELSE '***-**-' || RIGHT(ssn, 4)
  END

Row-Level Security

Filter rows automatically based on user context.

  • Regional data isolation
  • Multi-tenant filtering
  • Role-based row access
  • Session context policies
CREATE ROW ACCESS POLICY regional_access AS (region VARCHAR) RETURNS BOOLEAN
BODY =
  CASE
    WHEN CURRENT_ROLE() IN ('sales_national') THEN TRUE
    WHEN CURRENT_ROLE() = 'sales_north' AND region = 'North' THEN TRUE
    ELSE FALSE
  END

Storage Credentials

Secure access to cloud storage and external data.

  • AWS IAM role assumption
  • Azure managed identity
  • GCS service accounts
  • Credential rotation
CREATE STORAGE CREDENTIAL aws_prod
  TYPE AWS_IAM_ROLE
  OPTIONS (role_arn = 'arn:aws:iam::123456789012:role/DeltaForgeAccess')

Resource Management

Allocate and control compute resources


Compute Pools

Isolated compute environments with dedicated resources.

  • T-shirt sizing (S, M, L, XL)
  • Auto-scaling policies
  • Min/max node counts
  • Spot instance support

Resource Monitors

Track and limit resource consumption.

  • Credit/cost budgets
  • Query time limits
  • Memory quotas
  • Concurrent query limits

Workload Management

Prioritize and route queries intelligently.

  • Query classification
  • Priority queues
  • Admission control
  • Timeout policies

Usage Analytics

Understand resource utilization patterns.

  • Query history
  • Resource attribution
  • Cost allocation
  • Optimization recommendations

Identity & Access Management

Enterprise-grade user and role management

Users

Individual identities with authentication credentials.

  • Local users with password auth
  • SAML/SSO integration
  • LDAP/Active Directory sync
  • Service accounts for automation
→

Roles

Named collections of privileges.

  • Built-in roles (ADMIN, ANALYST, etc.)
  • Custom role creation
  • Role hierarchy with inheritance
  • Database roles vs account roles
→

Privileges

Specific permissions on objects.

  • Object privileges (SELECT, INSERT, etc.)
  • Schema privileges (CREATE, USAGE)
  • Account privileges (CREATE DATABASE)
  • Future grants for new objects
Role-Based Access Control Example
-- Create a role hierarchy
CREATE ROLE data_reader;
CREATE ROLE data_analyst;
CREATE ROLE data_engineer;

-- Grant privileges to roles
GRANT USAGE ON SCHEMA analytics TO ROLE data_reader;
GRANT SELECT ON ALL TABLES IN SCHEMA analytics TO ROLE data_reader;

GRANT ROLE data_reader TO ROLE data_analyst;
GRANT CREATE VIEW ON SCHEMA analytics TO ROLE data_analyst;

GRANT ROLE data_analyst TO ROLE data_engineer;
GRANT CREATE TABLE, INSERT, UPDATE ON SCHEMA analytics TO ROLE data_engineer;

-- Assign roles to users
GRANT ROLE data_analyst TO USER alice;
GRANT ROLE data_engineer TO USER bob;

-- Future grants for new tables
GRANT SELECT ON FUTURE TABLES IN SCHEMA analytics TO ROLE data_reader;
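
Because roles in the hierarchy above inherit from one another, an access review has to look at each user's effective privileges rather than the direct grants alone. The sketch below is an added example, not the product's own code: it resolves the effective set for the sample grants, and its table layout and function names are hypothetical.

```python
# Added example; grant tables restate the page's GRANT statements. How
# inheritance is evaluated here is an assumption, not the product's code.
# role -> roles granted to it (it inherits their privileges)
ROLE_GRANTS = {
    "data_analyst": {"data_reader"},
    "data_engineer": {"data_analyst"},
}
# role -> (privilege, object) pairs granted directly
DIRECT_PRIVS = {
    "data_reader": {("USAGE", "SCHEMA analytics"),
                    ("SELECT", "ALL TABLES IN SCHEMA analytics"),
                    ("SELECT", "FUTURE TABLES IN SCHEMA analytics")},
    "data_analyst": {("CREATE VIEW", "SCHEMA analytics")},
    "data_engineer": {("CREATE TABLE", "SCHEMA analytics"),
                      ("INSERT", "SCHEMA analytics"),
                      ("UPDATE", "SCHEMA analytics")},
}
USER_ROLES = {"alice": {"data_analyst"}, "bob": {"data_engineer"}}


def expand_roles(roles, role_grants=ROLE_GRANTS):
    """Return the given roles plus every role reachable through grants."""
    seen, stack = set(), list(roles)
    while stack:
        role = stack.pop()
        if role in seen:  # also terminates on cyclic role grants
            continue
        seen.add(role)
        stack.extend(role_grants.get(role, ()))
    return seen


def effective_privileges(user):
    """Union of direct privileges over all roles the user holds or inherits."""
    privs = set()
    for role in expand_roles(USER_ROLES.get(user, ())):
        privs |= DIRECT_PRIVS.get(role, set())
    return privs


def holders_of(privilege):
    """Users whose effective set contains the privilege on any object."""
    return sorted(u for u in USER_ROLES
                  if any(p == privilege for p, _ in effective_privileges(u)))


if __name__ == "__main__":
    for user in sorted(USER_ROLES):
        print(user, sorted(effective_privileges(user)))
```

Running `holders_of` for a write privilege such as `INSERT` gives a quick least-privilege check after any change to the role hierarchy.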

Credential Store

Secure management of external system credentials

Cloud Storage

  • AWS IAM Role / Access Keys
  • Azure Service Principal
  • GCP Service Account
  • S3-compatible endpoints

Databases

  • PostgreSQL credentials
  • MySQL credentials
  • Oracle credentials
  • SQL Server credentials

APIs & Services

  • REST API tokens
  • OAuth client credentials
  • Kafka SASL credentials
  • SMTP credentials

Security Features

  • Encryption at rest (AES-256)
  • Automatic rotation support
  • Secret versioning
  • Audit logging of access

Operational Automation

Schedule and manage maintenance tasks


Scheduled Tasks

Cron-style scheduling for recurring operations.

  • SQL task execution
  • Stored procedure calls
  • Dependency chains
  • Failure notifications

Table Maintenance

Automated optimization and cleanup.

  • Scheduled OPTIMIZE
  • Periodic VACUUM
  • Statistics refresh
  • Retention enforcement

Backup & Recovery

Data protection and disaster recovery.

  • Catalog backup
  • Point-in-time restore
  • Cross-region replication
  • DR failover

Monitoring

Health checks and alerting.

  • System health metrics
  • Query performance alerts
  • Storage utilization
  • Error rate monitoring

Multi-Tenancy Architecture

Isolate workloads while sharing infrastructure

Account Level

Complete isolation with separate credentials, billing, and administration.

  • Dedicated account admins
  • Separate billing
  • Independent security policies
  • Cross-account data sharing

Database Level

Logical separation within an account with shared compute.

  • Database-level permissions
  • Shared compute pools
  • Database quotas
  • Schema-level isolation

Warehouse Level

Compute isolation with shared data access.

  • Dedicated compute resources
  • Workload isolation
  • Independent scaling
  • Resource attribution

Take control of your data platform

Enterprise management for the modern lakehouse.