GovernOverview

Govern

Govern in SignalSmith provides the controls you need to manage who can access what data, where data can flow, and how your organization enforces compliance policies. It covers role-based access control, data flow restrictions, row-level data filtering, and multi-workspace management.

What Is Govern?

As your CDP usage grows — more team members, more destinations, more sensitive data — you need controls that go beyond simple authentication. SignalSmith’s Govern features let you:

  • Control access — Define who can see and modify which resources using roles and permissions
  • Mask sensitive data — Set column-level sensitivity labels that control PII visibility in previews, suggestions, and syncs
  • Restrict data flow — Set rules that prevent sensitive data from reaching unauthorized destinations
  • Filter data visibility — Create access filters that automatically apply row-level filters based on user group membership
  • Manage at scale — Organize multiple workspaces under a single organization with centralized member management

Govern Features

Role-Based Access Control (RBAC)

SignalSmith provides a fine-grained permission system with three built-in roles and 42 permissions across 14 resource categories. Permissions are additive — a member’s effective permissions are the union of their role’s permissions.

  • Owner — Full access to everything, including workspace management and billing
  • Admin — Full access to all resources except workspace deletion and ownership transfer
  • Member — Basic read and write access to operational resources (sources, models, syncs)

Learn more:

  • RBAC Overview — How the permission model works
  • Roles — Built-in role definitions and comparison
  • Permissions — Complete permission reference (42 permissions, 14 categories)
  • Groups — Organize members for easier management
  • Managing Members — Invite, modify, and remove members

PII Masking

PII masking provides column-level sensitivity controls that determine how personal data is exposed across the platform. Mark columns as redacted (masked in UI, syncable), sync-only (hidden in UI, syncable), or blocked (hidden everywhere, not syncable). Includes automatic PII detection by column name patterns and SHA256 hash-on-sync for ad platform audience matching.

See PII Masking for configuration details.

Destination Filters

Destination filters control which data can sync to which destinations and under what conditions. Use them to:

  • Block specific data from reaching certain destinations (e.g., prevent PII from syncing to advertising platforms)
  • Transform data before it leaves the warehouse (e.g., hash email addresses before syncing to ad platforms)
  • Rate limit sync frequency to specific destinations (e.g., limit syncs to a partner API to once per day)

See Destination Filters for configuration details.

Access Filters

Access Filters provide row-level access control. Define SQL filter conditions that automatically apply to all queries when a user belonging to a specific group accesses data. Use access filters to:

  • Restrict regional teams to their own data (e.g., “EMEA only” access filter)
  • Limit partner access to specific customer segments
  • Enforce data sovereignty requirements

See Access Filters for examples and configuration.

Organizations

Organizations let you manage multiple SignalSmith workspaces under a single umbrella. Centralize member management, apply consistent governance policies, and maintain visibility across all workspaces from a single admin view.

See Organizations for setup instructions.

How Govern Fits into the Platform

┌─────────────────────────────────────────────────────────────┐
│                       Organization                          │
│                                                             │
│  ┌─────────────────┐     ┌─────────────────┐               │
│  │   Workspace A   │     │   Workspace B   │               │
│  │                 │     │                 │               │
│  │  ┌───────────┐  │     │  ┌───────────┐  │               │
│  │  │   RBAC    │  │     │  │   RBAC    │  │               │
│  │  │  Roles &  │  │     │  │  Roles &  │  │               │
│  │  │  Groups   │  │     │  │  Groups   │  │               │
│  │  └───────────┘  │     │  └───────────┘  │               │
│  │  ┌───────────┐  │     │  ┌───────────┐  │               │
│  │  │  Access   │  │     │  │  Access   │  │               │
│  │  └───────────┘  │     │  └───────────┘  │               │
│  │  ┌───────────┐  │     │  ┌───────────┐  │               │
│  │  │Dest Filters │  │     │  │Dest Filters │  │               │
│  │  └───────────┘  │     │  └───────────┘  │               │
│  └─────────────────┘     └─────────────────┘               │
└─────────────────────────────────────────────────────────────┘

Govern features are workspace-scoped:

  • RBAC (roles, permissions, groups) applies within a workspace
  • Destination filters are defined per workspace
  • Access Filters are defined per workspace and assigned to groups
  • Organizations provide a cross-workspace management layer

API Reference

Govern resources are managed through the SignalSmith REST API:

# Destination Filters
GET    /api/v1/destination-rules
POST   /api/v1/destination-rules
PUT    /api/v1/destination-rules/{id}
DELETE /api/v1/destination-rules/{id}
 
# Access Filters
GET    /api/v1/subsets
POST   /api/v1/subsets
PUT    /api/v1/subsets/{id}
DELETE /api/v1/subsets/{id}
 
# Groups
GET    /api/v1/groups
POST   /api/v1/groups
PUT    /api/v1/groups/{id}
DELETE /api/v1/groups/{id}
 
# Members
GET    /api/v1/members
POST   /api/v1/members/invite
PUT    /api/v1/members/{id}
DELETE /api/v1/members/{id}
 
# Organizations
GET    /api/v1/organizations
POST   /api/v1/organizations
PUT    /api/v1/organizations/{id}

See the API Reference for full request/response schemas.

Best Practices

  • Start with least privilege — Assign the Member role by default and escalate to Admin or Owner only when needed.
  • Use groups for team management — Instead of managing permissions per user, create groups that map to your team structure and assign access filters and roles at the group level.
  • Layer destination filters early — Set up destination filters before connecting sensitive destinations. It’s easier to relax restrictions later than to discover sensitive data was already synced.
  • Document your governance model — Keep a record of which groups exist, what access filters they have, and why. This helps with compliance audits and onboarding new team members.
  • Review access regularly — Periodically audit member lists, role assignments, and destination filters to ensure they still reflect your organization’s needs.

Next Steps

Audience OverlapPII Masking