Business-Driven Approach to Sigma Access Control

For data-driven organizations, properly managing user access to analytics platforms is essential to safeguard sensitive information and maintain governance standards. At our data platform services company, we implemented robust Sigma access control to ensure that only authorized users could access specific data folders and reports. Our goal was to create a scalable, maintainable, and business-aligned permission structure that could grow alongside the company's needs, supporting teams such as sales, finance, and marketing. Folder-level access and granular permission settings played a critical role in protecting confidential data and fostering efficient collaboration across business units while following data governance best practices.

Proposed Access Control 

Access Control Implementation Insights and Challenges

During the implementation of Sigma access control, we encountered a series of real-world challenges that shaped our strategy:

Dual-Factor Model: Permission Sets and Teams

Sigma’s access control hinges on two primary components: permission sets (linked to account types) and team-based membership. Permission sets define what a user can do (view, interact, analyze, build, or administer), while teams group users to collectively manage access to folders and workspaces.

Mapping Business Roles to Sigma Permissions (Account type)

We discovered that properly mapping business roles, such as sales viewers, explorers, and creators, to Sigma’s default (View, Act, Analyze, Build, Admin) and custom account types was crucial. Each user could only belong to one account type at a time, so moving a user to a new account type automatically revoked their previous permissions. Meanwhile, team membership is - users could belong to multiple teams (e.g., sales, finance, marketing), inheriting access to multiple relevant workspaces.

Team-Based Folders Access Strategy

To achieve fine-grained control, we created specific teams for each workspace: for example, within the sales workspace, we defined “Sales Viewer,” “Sales Explorer,” and “Sales Creator” teams, corresponding to increasing levels of functionality. This setup allowed us to align user capabilities with their job responsibilities, mitigating the risk of excessive permissions through structured Sigma access control.

Validation Processes

An initial audit revealed fragmentation: some reports and workspaces were shared with users directly, and some reports are exposed via general sharing link features, making access patterns difficult to track. To remediate this, we pulled dashboard usage reports, identified users who accessed the reports in the last 60–90 days, and coordinated with respective business leads/PMs to validate and reassign users to the right teams and permission levels. These validation steps are part of ongoing data governance best practices.

Connection-Level Access Control

In addition to folder and workspace permissions, implementing connection-level Sigma access control was a key part of our Sigma access governance strategy. For example, the Sales team, including the Sales Viewer, Sales Explorer, and Sales Creator, was granted access only to the Sales connection within Sigma. This connection-level restriction ensured that Sales users could query data exclusively from the Sales department schema in Snowflake, preventing access to unrelated data sources or schemas. By aligning connection-level permissions with team roles, we added an important security boundary that complements folder-level controls and reinforces data segregation by department. This approach not only enhances data governance but also simplifies auditing, as it clearly defines where each team’s data access begins and ends, mitigating risks of unauthorized cross-departmental data exposure.

Addressing rollback and Change Management

Mistakes inevitably happen; sometimes, folder-level permissions were misapplied or overlooked. To manage this, we leveraged Sigma’s audit logs, allowing us to trace changes and efficiently roll back to previous permission states when problems were discovered. This capability was critical for resolving issues without disrupting business operations.

Auditing the Access Every Three Months

Regularly auditing access rights in Sigma, ideally every three months, is essential for ongoing security and governance. By reviewing user, team, and report/workspace permissions on a quarterly basis, administrators can discover if any other admin has granted individual users direct access to reports or workspaces, potentially circumventing team-based controls. This process follows industry-recognized data governance best practices and also uncovers instances where developers might enable general sharing links without business justification, which could inadvertently expose sensitive data. Additionally, audits reveal when new workspaces have been created and which users, especially those with Developer or Admin roles, have been assigned access. Such reviews are especially important after business tickets or requests that might require temporary exceptions. By conducting these regular audits in Sigma, organizations ensure all permissions remain purposeful and aligned with current business needs, while also creating opportunities to correct unauthorized or unnecessary access and tighten security across the environment.

Best Practices and Lessons Learned as a Data Platform Services Provider

Having completed the project, several best practices have emerged that every data platform services company should consider when implementing Sigma access control:

• Begin with a thorough audit: Document all users, teams, reports, and folder access before making changes. Understanding existing sharing patterns is essential to prevent accidental loss of access or data exposure.
• Establish a clear naming convention: Consistent team names (e.g., Sales Viewer, Finance Creator) reduce confusion and streamline future administration.
• Leverage team-based access control: Assign permissions through teams rather than to individuals whenever possible. This makes onboarding, offboarding, and permission updates more efficient.
• Integrate with identity providers: We synced Sigma with Okta, allowing IT teams to create and manage users, teams, and permissions centrally through SSO, minimizing administrative overhead.
• Validate with business units: Ensure team membership and access needs are regularly validated with business stakeholders to align technical controls with actual operational requirements.
• Utilize Sigma’s audit and reporting features: Regularly review audit logs and usage reports to monitor access changes and swiftly identify any misconfigurations.

The combination of permission sets and team-based folder access in Sigma, when carefully planned and managed, provides an effective foundation for secure, business-aligned analytics environments. By applying Sigma access control alongside proven data governance best practices, organizations can ensure security, scalability, and compliance as data needs evolve.