Get Started
Data
Analytics
Session Replay
Feature Experiment Web Experiment
Admin
SDKs APIs
Partners
FAQ
Overview of Amplitude Data Getting set up with Amplitude Data Autocapture Visual Labeling Data structure video walkthrough Debug with the Amplitude Chrome extension Manage your Amplitude Data settings Data backfill
Plan your taxonomy Planning and instrumentation workflow Create a tracking plan Work with branches Ampli and developer tools Monitor your data with observe Protect your schema from unexpected data Integrate Jira with Amplitude Data Manage access to sensitive data with Data Access Control
About user properties and event properties Event and property descriptions Event and property display names Event categorization Set an event's activity status Property types IP address and location properties Override a property definition Revert an overridden property definition Using property groups Cross-project analysis with Portfolios
Organize your tracking plan with Data Assistant Remove invalid or incorrect data Block bot web traffic Change the description of an event or property Fix your data with transformations Time to Live (TTL)
Custom events Object management Derived properties Lookup Tables Channels
Warehouse-native Amplitude: Overview Build a warehouse-native data model Warehouse-native Amplitude: Best Practices Warehouse-native Bulk Model Management Warehouse-native DBT Integration
Amplitude Audiences overview
Sync to third-party destinations
Data
/

Manage access to sensitive data with Data Access Control

This article helps you:

  • Easily prevent users from accessing sensitive or restricted information in Amplitude

Enterprise-level organizations often collect data that can include revenue data, personally identifiable information (PII), and other sensitive information. Amplitude’s data access control (DAC) feature enables these organizations to easily manage access to these categories of data, in a way that prevents unauthorized users from gaining access to it, and that helps prevent the data from inadvertently leaking out.

Feature availability

Data Access Control is available to organizations on the Enterprise plan.

Data Access Controls

DAC works within Amplitude’s Groups framework. Admins grant or restrict access to PII, revenue data, and sensitive information to all members of a group. From there, they can add or remove users from these groups as access requirements change, either on an individual or organizational level.

For example, when an unauthorized user tries to view a chart that includes restricted information, Amplitude blocks the chart from loading on the user’s screen. Those users are also unable to create new charts that might include restricted data. This is true not only for charts, but also for cohorts, dashboards, notebooks, and user sessions.

Note

Organization admins always have access to all data classifications, regardless of any DAC restrictions.

When a user encounters a chart they can't view because of the presence of restricted data, Amplitude specifies the properties or cohorts DAC has blocked.

chart_with_pii.png

They can then exclude the restricted data and view the chart (or cohort, dashboard, notebook, or user session) without it.

With DAC enabled, Amplitude hides properties that you classify from the Event Stream and User or Account lookup pages. When your project's users encounter classified data, Amplitude displays the value as [DAC Restricted].

The same restrictions apply to Ask Amplitude.

Set access for specific categories of sensitive data

Setting access levels is a two-stage process. First, classify your data. When that’s complete, you can set up permissions.

Note

DAC applies only to properties. It doesn’t apply to definitions or metadata.

Classify properties

  1. In Amplitude Data, navigate to Properties and select the tab that contains the properties you want to classify. DAC enables you to classify User, Event, and Group properties in your tracking plan with the exception of Amplitude ID, Version, Platform, Group ID, and Group name.
  2. Click the name of the property you’re interested in. You can manage event, user, and group properties directly; derived properties inherit all the classifications of their parent properties.
  3. In the details panel that opens, click the Classification drop-down and select all relevant classifications for this property. Then click Send.
  4. Repeat steps 2 and 3 for each property you want to classify.

Classifying the User ID property

If you classify user_id, users without access to that classification can't use Event Explorer.

Set up permissions

  1. Navigate to Settings > Organization settings > Groups and click the name of the group you’re interested in. You can also create a new group.
  2. Open the group’s Data Access tab. All three controllable classifications are visible here: PII, revenue, and sensitive.
  3. For each classification, select Yes to allow members of the group to view this data, or No to deny them access.
  4. When you’re done, click Save.

Overview page

Note

This page is available to users with the Administrator role.

Navigate to Organization Settings > Data Access Controls to see the Data Access Controls overview page. There, find information about the following:

  • The number of groups with access to data classified as PII, Sensitive, or Revenue.
  • The number of users who have access to data classified as PII, Sensitive, or Revenue.
  • All event, user, and group properties classified as PII, Sensitive, or Revenue.

Drill in to any cell in the table for a detailed view where you can see the specific users or groups with access to each classification, or more detailed information about the properties in each classification.

Update user and group access from the Overview page, or navigate to Data to update any property classification.

Use the project switcher to see classifications for each project, and click Classify Data to open that project's tracking plan, where you can manually classify properties.

To customize the error message that your internal users see when they try to access a restricted chart or cohort, click Customize Restricted Access Message. On the resulting modal, edit the error message and include any links to internal documentation that may be helpful.

Note

When you customize the restricted message, the message applies to your organization, not just the project.

Notifications

Users who navigate to a restricted chart or cohort have the option to contact an administrator in their organization to request access. Amplitude sends this request to all organization administrators.

Turn off access request notifications

Administrators can deselect the Someone requests access to a property classified by Data Access Controls notification in Personal Settings > Notifications to opt out of these notifications.

Exports and subscriptions

DAC enforcement applies to all exports and subscriptions in Amplitude. This means:

  • If a user clicks Download Users from the microscope in a chart, the CSV export excludes properties with classifications they can't access.
  • If a user tries to export a CSV from a dashboard, the export excludes charts they can't access.
  • If a user tries to export a PDF or PNG from a dashboard, the export obfuscates charts and cohorts they can't access.
  • If a user tries to subscribe to a chart they can't access, Amplitude cancels the subscription and the user doesn't get a notification or email.
  • If a user tries to subscribe to or create alerts for a dashboard, the email obfuscates the charts and cohorts they can't access.

Manage classifications with the Taxonomy API

The Taxonomy API enables you to manage classifications for all your properties, at scale.

Was this page helpful?

Thanks for your feedback!

September 12th, 2024

Need help? Contact Support

Visit Amplitude.com

Have a look at the Amplitude Blog

Learn more at Amplitude Academy

Terms of Service Privacy Notice Acceptable Use Policy Legal

© 2024 Amplitude, Inc. All rights reserved. Amplitude is a registered trademark of Amplitude, Inc.