CONCEPT Cited by 1 source
Project-level access control
Project-level access control is the practice of managing permissions at the granularity of a logical project (a container of related assets) rather than at the level of individual assets. It responds to the observation that per-asset ACLs don't scale with organizational fluidity.
Problem it solves
At Netflix's scale (millions of data warehouse tables, each with its own ACL), two failure modes emerged when organizations restructured:
- Support flood — mass requests to update table permissions across hundreds of assets per team transition.
- Permission explosion — teams open access far too broadly ("just give everyone access") to avoid the maintenance burden, defeating the purpose of ACLs entirely.
How it works
Instead of N ACLs for N tables, permissions are defined once at the project level using role-based grants:
- Identity types: users, groups, applications, CI jobs
- Roles: Contributor (read/write), Viewer (read-only)
- Update pattern: on reorg, update one project grant instead of hundreds of asset ACLs
(Source: sources/2026-06-19-netflix-data-projects-managing-data-assets-at-netflix-scale)
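The model above, sketched as an added example (not code from Netflix or from the cited source): an authorizer resolves an asset to its project, expands the caller into its groups, and checks the project grant. The class names, the `user:`/`group:`/`app:`/`ci:` principal prefixes and all sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

# Roles from the page: Contributor (read/write), Viewer (read-only).
ROLE_ACTIONS = {"Contributor": {"read", "write"}, "Viewer": {"read"}}

@dataclass
class Project:
    name: str
    assets: set
    grants: dict = field(default_factory=dict)  # principal -> role

class Authorizer:
    def __init__(self, group_members):
        self.group_members = group_members  # group -> set of member identities
        self.projects, self.asset_to_project = {}, {}

    def add_project(self, project):
        self.projects[project.name] = project
        for asset in project.assets:
            self.asset_to_project[asset] = project.name

    def principals_for(self, identity):
        # An identity acts as itself plus every group that lists it as a member.
        groups = {g for g, m in self.group_members.items() if identity in m}
        return {identity} | groups

    def is_allowed(self, identity, action, asset):
        name = self.asset_to_project.get(asset)
        if name is None:
            return False  # default deny: asset belongs to no project
        grants = self.projects[name].grants
        roles = (grants.get(p) for p in self.principals_for(identity))
        return any(action in ROLE_ACTIONS.get(r, ()) for r in roles)

def demo():
    # Constructed sample data: one project holding 300 tables.
    groups = {"group:growth-eng": {"user:ana", "ci:nightly-etl"},
              "group:ads-eng": {"user:bo"}}
    authz = Authorizer(groups)
    tables = {f"table:growth.t{i}" for i in range(300)}
    authz.add_project(Project("growth-metrics", tables,
        {"group:growth-eng": "Contributor", "app:dashboard": "Viewer"}))
    t = "table:growth.t7"
    before = (authz.is_allowed("user:ana", "write", t), authz.is_allowed("user:bo", "read", t))
    # Reorg: ownership moves to ads-eng. One grant edit covers all 300 tables.
    grants = authz.projects["growth-metrics"].grants
    grants["group:ads-eng"] = grants.pop("group:growth-eng")
    after = (authz.is_allowed("user:ana", "write", t), authz.is_allowed("user:bo", "write", t))
    return before, after
```

Moving the grant also revokes the old team's access in the same edit, which is the property that breaks down when hundreds of per-asset ACLs have to be updated by hand.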
Relationship to RBAC
Project-level access control is a specialized form of role-based access control (RBAC) where the resource boundary is the project container rather than individual resources. The key architectural decision is choosing the right granularity for the "resource" in your authorization model.