Build a hierarchy of data classes that makes sense for your business.
First, consider what kinds of data the organization processes. Usually
there are a small number of data classes managed by an organization. For
example, an organization could have data classes such as:
- PII data
- Financial data
- Customer order history
A single data class can be applied to multiple data columns using a policy tag.
You should leverage this level of abstraction to efficiently manage many columns
with only a few policy tags.
Second, consider whether there are groups of people who need different access to
different data classes. For example, one group needs access to
business-sensitive data such as revenues and customer history. Another group needs access
to personally identifiable data (PII) like phone numbers and addresses.
Keep in mind that you can group policy tags together in a tree. Sometimes it is
helpful to create a root policy tag that contains all of the other policy tags.
The following figure shows an example taxonomy. This hierarchy groups all data
types into three top-level policy tags: High, Medium, and Low.
Each of the top-level policy tags contains leaf policy tags. For example, the
High policy tag contains the Credit card, Government ID, and
Biometric policy tags. The Medium and Low policy tags similarly have leaf policy
tags.
This structure has several benefits:
- You can grant access to an entire group of policy tags at once. For example,
  you can grant the Data Catalog Fine Grained Reader role on
  the Low tier.
- You can move policy tags from one tier to another. For example, you can move
  Address from the Low tier to the Medium tier to further restrict its
  access, without needing to reclassify all Address columns.
  Note: You can move a policy tag only through the Data Catalog `PolicyTagManager.UpdatePolicyTag` method.
- With this fine-grained access, you can manage access to many columns by
  controlling only a small number of data classification policy tags.
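The two benefits above can be checked with a small offline model. This is an added example, not code from the BigQuery documentation, and it does not call the Data Catalog API; the `Taxonomy` class, the principals, and the column names are constructed for illustration.

```python
# Offline model of the example taxonomy; it does not call the Data Catalog API.
class Taxonomy:
    def __init__(self):
        self.parent = {}    # policy tag -> parent tag (None for a top-level tag)
        self.readers = {}   # policy tag -> principals granted Fine Grained Reader

    def add_tag(self, tag, parent=None):
        if parent is not None and parent not in self.parent:
            raise KeyError(f"unknown parent tag: {parent}")
        self.parent[tag] = parent
        self.readers[tag] = set()

    def grant_reader(self, tag, principal):
        self.readers[tag].add(principal)

    def move(self, tag, new_parent):
        node = new_parent
        while node is not None:          # refuse a move that would create a cycle
            if node == tag:
                raise ValueError("a tag cannot be moved under itself")
            node = self.parent[node]
        self.parent[tag] = new_parent

    def can_read(self, principal, tag):
        node = tag
        while node is not None:          # a grant on any ancestor covers the leaf
            if principal in self.readers[node]:
                return True
            node = self.parent[node]
        return False

def build_example():
    tax = Taxonomy()
    for tier in ("High", "Medium", "Low"):
        tax.add_tag(tier)
    for leaf in ("Credit card", "Government ID", "Biometric"):
        tax.add_tag(leaf, "High")
    tax.add_tag("Address", "Low")
    tax.grant_reader("Low", "group:support")      # constructed principals
    tax.grant_reader("Medium", "group:analysts")
    # Constructed column -> policy tag assignments; the move never edits these.
    columns = {"customers.address": "Address", "shipping.address": "Address",
               "payments.card_number": "Credit card"}
    return tax, columns

def readable(tax, columns, principal):
    return sorted(c for c, tag in columns.items() if tax.can_read(principal, tag))

if __name__ == "__main__":
    tax, columns = build_example()
    print(readable(tax, columns, "group:support"))   # both Address columns
    tax.move("Address", "Medium")
    print(readable(tax, columns, "group:support"))   # no columns
```

After the move, the group granted on the Low tier loses both Address columns and the group granted on Medium gains them, while the column-to-tag assignments stay untouched.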
For more information about policy tags in BigQuery, see:
- [Introduction to column-level access control](/bigquery/docs/column-level-security-intro)
- [Restricting access with column-level access control](/bigquery/docs/column-level-security)
- [Introduction to dynamic data masking](/bigquery/docs/column-data-masking-intro)
- [Mask column data by user role](/bigquery/docs/column-data-masking)

Last updated 2025-08-25 UTC.