Governance
Per-connector access, teams, and cost centers.
The Governance section in a project is where you manage who has access to connected data. It covers three things: individual user access, team-based groups, and cost centers for tracking usage.
The Governance page
Each connector in a project has its own Access Management landing page — Governance is scoped per connector, not per project. From the project sidebar, open Governance and select the connector you want to manage.
Governance is a toggleable module. If your deployment hasn't enabled it, the Governance entry won't appear in the sidebar — that's a configuration choice, not a permissions problem.
Once inside a connector's governance area, you'll see three options:
| Option | What it's for |
|---|---|
| Users | Manage individual user access and onboarding. |
| Teams | Organize users into groups and manage team-based access. |
| Cost Centers | Track and tag usage for billing attribution. |
Two of these behave a little differently than the per-connector framing suggests — Teams are stored as "groups" internally, and Cost Centers are project-scoped. More on both below.
Users
Grant or revoke specific users access to the connector. Onboarding a user runs through the provider-side integration (for Databricks-backed connectors, it creates the underlying group memberships and SQL warehouse access as configured).
Teams
Create named teams, add users to them, and manage the team's access rather than each individual. This is the scalable pattern once you have more than a handful of users on a connector.
Internally, teams are stored as groups — so some screens and URLs use the word "groups" for exactly the same thing. They're interchangeable.
Cost Centers
Cost centers are tags that map usage back to a budgeting or billing owner — useful for chargeback models or internal budget tracking.
Unlike Users and Teams, cost centers are project-scoped, not per-connector. They live at the project level and apply across every connector in the project, so you define them once and attribute usage from anywhere in that project.
Relationship to project-level permissions
Governance (access management) is about who can read what data through a specific connector. Project roles (Project Administrator / Project User, see Users and permissions) are about who can change project configuration. They're complementary:
- A user with Project User role + no Governance access → they're in the project but can't see any data.
- A user with Project User role + Governance access to one connector → they can query that connector's data but can't edit pipelines.
Secrets
Connector credentials — API keys, connection passwords, OAuth tokens — are encrypted at rest on the backend. You can rotate them from the connector configuration page, but you can't read them back in plaintext.
SSO and Azure AD
For SaaS-hosted Databasin, login is via Azure AD / Microsoft Entra ID. Self-install deployments authenticate through Auth0 instead.