Interactive Authorization Explorer

This explorer walks the full authorization graph: pick the platform a request comes from, choose who’s asking, and follow the request hop by hop with the identity, token, and permission check at each step. It covers the same model as the request lifecycle, in a form you can click through during a security review.

Authorization Flow

From an integration request to data in the warehouse. Pick who’s asking and watch what they can see.

Audience · depth

ExecutiveUserLegalSecurity

Acting as (role)

Viewer

Signed in via

U2M — SSO / interactive

−100%+Fit

Incoming request from

SlackClaude / Codex pluginMCP

Slack verifies the request signature, exchanges a per-user OAuth token, and goes through a published agent. It does not call tools or the API directly.

can enter atpublished agenttoolsAPIs

Signs in as themselves

Their own Alation account, not a shared bot

Proven identity travels

Slack can enter any of these

Published agent

the agent picks the tools

Tool directly

not used by Slack

REST API

not used by Slack

all paths converge on the agent’s tools

The agent’s tools

a fixed set chosen by the agent’s author

Path A · in Alation

Reads data in Alation

metadata, lineage, samples

Catalog data returned

metadata, lineage, samples · never leaves Alation

Path B · to the warehouse

Queries a data product

a governed gateway to the warehouse

data-product role

identity changes hands

Warehouse query

as you

What a Viewer can see

Entry · agent & tools

Agents

Can only USE agents others published — cannot create or publish.

Viewer/Explorer = consume only

Tools

Can run whatever tools the author configured — cannot change them.

tools are fixed per agent

Path A · data in Alationmetadata · stays in Alation

Catalog data (metadata, lineage, samples)

Viewer-scoped catalog data via permission grants.

governed by your ROLE + catalog grants · never leaves Alation

Path B · data product → warehousereal rows & columns

Reach the data product

Allowed where you hold a grant (per person/group or shared-with-everyone).

governed by per-object sharing, not role

Actual rows & columns

You reach the warehouse with your OWN database credential, so its native row/column security applies.

default — each person uses their own credential

One agent, two data paths. Path A reads data that lives in Alation (metadata), guarded by your role & grants. Path B goes through a data product to the real warehouse, and only that path crosses the ⚠ identity boundary.

Data product support & credentials

Each person who uses Data Product Chat or an agent connects with their own account on the underlying database, and needs read access to the relevant tables. Docs ↗

Pick the data source

SnowflakeGoogle BigQueryAmazon RedshiftDatabricks Unity CatalogPostgreSQLSQL ServerSAP HANATeradata

Snowflake — supported auth for Chat

Snowflake SSO (OAuth 2.0)

Key pair

Each user authenticates with their own account on Snowflake.

Which identity runs the query?

Agents and Chat with Data work the same way.

Has this person connected their own account for the data product?

Set up in the Data Products UI, where the user connects their own account to the data product.

yesno

Answer the question(s) above to see which identity runs the query.