Roles
DataHub provides the ability to use Roles to manage permissions.
Roles Setup, Prerequisites, and Permissions
The out-of-the-box Roles represent the most common types of DataHub users. Currently, the supported Roles are Admin, Editor and Reader.
| Role Name | Description |
|---|---|
| Admin | Can do everything on the platform. |
| Editor | Can read and edit all metadata. Cannot take administrative actions. |
| Reader | Can read all metadata. Cannot edit anything by default, or take administrative actions. |
Using Roles
Viewing Roles
You can view the list of existing Roles under Settings > Permissions > Roles. You can click into a Role to see details about it, like which users have that Role, and which Policies correspond to that Role.
Assigning Roles
Roles can be assigned in two different ways.
Assigning a New Role to a Single User
If you go to Settings > Users & Groups > Users, you will be able to view your full list of users, as well as which Role they are currently assigned to, including if they don't have a Role.
You can simply assign a new Role to a user by clicking on the drop-down that appears on their row and selecting the desired Role.
Batch Assigning a Role
When viewing the full list of roles at Settings > Permissions > Roles, you will notice that each role has an Add Users button next to it. Clicking this button will
lead you to a search box where you can search through your users, and select which users you would like to assign this role to.
How do Roles interact with Policies?
Roles actually use Policies under-the-hood, and come prepackaged with corresponding policies to control what a Role can do, which you can view in the Policies tab. Note that these Role-specific policies cannot be changed. You can find the full list of policies corresponding to each Role at the bottom of this file.
If you would like to have finer control over what a user on your DataHub instance can do, the Roles system interfaces cleanly with the Policies system. For example, if you would like to give a user a Reader role, but also allow them to edit metadata for certain domains, you can add a policy that will allow them to do. Note that adding a policy like this will only add to what a user can do in DataHub.
Role Privileges
Self-Hosted DataHub and Managed DataHub
These privileges are common to both Self-Hosted DataHub and Managed DataHub.
Platform Privileges
| Privilege | Admin | Editor | Reader | Description |
|---|---|---|---|---|
| Generate Personal Access Tokens | ✔️ | ✔️ | ❌ | Generate personal access tokens for use with DataHub APIs. |
| Manage Domains | ✔️ | ✔️ | ❌ | Create and remove Asset Domains. |
| Manage Home Page Posts | ✔️ | ✔️ | ❌ | Create and delete home page posts |
| Manage Glossaries | ✔️ | ✔️ | ❌ | Create, edit, and remove Glossary Entities |
| Manage Tags | ✔️ | ✔️ | ❌ | Create and remove Tags. |
| Manage Business Attribute | ✔️ | ✔️ | ❌ | Create, update, delete Business Attribute |
| Manage Documentation Forms | ✔️ | ✔️ | ❌ | Manage forms assigned to assets to assist in documentation efforts. |
| Manage Policies | ✔️ | ❌ | ❌ | Create and remove access control policies. Be careful - Actors with this privilege are effectively super users. |
| Manage Metadata Ingestion | ✔️ | ❌ | ❌ | Create, remove, and update Metadata Ingestion sources. |
| Manage Secrets | ✔️ | ❌ | ❌ | Create & remove Secrets stored inside DataHub. |
| Manage Users & Groups | ✔️ | ❌ | ❌ | Create, remove, and update users and groups on DataHub. |
| View Analytics | ✔️ | ❌ | ❌ | View the DataHub analytics dashboard. |
| Manage All Access Tokens | ✔️ | ❌ | ❌ | Create, list and revoke access tokens on behalf of users in DataHub. Be careful - Actors with this privilege are effectively super users that can impersonate other users. |
| Manage User Credentials | ✔️ | ❌ | ❌ | Manage credentials for native DataHub users, including inviting new users and resetting passwords |
| Manage Public Views | ✔️ | ❌ | ❌ | Create, update, and delete any Public (shared) Views. |
| Manage Ownership Types | ✔️ | ❌ | ❌ | Create, update and delete Ownership Types. |
| Create Business Attribute | ✔️ | ❌ | ❌ | Create new Business Attribute. |
| Manage Connections | ✔️ | ❌ | ❌ | Manage connections to external DataHub platforms. |
| Restore Indices API | ✔️ | ❌ | ❌ | The ability to use the Restore Indices API. |
| Get Timeseries index sizes API | ✔️ | ❌ | ❌ | The ability to use the get Timeseries indices size API. |
| Truncate timeseries aspect index size API | ✔️ | ❌ | ❌ | The ability to use the API to truncate a timeseries index. |
| Get ES task status API | ✔️ | ❌ | ❌ | The ability to use the get task status API for an ElasticSearch task. |
| Enable/Disable Writeability API | ✔️ | ❌ | ❌ | The ability to enable or disable GMS writeability for data migrations. |
| Apply Retention API | ✔️ | ❌ | ❌ | The ability to apply retention using the API. |
| Analytics API access | ✔️ | ❌ | ❌ | API read access to raw analytics data. |
Metadata Privileges
| Privilege | Admin | Editor | Reader | Description |
|---|---|---|---|---|
| View Entity Page | ✔️ | ✔️ | ✔️ | The ability to view the entity page. |
| View Dataset Usage | ✔️ | ✔️ | ✔️ | The ability to access dataset usage information (includes usage statistics and queries). |
| View Dataset Profile | ✔️ | ✔️ | ✔️ | The ability to access dataset profile (snapshot statistics) |
| Edit Tags | ✔️ | ✔️ | ❌ | The ability to add and remove tags to an asset. |
| Edit Glossary Terms | ✔️ | ✔️ | ❌ | The ability to add and remove glossary terms to an asset. |
| Edit Description | ✔️ | ✔️ | ❌ | The ability to edit the description (documentation) of an entity. |
| Edit Links | ✔️ | ✔️ | ❌ | The ability to edit links associated with an entity. |
| Edit Status | ✔️ | ✔️ | ❌ | The ability to edit the status of an entity (soft deleted or not). |
| Edit Domain | ✔️ | ✔️ | ❌ | The ability to edit the Domain of an entity. |
| Edit Data Product | ✔️ | ✔️ | ❌ | The ability to edit the Data Product of an entity. |
| Edit Deprecation | ✔️ | ✔️ | ❌ | The ability to edit the Deprecation status of an entity. |
| Edit Assertions | ✔️ | ✔️ | ❌ | The ability to add and remove assertions from an entity. |
| Edit Incidents | ✔️ | ✔️ | ❌ | The ability to create and remove incidents for an entity. |
| Edit Entity | ✔️ | ✔️ | ❌ | The ability to edit any information about an entity. Super user privileges for the entity. |
| Edit Dataset Column Tags | ✔️ | ✔️ | ❌ | The ability to edit the column (field) tags associated with a dataset schema. |
| Edit Dataset Column Glossary Terms | ✔️ | ✔️ | ❌ | The ability to edit the column (field) glossary terms associated with a dataset schema. |
| Edit Dataset Column Descriptions | ✔️ | ✔️ | ❌ | The ability to edit the column (field) descriptions associated with a dataset schema. |
| Edit Tag Color | ✔️ | ✔️ | ❌ | The ability to change the color of a Tag. |
| Edit Lineage | ✔️ | ✔️ | ❌ | The ability to add and remove lineage edges for this entity. |
| Edit Dataset Queries | ✔️ | ✔️ | ❌ | The ability to edit the Queries for a Dataset. |
| Manage Data Products | ✔️ | ✔️ | ❌ | The ability to create, edit, and delete Data Products within a Domain |
| Edit Properties | ✔️ | ✔️ | ❌ | The ability to edit the properties for an entity. |
| Edit Owners | ✔️ | ❌ | ❌ | The ability to add and remove owners of an entity. |
| Edit Group Members | ✔️ | ❌ | ❌ | The ability to add and remove members to a group. |
| Edit User Profile | ✔️ | ❌ | ❌ | The ability to change the user's profile including display name, bio, title, profile image, etc. |
| Edit Contact Information | ✔️ | ❌ | ❌ | The ability to change the contact information such as email & chat handles. |
| Delete | ✔️ | ❌ | ❌ | The ability to delete this entity. |
| Search API | ✔️ | ✔️ | ✔️ | The ability to access search APIs. |
| Get Aspect/Entity Count APIs | ✔️ | ✔️ | ✔️ | The ability to use the GET Aspect/Entity Count APIs. |
| Get Timeseries Aspect API | ✔️ | ✔️ | ✔️ | The ability to use the GET Timeseries Aspect API. |
| Get Entity + Relationships API | ✔️ | ✔️ | ✔️ | The ability to use the GET Entity and Relationships API. |
| Get Timeline API | ✔️ | ✔️ | ✔️ | The ability to use the GET Timeline API. |
| Explain ElasticSearch Query API | ✔️ | ✔️ | ✔️ | The ability to use the Operations API explain endpoint. |
| Produce Platform Event API | ✔️ | ✔️ | ❌ | The ability to produce Platform Events using the API. |
Managed DataHub
These privileges are only relevant to Managed DataHub.
Platform Privileges
| Privilege | Admin | Editor | Reader | Description |
|---|---|---|---|---|
| Manage Tests | ✔️ | ✔️ | ❌ | Create and remove Asset Tests. |
| View Metadata Proposals | ✔️ | ✔️ | ❌ | View the requests tab for viewing metadata proposals. |
| Create metadata constraints | ✔️ | ✔️ | ❌ | Create metadata constraints. |
| Manage Platform Settings | ✔️ | ❌ | ❌ | View and change platform-level settings, like integrations & notifications. |
| Manage Monitors | ✔️ | ❌ | ❌ | Create, update, and delete any data asset monitors, including Custom SQL monitors. Grant with care. |
Metadata Privileges
| Privilege | Admin | Editor | Reader | Description |
|---|---|---|---|---|
| View Entity | ✔️ | ✔️ | ✔️ | The ability to view the entity in search results. |
| Propose Tags | ✔️ | ✔️ | ✔️ | The ability to propose adding a tag to an asset. |
| Propose Glossary Terms | ✔️ | ✔️ | ✔️ | The ability to propose adding a glossary term to an asset. |
| Propose Documentation | ✔️ | ✔️ | ✔️ | The ability to propose updates to an asset's documentation. |
| Propose Dataset Column Glossary Terms | ✔️ | ✔️ | ✔️ | The ability to propose column (field) glossary terms associated with a dataset schema. |
| Propose Dataset Column Tags | ✔️ | ✔️ | ✔️ | The ability to propose new column (field) tags associated with a dataset schema. |
| Manage Tag Proposals | ✔️ | ✔️ | ❌ | The ability to manage a proposal to add a tag to an asset. |
| Manage Glossary Term Proposals | ✔️ | ✔️ | ❌ | The ability to manage a proposal to add a glossary term to an asset. |
| Manage Dataset Column Glossary Terms | ✔️ | ✔️ | ❌ | The ability to manage column (field) glossary term proposals associated with a dataset schema. |
| Manage Dataset Column Tag Proposals | ✔️ | ✔️ | ❌ | The ability to manage column (field) tag proposals associated with a dataset schema. |
| Manage Documentation Proposals | ✔️ | ✔️ | ❌ | The ability to manage a proposal update an asset's documentation |
| Manage Group Notification Settings | ✔️ | ✔️ | ❌ | The ability to manage notification settings for a group. |
| Manage Group Subscriptions | ✔️ | ✔️ | ❌ | The ability to manage subscriptions for a group. |
| Manage Data Contract Proposals | ✔️ | ✔️ | ❌ | The ability to manage a proposal for a Data Contract |
| Share Entity | ✔️ | ✔️ | ❌ | The ability to share an entity with another Acryl instance. |
Additional Resources
GraphQL
FAQ and Troubleshooting
What updates are planned for Roles?
In the future, the DataHub team is looking into adding the following features to Roles.
- Defining a role mapping from OIDC identity providers to DataHub that will grant users a DataHub role based on their IdP role
- Allowing Admins to set a default role on DataHub so all users are assigned a role
- Building custom roles