From 90febde88e6993bebe38e368597f90855b966bd7 Mon Sep 17 00:00:00 2001
From: ksrinath
Date: Wed, 5 Jun 2024 16:27:19 +0530
Subject: [PATCH] doc(roles): update privileges (#10528)
---
docs/authorization/access-policies-guide.md | 87 +--------
docs/authorization/policies.md | 173 +++++++++++-------
docs/authorization/roles.md | 137 +++++++++-----
.../authorization/PoliciesConfig.java | 8 +-
4 files changed, 203 insertions(+), 202 deletions(-)
diff --git a/docs/authorization/access-policies-guide.md b/docs/authorization/access-policies-guide.md
index a9a54a762cd81..2040d7ff79e99 100644
--- a/docs/authorization/access-policies-guide.md
+++ b/docs/authorization/access-policies-guide.md
@@ -91,34 +91,8 @@ In the second step, we can simply select the Privileges that this Platform Polic
-**Platform** Privileges most often provide access to perform administrative functions on the Platform. These include:
-
-| Platform Privileges | Description |
-|---------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Manage Policies | Allow actor to create and remove access control policies. Be careful - Actors with this Privilege are effectively super users. |
-| Manage Metadata Ingestion | Allow actor to create, remove, and update Metadata Ingestion sources. |
-| Manage Secrets | Allow actor to create & remove secrets stored inside DataHub. |
-| Manage Users & Groups | Allow actor to create, remove, and update users and groups on DataHub. |
-| Manage All Access Tokens | Allow actor to create, remove, and list access tokens for all users on DataHub. |
-| Create Domains | Allow the actor to create new Domains |
-| Manage Domains | Allow actor to create and remove any Domains. |
-| View Analytics | Allow the actor access to the DataHub analytics dashboard. |
-| Generate Personal Access Tokens | Allow the actor to generate access tokens for personal use with DataHub APIs. |
-| Manage User Credentials | Allow the actor to generate invite links for new native DataHub users, and password reset links for existing native users. |
-| Manage Glossaries | Allow the actor to create, edit, move, and delete Glossary Terms and Term Groups |
-| Create Tags | Allow the actor to create new Tags |
-| Manage Tags | Allow the actor to create and remove any Tags |
-| Manage Public Views | Allow the actor to create, edit, and remove any public (shared) Views. |
-| Manage Ownership Types | Allow the actor to create, edit, and remove any Ownership Types. |
-| Manage Platform Settings | (Acryl DataHub only) Allow the actor to manage global integrations and notification settings |
-| Manage Monitors | (Acryl DataHub only) Allow the actor to create, remove, start, or stop any entity assertion monitors |
-| Restore Indices API[^1] | Allow the actor to restore indices for a set of entities via API |
-| Enable/Disable Writeability API[^1] | Allow the actor to enable or disable GMS writeability for use in data migrations |
-| Apply Retention API[^1] | Allow the actor to apply aspect retention via API |
-| Explain ElasticSearch Query API[^1] | Allow actor to explain an ElasticSearch query. |
-
-
-[^1]: Only active if REST_API_AUTHORIZATION_ENABLED environment flag is enabled
+**Platform** Privileges most often provide access to perform administrative functions on the Platform.
+Refer to the [Policies Guide](./policies.md#platform-level-privileges) for a complete list of these privileges.
#### Step 3: Choose Policy Actors
@@ -194,62 +168,7 @@ scope.
**Metadata** Privileges grant access to change specific *entities* (i.e. data assets) on DataHub.
-
-The common Metadata Privileges, which span across entity types, include:
-
-| Common Privileges | Description |
-|----------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| View Entity Page | Allow actor to access the entity page for the resource in the UI. If not granted, it will redirect them to an unauthorized page. |
-| Edit Tags | Allow actor to add and remove tags to an asset. |
-| Edit Glossary Terms | Allow actor to add and remove glossary terms to an asset. |
-| Edit Owners | Allow actor to add and remove owners of an entity. |
-| Edit Description | Allow actor to edit the description (documentation) of an entity. |
-| Edit Links | Allow actor to edit links associated with an entity. |
-| Edit Status | Allow actor to edit the status of an entity (soft deleted or not). |
-| Edit Domain | Allow actor to edit the Domain of an entity. |
-| Edit Deprecation | Allow actor to edit the Deprecation status of an entity. |
-| Edit Lineage | Allow actor to edit custom lineage edges for the entity. |
-| Edit Data Product | Allow actor to edit the data product that an entity is part of |
-| Edit Incidents | Allow actor to raise and resolve incidents associated with an entity. |
-| Propose Tags | (Acryl DataHub only) Allow actor to propose new Tags for the entity. |
-| Propose Glossary Terms | (Acryl DataHub only) Allow actor to propose new Glossary Terms for the entity. |
-| Propose Documentation | (Acryl DataHub only) Allow actor to propose new Documentation for the entity. |
-| Manage Tag Proposals | (Acryl DataHub only) Allow actor to accept or reject proposed Tags for the entity. |
-| Manage Glossary Terms Proposals | (Acryl DataHub only) Allow actor to accept or reject proposed Glossary Terms for the entity. |
-| Manage Documentation Proposals | (Acryl DataHub only) Allow actor to accept or reject proposed Documentation for the entity |
-| Edit Entity | Allow actor to edit any information about an entity. Super user privileges. Controls the ability to ingest using API when REST API Authorization is enabled. |
-| Get Timeline API[^1] | Allow actor to get the timeline of an entity via API. |
-| Get Entity API[^1] | Allow actor to get an entity via API. |
-| Get Timeseries Aspect API[^1] | Allow actor to get a timeseries aspect via API. |
-| Get Aspect/Entity Count APIs[^1] | Allow actor to get aspect and entity counts via API. |
-| Search API | Allow actor to search for entities via API. |
-| Produce Platform Event API | Allow actor to ingest a platform event via API. |
-
-[^1]: Only active if REST_API_AUTHORIZATION_ENABLED is true
-
-**Specific Metadata Privileges** include
-
-| Entity | Privilege | Description |
-|--------------|------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Dataset | Edit Dataset Column Tags | Allow actor to edit the column (field) tags associated with a dataset schema. |
-| Dataset | Edit Dataset Column Glossary Terms | Allow actor to edit the column (field) glossary terms associated with a dataset schema. |
-| Dataset | Edit Dataset Column Descriptions | Allow actor to edit the column (field) descriptions associated with a dataset schema. |
-| Dataset | Edit Dataset Queries | Allow actor to edit the Highlighted Queries on the Queries tab of the dataset. |
-| Dataset | View Dataset Usage | Allow actor to access usage metadata about a dataset both in the UI and in the GraphQL API. This includes example queries, number of queries, etc. Also applies to REST APIs when REST API Authorization is enabled. |
-| Dataset | View Dataset Profile | Allow actor to access a dataset's profile both in the UI and in the GraphQL API. This includes snapshot statistics like #rows, #columns, null percentage per field, etc. |
-| Dataset | Edit Assertions | Allow actor to change the assertions associated with a dataset. |
-| Dataset | Edit Monitors | (Acryl DataHub only) Allow actor to change the assertion monitors associated with a dataset. |
-| Tag | Edit Tag Color | Allow actor to change the color of a Tag. |
-| Group | Edit Group Members | Allow actor to add and remove members to a group. |
-| Group | Edit Contact Information | Allow actor to change email, slack handle associated with the group. |
-| Group | Manage Group Subscriptions | (Acryl DataHub only) Allow actor to subscribe the group to entities. |
-| Group | Manage Group Notifications | (Acryl DataHub only) Allow actor to change notification settings for the group. |
-| User | Edit User Profile | Allow actor to change the user's profile including display name, bio, title, profile image, etc. |
-| User + Group | Edit Contact Information | Allow actor to change the contact information such as email & chat handles. |
-| Term Group | Manage Direct Glossary Children | Allow actor to change the direct child Term Groups or Terms of the group. |
-| Term Group | Manage All Glossary Children | Allow actor to change any direct or indirect child Term Groups or Terms of the group. |
-
-
+These include [**common metadata privileges**](./policies.md#platform-level-privileges) that span across entity types, as well as [**specific entity-level privileges**](./policies.md#specific-entity-level-privileges).
#### Step 3: Choose Policy Actors
diff --git a/docs/authorization/policies.md b/docs/authorization/policies.md
index 759489f291a94..9867ff6ab264d 100644
--- a/docs/authorization/policies.md
+++ b/docs/authorization/policies.md
@@ -68,75 +68,118 @@ All edits on the UI are covered by a privilege, to make sure we have the ability
We currently support the following:
-**Platform-level** privileges for DataHub operators to access & manage the administrative functionality of the system.
-
-| Platform Privileges | Description |
-|-------------------------------------|--------------------------------------------------------------------------------------------------------------------------------|
-| Manage Policies | Allow actor to create and remove access control policies. Be careful - Actors with this privilege are effectively super users. |
-| Manage Metadata Ingestion | Allow actor to create, remove, and update Metadata Ingestion sources. |
-| Manage Secrets | Allow actor to create & remove secrets stored inside DataHub. |
-| Manage Users & Groups | Allow actor to create, remove, and update users and groups on DataHub. |
-| Manage All Access Tokens | Allow actor to create, remove, and list access tokens for all users on DataHub. |
-| Create Domains | Allow the actor to create new Domains |
-| Manage Domains | Allow actor to create and remove any Domains. |
-| View Analytics | Allow the actor access to the DataHub analytics dashboard. |
-| Generate Personal Access Tokens | Allow the actor to generate access tokens for personal use with DataHub APIs. |
-| Manage User Credentials | Allow the actor to generate invite links for new native DataHub users, and password reset links for existing native users. |
-| Manage Glossaries | Allow the actor to create, edit, move, and delete Glossary Terms and Term Groups |
-| Create Tags | Allow the actor to create new Tags |
-| Manage Tags | Allow the actor to create and remove any Tags |
-| Manage Public Views | Allow the actor to create, edit, and remove any public (shared) Views. |
-| Restore Indices API[^1] | Allow the actor to restore indices for a set of entities via API |
-| Enable/Disable Writeability API[^1] | Allow the actor to enable or disable GMS writeability for use in data migrations |
-| Apply Retention API[^1] | Allow the actor to apply aspect retention via API |
+##### Platform-level privileges
+These privileges are for DataHub operators to access & manage the administrative functionality of the system.
+
+| Platform Privileges | Description |
+|-----------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| Generate Personal Access Tokens | Allow actor to generate personal access tokens for use with DataHub APIs. |
+| Manage Domains | Allow actor to create and remove Asset Domains. |
+| Manage Home Page Posts | Allow actor to create and delete home page posts |
+| Manage Glossaries | Allow actor to create, edit, and remove Glossary Entities |
+| Manage Tags | Allow actor to create and remove Tags. |
+| Manage Business Attribute | Allow actor to create, update, delete Business Attribute |
+| Manage Documentation Forms | Allow actor to manage forms assigned to assets to assist in documentation efforts. |
+| Manage Policies | Allow actor to create and remove access control policies. Be careful - Actors with this privilege are effectively super users. |
+| Manage Metadata Ingestion | Allow actor to create, remove, and update Metadata Ingestion sources. |
+| Manage Secrets | Allow actor to create & remove Secrets stored inside DataHub. |
+| Manage Users & Groups | Allow actor to create, remove, and update users and groups on DataHub. |
+| View Analytics | Allow actor to view the DataHub analytics dashboard. |
+| Manage All Access Tokens | Allow actor to create, list and revoke access tokens on behalf of users in DataHub. Be careful - Actors with this privilege are effectively super users that can impersonate other users. |
+| Manage User Credentials | Allow actor to manage credentials for native DataHub users, including inviting new users and resetting passwords |
+| Manage Public Views | Allow actor to create, update, and delete any Public (shared) Views. |
+| Manage Ownership Types | Allow actor to create, update and delete Ownership Types. |
+| Create Business Attribute | Allow actor to create new Business Attribute. |
+| Manage Connections | Allow actor to manage connections to external DataHub platforms. |
+| Restore Indices API[^1] | Allow actor to use the Restore Indices API. |
+| Get Timeseries index sizes API[^1] | Allow actor to use the get Timeseries indices size API. |
+| Truncate timeseries aspect index size API[^1] | Allow actor to use the API to truncate a timeseries index. |
+| Get ES task status API[^1] | Allow actor to use the get task status API for an ElasticSearch task. |
+| Enable/Disable Writeability API[^1] | Allow actor to enable or disable GMS writeability for data migrations. |
+| Apply Retention API[^1] | Allow actor to apply retention using the API. |
+| Analytics API access[^1] | Allow actor to use API read access to raw analytics data. |
+| Manage Tests[^2] | Allow actor to create and remove Asset Tests. |
+| View Metadata Proposals[^2] | Allow actor to view the requests tab for viewing metadata proposals. |
+| Create metadata constraints[^2] | Allow actor to create metadata constraints. |
+| Manage Platform Settings[^2] | Allow actor to view and change platform-level settings, like integrations & notifications. |
+| Manage Monitors[^2] | Allow actor to create, update, and delete any data asset monitors, including Custom SQL monitors. Grant with care. |
[^1]: Only active if REST_API_AUTHORIZATION_ENABLED is true
-
-**Common metadata privileges** to view & modify any entity within DataHub.
-
-| Common Privileges | Description |
-|-------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| View Entity Page | Allow actor to access the entity page for the resource in the UI. If not granted, it will redirect them to an unauthorized page. Additionally if the actor does not have this view privilege, the entity will be removed from search results. |
-| Edit Tags | Allow actor to add and remove tags to an asset. |
-| Edit Glossary Terms | Allow actor to add and remove glossary terms to an asset. |
-| Edit Owners | Allow actor to add and remove owners of an entity. |
-| Edit Description | Allow actor to edit the description (documentation) of an entity. |
-| Edit Links | Allow actor to edit links associated with an entity. |
-| Edit Status | Allow actor to edit the status of an entity (soft deleted or not). |
-| Edit Domain | Allow actor to edit the Domain of an entity. |
-| Edit Deprecation | Allow actor to edit the Deprecation status of an entity. |
-| Edit Assertions | Allow actor to add and remove assertions from an entity. |
-| Edit Incidents | Allow actor to raise and resolve incidents for an entity. |
-| Edit All | Allow actor to edit any information about an entity. Super user privileges. Controls the ability to ingest using API when REST API Authorization is enabled. |
-| Get Timeline API[^1] | Allow actor to get the timeline of an entity via API. |
-| Get Entity API[^1] | Allow actor to get an entity via API. |
-| Get Timeseries Aspect API[^1] | Allow actor to get a timeseries aspect via API. |
-| Get Aspect/Entity Count APIs[^1] | Allow actor to get aspect and entity counts via API. |
-| Search API[^1] | Allow actor to search for entities via API. |
-| Produce Platform Event API[^1] | Allow actor to ingest a platform event via API. |
-| Explain ElasticSearch Query API[^1] | Allow actor to explain an ElasticSearch query. |
-| Create Entity | Allow creation of the entity if it doesn't already exist. |
-| Entity Exists | Allow checking the existence of the entity without any additional access to the entity's data. |
+[^2]: Managed DataHub only
+
+##### Common metadata privileges
+These privileges are to view & modify any entity within DataHub.
+
+| Common Privileges | Description |
+|-------------------------------------|--------------------------------------------------------------------------------------------|
+| View Entity Page | Allow actor to view the entity page. |
+| Edit Tags | Allow actor to add and remove tags to an asset. |
+| Edit Glossary Terms | Allow actor to add and remove glossary terms to an asset. |
+| Edit Description | Allow actor to edit the description (documentation) of an entity. |
+| Edit Links | Allow actor to edit links associated with an entity. |
+| Edit Status | Allow actor to edit the status of an entity (soft deleted or not). |
+| Edit Domain | Allow actor to edit the Domain of an entity. |
+| Edit Data Product | Allow actor to edit the Data Product of an entity. |
+| Edit Deprecation | Allow actor to edit the Deprecation status of an entity. |
+| Edit Incidents | Allow actor to create and remove incidents for an entity. |
+| Edit Entity | Allow actor to edit any information about an entity. Super user privileges for the entity. |
+| Edit Lineage | Allow actor to add and remove lineage edges for this entity. |
+| Edit Properties | Allow actor to edit the properties for an entity. |
+| Edit Owners | Allow actor to add and remove owners of an entity. |
+| Delete | Allow actor to delete this entity. |
+| Search API[^1] | Allow actor to access search APIs. |
+| Get Aspect/Entity Count APIs[^1] | Allow actor to use the GET Aspect/Entity Count APIs. |
+| Get Timeseries Aspect API[^1] | Allow actor to use the GET Timeseries Aspect API. |
+| Get Entity + Relationships API[^1] | Allow actor to use the GET Entity and Relationships API. |
+| Get Timeline API[^1] | Allow actor to use the GET Timeline API. |
+| Explain ElasticSearch Query API[^1] | Allow actor to use the Operations API explain endpoint. |
+| Produce Platform Event API[^1] | Allow actor to produce Platform Events using the API. |
+| Create Entity | Allow actor to create an entity if it doesn't exist. |
+| Entity Exists | Allow actor to determine whether the entity exists. |
+| View Entity[^2] | Allow actor to view the entity in search results. |
+| Propose Tags[^2] | Allow actor to propose adding a tag to an asset. |
+| Propose Glossary Terms[^2] | Allow actor to propose adding a glossary term to an asset. |
+| Propose Documentation[^2] | Allow actor to propose updates to an asset's documentation. |
+| Manage Tag Proposals[^2] | Allow actor to manage a proposal to add a tag to an asset. |
+| Manage Glossary Term Proposals[^2] | Allow actor to manage a proposal to add a glossary term to an asset. |
+| Manage Documentation Proposals[^2] | Allow actor to manage a proposal update an asset's documentation |
+| Share Entity[^2] | Allow actor to share an entity with another Acryl instance. |
[^1]: Only active if REST_API_AUTHORIZATION_ENABLED is true
-
-**Specific entity-level privileges** that are not generalizable.
-
-| Entity | Privilege | Description |
-|--------------|------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Dataset | Edit Dataset Column Tags | Allow actor to edit the column (field) tags associated with a dataset schema. |
-| Dataset | Edit Dataset Column Glossary Terms | Allow actor to edit the column (field) glossary terms associated with a dataset schema. |
-| Dataset | Edit Dataset Column Descriptions | Allow actor to edit the column (field) descriptions associated with a dataset schema. |
-| Dataset | View Dataset Usage | Allow actor to access usage metadata about a dataset both in the UI and in the GraphQL API. This includes example queries, number of queries, etc. Also applies to REST APIs when REST API Authorization is enabled. |
-| Dataset | View Dataset Profile | Allow actor to access a dataset's profile both in the UI and in the GraphQL API. This includes snapshot statistics like #rows, #columns, null percentage per field, etc. |
-| Tag | Edit Tag Color | Allow actor to change the color of a Tag. |
-| Group | Edit Group Members | Allow actor to add and remove members to a group. |
-| User | Edit User Profile | Allow actor to change the user's profile including display name, bio, title, profile image, etc. |
-| User + Group | Edit Contact Information | Allow actor to change the contact information such as email & chat handles. |
-| GlossaryNode | Manage Direct Glossary Children | Allow the actor to create, edit, and delete the direct children of the selected entities. |
-| GlossaryNode | Manage All Glossary Children | Allow the actor to create, edit, and delete everything underneath the selected entities. |
-
-
+[^2]: Managed DataHub only
+
+##### Specific entity-level privileges
+These privileges are not generalizable.
+
+| Entity | Privilege | Description |
+|--------------|-------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| Dataset | View Dataset Usage | Allow actor to access dataset usage information (includes usage statistics and queries). |
+| Dataset | View Dataset Profile | Allow actor to access dataset profile (snapshot statistics) |
+| Dataset | Edit Dataset Column Descriptions | Allow actor to edit the column (field) descriptions associated with a dataset schema. |
+| Dataset | Edit Dataset Column Tags | Allow actor to edit the column (field) tags associated with a dataset schema. |
+| Dataset | Edit Dataset Column Glossary Terms | Allow actor to edit the column (field) glossary terms associated with a dataset schema. |
+| Dataset | Propose Dataset Column Glossary Terms[^2] | Allow actor to propose column (field) glossary terms associated with a dataset schema. |
+| Dataset | Propose Dataset Column Tags[^2] | Allow actor to propose new column (field) tags associated with a dataset schema. |
+| Dataset | Manage Dataset Column Glossary Terms[^2] | Allow actor to manage column (field) glossary term proposals associated with a dataset schema. |
+| Dataset | Propose Dataset Column Descriptions[^2] | Allow actor to propose new descriptions associated with a dataset schema. |
+| Dataset | Manage Dataset Column Tag Proposals[^2] | Allow actor to manage column (field) tag proposals associated with a dataset schema. |
+| Dataset | Edit Assertions | Allow actor to add and remove assertions from an entity. |
+| Dataset | Edit Dataset Queries | Allow actor to edit the Queries for a Dataset. |
+| Dataset | Create erModelRelationship | Allow actor to add erModelRelationship on a dataset. |
+| Dataset | Edit Monitors[^2] | Allow actor to edit monitors for the entity. |
+| Dataset | Edit SQL Assertion Monitors[^2] | Allow actor to edit custom SQL assertion monitors for the entity. Note that this gives read query access to users with through the Custom SQL assertion builder. Grant with care. |
+| Dataset | Edit Data Contract[^2] | Allow actor to edit the Data Contract for an entity. |
+| Dataset | Manage Data Contract Proposals[^2] | Allow actor to manage a proposal for a Data Contract |
+| Tag | Edit Tag Color | Allow actor to change the color of a Tag. |
+| Domain | Manage Data Products | Allow actor to create, edit, and delete Data Products within a Domain |
+| GlossaryNode | Manage Direct Glossary Children | Allow actor to create and delete the direct children of this entity. |
+| GlossaryNode | Manage All Glossary Children | Allow actor to create and delete everything underneath this entity. |
+| Group | Edit Group Members | Allow actor to add and remove members to a group. |
+| Group | Manage Group Notification Settings[^2] | Allow actor to manage notification settings for a group. |
+| Group | Manage Group Subscriptions[^2] | Allow actor to manage subscriptions for a group. |
+| Group | Edit Contact Information | Allow actor to change the contact information such as email & chat handles. |
+| User | Edit Contact Information | Allow actor to change the contact information such as email & chat handles. |
+| User | Edit User Profile | Allow actor to change the user's profile including display name, bio, title, profile image, etc. |
#### Resources
diff --git a/docs/authorization/roles.md b/docs/authorization/roles.md
index 7e2f1797309df..fe41cae2bc3cc 100644
--- a/docs/authorization/roles.md
+++ b/docs/authorization/roles.md
@@ -79,46 +79,72 @@ These privileges are common to both Self-Hosted DataHub and Managed DataHub.
##### Platform Privileges
-| Privilege | Admin | Editor | Reader |
-|---------------------------------|--------------------|--------------------|--------|
-| Generate Personal Access Tokens | :heavy_check_mark: | :heavy_check_mark: | :x: |
-| Manage Domains | :heavy_check_mark: | :heavy_check_mark: | :x: |
-| Manage Glossaries | :heavy_check_mark: | :heavy_check_mark: | :x: |
-| Manage Tags | :heavy_check_mark: | :heavy_check_mark: | :x: |
-| Manage Policies | :heavy_check_mark: | :x: | :x: |
-| Manage Ingestion | :heavy_check_mark: | :x: | :x: |
-| Manage Secrets | :heavy_check_mark: | :x: | :x: |
-| Manage Users and Groups | :heavy_check_mark: | :x: | :x: |
-| Manage Access Tokens | :heavy_check_mark: | :x: | :x: |
-| Manage User Credentials | :heavy_check_mark: | :x: | :x: |
-| Manage Public Views | :heavy_check_mark: | :x: | :x: |
-| View Analytics | :heavy_check_mark: | :x: | :x: |
+| Privilege | Admin | Editor | Reader | Description |
+|-------------------------------------------|--------------------|--------------------|--------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| Generate Personal Access Tokens | :heavy_check_mark: | :heavy_check_mark: | :x: | Generate personal access tokens for use with DataHub APIs. |
+| Manage Domains | :heavy_check_mark: | :heavy_check_mark: | :x: | Create and remove Asset Domains. |
+| Manage Home Page Posts | :heavy_check_mark: | :heavy_check_mark: | :x: | Create and delete home page posts |
+| Manage Glossaries | :heavy_check_mark: | :heavy_check_mark: | :x: | Create, edit, and remove Glossary Entities |
+| Manage Tags | :heavy_check_mark: | :heavy_check_mark: | :x: | Create and remove Tags. |
+| Manage Business Attribute | :heavy_check_mark: | :heavy_check_mark: | :x: | Create, update, delete Business Attribute |
+| Manage Documentation Forms | :heavy_check_mark: | :heavy_check_mark: | :x: | Manage forms assigned to assets to assist in documentation efforts. |
+| Manage Policies | :heavy_check_mark: | :x: | :x: | Create and remove access control policies. Be careful - Actors with this privilege are effectively super users. |
+| Manage Metadata Ingestion | :heavy_check_mark: | :x: | :x: | Create, remove, and update Metadata Ingestion sources. |
+| Manage Secrets | :heavy_check_mark: | :x: | :x: | Create & remove Secrets stored inside DataHub. |
+| Manage Users & Groups | :heavy_check_mark: | :x: | :x: | Create, remove, and update users and groups on DataHub. |
+| View Analytics | :heavy_check_mark: | :x: | :x: | View the DataHub analytics dashboard. |
+| Manage All Access Tokens | :heavy_check_mark: | :x: | :x: | Create, list and revoke access tokens on behalf of users in DataHub. Be careful - Actors with this privilege are effectively super users that can impersonate other users. |
+| Manage User Credentials | :heavy_check_mark: | :x: | :x: | Manage credentials for native DataHub users, including inviting new users and resetting passwords |
+| Manage Public Views | :heavy_check_mark: | :x: | :x: | Create, update, and delete any Public (shared) Views. |
+| Manage Ownership Types | :heavy_check_mark: | :x: | :x: | Create, update and delete Ownership Types. |
+| Create Business Attribute | :heavy_check_mark: | :x: | :x: | Create new Business Attribute. |
+| Manage Connections | :heavy_check_mark: | :x: | :x: | Manage connections to external DataHub platforms. |
+| Restore Indices API | :heavy_check_mark: | :x: | :x: | The ability to use the Restore Indices API. |
+| Get Timeseries index sizes API | :heavy_check_mark: | :x: | :x: | The ability to use the get Timeseries indices size API. |
+| Truncate timeseries aspect index size API | :heavy_check_mark: | :x: | :x: | The ability to use the API to truncate a timeseries index. |
+| Get ES task status API | :heavy_check_mark: | :x: | :x: | The ability to use the get task status API for an ElasticSearch task. |
+| Enable/Disable Writeability API | :heavy_check_mark: | :x: | :x: | The ability to enable or disable GMS writeability for data migrations. |
+| Apply Retention API | :heavy_check_mark: | :x: | :x: | The ability to apply retention using the API. |
+| Analytics API access | :heavy_check_mark: | :x: | :x: | API read access to raw analytics data. |
##### Metadata Privileges
-| Privilege | Admin | Editor | Reader |
-|--------------------------------------|--------------------|--------------------|--------------------|
-| View Entity Page | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
-| View Dataset Usage | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
-| View Dataset Profile | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
-| Edit Entity | :heavy_check_mark: | :heavy_check_mark: | :x: |
-| Edit Entity Tags | :heavy_check_mark: | :heavy_check_mark: | :x: |
-| Edit Entity Glossary Terms | :heavy_check_mark: | :heavy_check_mark: | :x: |
-| Edit Entity Owners | :heavy_check_mark: | :heavy_check_mark: | :x: |
-| Edit Entity Docs | :heavy_check_mark: | :heavy_check_mark: | :x: |
-| Edit Entity Doc Links | :heavy_check_mark: | :heavy_check_mark: | :x: |
-| Edit Entity Status | :heavy_check_mark: | :heavy_check_mark: | :x: |
-| Edit Entity Assertions | :heavy_check_mark: | :heavy_check_mark: | :x: |
-| Manage Entity Tags | :heavy_check_mark: | :heavy_check_mark: | :x: |
-| Manage Entity Glossary Terms | :heavy_check_mark: | :heavy_check_mark: | :x: |
-| Edit Dataset Column Tags | :heavy_check_mark: | :heavy_check_mark: | :x: |
-| Edit Dataset Column Glossary Terms | :heavy_check_mark: | :heavy_check_mark: | :x: |
-| Edit Dataset Column Descriptions | :heavy_check_mark: | :heavy_check_mark: | :x: |
-| Manage Dataset Column Tags | :heavy_check_mark: | :heavy_check_mark: | :x: |
-| Manage Dataset Column Glossary Terms | :heavy_check_mark: | :heavy_check_mark: | :x: |
-| Edit Tag Color | :heavy_check_mark: | :heavy_check_mark: | :x: |
-| Edit User Profile | :heavy_check_mark: | :heavy_check_mark: | :x: |
-| Edit Contact Info | :heavy_check_mark: | :heavy_check_mark: | :x: |
+| Privilege | Admin | Editor | Reader | Description |
+|------------------------------------|--------------------|--------------------|--------------------|--------------------------------------------------------------------------------------------------|
+| View Entity Page | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | The ability to view the entity page. |
+| View Dataset Usage | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | The ability to access dataset usage information (includes usage statistics and queries). |
+| View Dataset Profile | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | The ability to access dataset profile (snapshot statistics) |
+| Edit Tags | :heavy_check_mark: | :heavy_check_mark: | :x: | The ability to add and remove tags to an asset. |
+| Edit Glossary Terms | :heavy_check_mark: | :heavy_check_mark: | :x: | The ability to add and remove glossary terms to an asset. |
+| Edit Description | :heavy_check_mark: | :heavy_check_mark: | :x: | The ability to edit the description (documentation) of an entity. |
+| Edit Links | :heavy_check_mark: | :heavy_check_mark: | :x: | The ability to edit links associated with an entity. |
+| Edit Status | :heavy_check_mark: | :heavy_check_mark: | :x: | The ability to edit the status of an entity (soft deleted or not). |
+| Edit Domain | :heavy_check_mark: | :heavy_check_mark: | :x: | The ability to edit the Domain of an entity. |
+| Edit Data Product | :heavy_check_mark: | :heavy_check_mark: | :x: | The ability to edit the Data Product of an entity. |
+| Edit Deprecation | :heavy_check_mark: | :heavy_check_mark: | :x: | The ability to edit the Deprecation status of an entity. |
+| Edit Assertions | :heavy_check_mark: | :heavy_check_mark: | :x: | The ability to add and remove assertions from an entity. |
+| Edit Incidents | :heavy_check_mark: | :heavy_check_mark: | :x: | The ability to create and remove incidents for an entity. |
+| Edit Entity | :heavy_check_mark: | :heavy_check_mark: | :x: | The ability to edit any information about an entity. Super user privileges for the entity. |
+| Edit Dataset Column Tags | :heavy_check_mark: | :heavy_check_mark: | :x: | The ability to edit the column (field) tags associated with a dataset schema. |
+| Edit Dataset Column Glossary Terms | :heavy_check_mark: | :heavy_check_mark: | :x: | The ability to edit the column (field) glossary terms associated with a dataset schema. |
+| Edit Dataset Column Descriptions | :heavy_check_mark: | :heavy_check_mark: | :x: | The ability to edit the column (field) descriptions associated with a dataset schema. |
+| Edit Tag Color | :heavy_check_mark: | :heavy_check_mark: | :x: | The ability to change the color of a Tag. |
+| Edit Lineage | :heavy_check_mark: | :heavy_check_mark: | :x: | The ability to add and remove lineage edges for this entity. |
+| Edit Dataset Queries | :heavy_check_mark: | :heavy_check_mark: | :x: | The ability to edit the Queries for a Dataset. |
+| Manage Data Products | :heavy_check_mark: | :heavy_check_mark: | :x: | The ability to create, edit, and delete Data Products within a Domain |
+| Edit Properties | :heavy_check_mark: | :heavy_check_mark: | :x: | The ability to edit the properties for an entity. |
+| Edit Owners | :heavy_check_mark: | :x: | :x: | The ability to add and remove owners of an entity. |
+| Edit Group Members | :heavy_check_mark: | :x: | :x: | The ability to add and remove members to a group. |
+| Edit User Profile | :heavy_check_mark: | :x: | :x: | The ability to change the user's profile including display name, bio, title, profile image, etc. |
+| Edit Contact Information | :heavy_check_mark: | :x: | :x: | The ability to change the contact information such as email & chat handles. |
+| Delete | :heavy_check_mark: | :x: | :x: | The ability to delete this entity. |
+| Search API | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | The ability to access search APIs. |
+| Get Aspect/Entity Count APIs | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | The ability to use the GET Aspect/Entity Count APIs. |
+| Get Timeseries Aspect API | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | The ability to use the GET Timeseries Aspect API. |
+| Get Entity + Relationships API | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | The ability to use the GET Entity and Relationships API. |
+| Get Timeline API | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | The ability to use the GET Timeline API. |
+| Explain ElasticSearch Query API | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | The ability to use the Operations API explain endpoint. |
+| Produce Platform Event API | :heavy_check_mark: | :heavy_check_mark: | :x: | The ability to produce Platform Events using the API. |
#### Managed DataHub
@@ -126,22 +152,33 @@ These privileges are only relevant to Managed DataHub.
##### Platform Privileges
-| Privilege | Admin | Editor | Reader |
-|-------------------------|--------------------|--------------------|--------|
-| Create Constraints | :heavy_check_mark: | :heavy_check_mark: | :x: |
-| View Metadata Proposals | :heavy_check_mark: | :heavy_check_mark: | :x: |
-| Manage Tests | :heavy_check_mark: | :x: | :x: |
-| Manage Global Settings | :heavy_check_mark: | :x: | :x: |
+| Privilege | Admin | Editor | Reader | Description |
+|-----------------------------|--------------------|--------------------|--------|-----------------------------------------------------------------------------------------------------|
+| Manage Tests | :heavy_check_mark: | :heavy_check_mark: | :x: | Create and remove Asset Tests. |
+| View Metadata Proposals | :heavy_check_mark: | :heavy_check_mark: | :x: | View the requests tab for viewing metadata proposals. |
+| Create metadata constraints | :heavy_check_mark: | :heavy_check_mark: | :x: | Create metadata constraints. |
+| Manage Platform Settings | :heavy_check_mark: | :x: | :x: | View and change platform-level settings, like integrations & notifications. |
+| Manage Monitors | :heavy_check_mark: | :x: | :x: | Create, update, and delete any data asset monitors, including Custom SQL monitors. Grant with care. |
##### Metadata Privileges
-| Privilege | Admin | Editor | Reader |
-|---------------------------------------|--------------------|--------------------|--------------------|
-| Propose Entity Tags | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
-| Propose Entity Glossary Terms | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
-| Propose Dataset Column Tags | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
-| Propose Dataset Column Glossary Terms | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
-| Edit Entity Operations | :heavy_check_mark: | :heavy_check_mark: | :x: |
+| Privilege | Admin | Editor | Reader | Description |
+|---------------------------------------|--------------------|--------------------|--------------------|------------------------------------------------------------------------------------------------|
+| View Entity | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | The ability to view the entity in search results. |
+| Propose Tags | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | The ability to propose adding a tag to an asset. |
+| Propose Glossary Terms | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | The ability to propose adding a glossary term to an asset. |
+| Propose Documentation | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | The ability to propose updates to an asset's documentation. |
+| Propose Dataset Column Glossary Terms | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | The ability to propose column (field) glossary terms associated with a dataset schema. |
+| Propose Dataset Column Tags | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | The ability to propose new column (field) tags associated with a dataset schema. |
+| Manage Tag Proposals | :heavy_check_mark: | :heavy_check_mark: | :x: | The ability to manage a proposal to add a tag to an asset. |
+| Manage Glossary Term Proposals | :heavy_check_mark: | :heavy_check_mark: | :x: | The ability to manage a proposal to add a glossary term to an asset. |
+| Manage Dataset Column Glossary Terms | :heavy_check_mark: | :heavy_check_mark: | :x: | The ability to manage column (field) glossary term proposals associated with a dataset schema. |
+| Manage Dataset Column Tag Proposals | :heavy_check_mark: | :heavy_check_mark: | :x: | The ability to manage column (field) tag proposals associated with a dataset schema. |
+| Manage Documentation Proposals | :heavy_check_mark: | :heavy_check_mark: | :x: | The ability to manage a proposal update an asset's documentation |
+| Manage Group Notification Settings | :heavy_check_mark: | :heavy_check_mark: | :x: | The ability to manage notification settings for a group. |
+| Manage Group Subscriptions | :heavy_check_mark: | :heavy_check_mark: | :x: | The ability to manage subscriptions for a group. |
+| Manage Data Contract Proposals | :heavy_check_mark: | :heavy_check_mark: | :x: | The ability to manage a proposal for a Data Contract |
+| Share Entity | :heavy_check_mark: | :heavy_check_mark: | :x: | The ability to share an entity with another Acryl instance. |
## Additional Resources
diff --git a/metadata-utils/src/main/java/com/linkedin/metadata/authorization/PoliciesConfig.java b/metadata-utils/src/main/java/com/linkedin/metadata/authorization/PoliciesConfig.java
index ff740a4dfc0e0..06ac8b6f30716 100644
--- a/metadata-utils/src/main/java/com/linkedin/metadata/authorization/PoliciesConfig.java
+++ b/metadata-utils/src/main/java/com/linkedin/metadata/authorization/PoliciesConfig.java
@@ -147,7 +147,9 @@ public class PoliciesConfig {
public static final Privilege MANAGE_CONNECTIONS_PRIVILEGE =
Privilege.of(
- "MANAGE_CONNECTIONS", "Manage Connections", "Manage connections to external platforms.");
+ "MANAGE_CONNECTIONS",
+ "Manage Connections",
+ "Manage connections to external DataHub platforms.");
public static final List PLATFORM_PRIVILEGES =
ImmutableList.of(
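Review bot: The new description on `MANAGE_CONNECTIONS_PRIVILEGE`, `"Manage connections to external DataHub platforms."`, is ambiguous. It can mean connections to other DataHub instances or connections from DataHub to external platforms. This text is presumably what an administrator reads when deciding whether to grant the privilege in a policy, so the scope should be unambiguous. If the second reading is intended, `"Manage connections from DataHub to external platforms."` would be clearer. If a connection can hold credentials for the remote system (not visible in this hunk), the description should say so, as the Manage Monitors row in roles.md does with "Grant with care".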
@@ -263,7 +265,7 @@ public class PoliciesConfig {
"The ability to edit any information about an entity. Super user privileges for the entity.");
static final Privilege DELETE_ENTITY_PRIVILEGE =
- Privilege.of("DELETE_ENTITY", "Delete", "The ability to delete the delete this entity.");
+ Privilege.of("DELETE_ENTITY", "Delete", "The ability to delete this entity.");
static final Privilege EDIT_LINEAGE_PRIVILEGE =
Privilege.of(
@@ -411,7 +413,7 @@ public class PoliciesConfig {
public static final Privilege RESTORE_INDICES_PRIVILEGE =
Privilege.of(
"RESTORE_INDICES_PRIVILEGE",
- "Restore Indicies API",
+ "Restore Indices API",
"The ability to use the Restore Indices API.");
public static final Privilege GET_TIMESERIES_INDEX_SIZES_PRIVILEGE =