Reference | Global vs. per-resource group permissions

There are two types of group permissions: global and per-resource.


All permissions are cumulative. Users in a group are granted all of that group's permissions, even if they are also a member of another group that doesn't have the same permissions. Dataiku does not have negative permissions.

Group permissions

A group is a configurable collection of users, such as administrators or data-team. Users can belong to any number of groups, and their permissions across those groups are cumulative. The administrator assigns global permissions for each group. The administrator can choose to map permissions for a group locally or through LDAP.

An example of mapping group permissions through LDAP.

Per-resource permissions

Once groups are configured, the administrator grants per-resource group permissions.

While groups have permissions at the instance level, the administrator can assign permissions to specific groups at the resource level.

Resources are elements where the administrator might want to manage security, including projects, code environments, managed clusters, containerized execution, and infrastructure elements of the Deployer.

Permissions are specific to a resource and differ between resource types. For example, whether or not a group can edit a project is configurable at the project level.

Per-resource group permissions include the following:

  • Projects: How to assign per-project permissions.

  • Code environments: How to limit who has access to a code environment.

  • Managed clusters: How to assign owner and group permissions to use, operate, and manage Kubernetes clusters running on the major cloud providers.

  • Containerized execution: How to restrict which user groups have the right to use a specific Kubernetes execution configuration.

  • Infrastructure elements of the Deployer: How to grant group permissions with certain privileges. In this section, we’ll show you how to grant group access with view, deploy, and admin permissions on the API deployer for Published API Services and Infrastructures.
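
The cumulative rule described above, applied to both global and per-resource grants, as an added example that is not Dataiku code: group names, users, permission labels and resource ids are constructed for illustration and are not Dataiku's actual identifiers. It models only the union rule, and `granting_groups` lists every group that would have to change before a permission is actually removed from a user.

```python
# Constructed sample data: groups, users and permission labels are hypothetical
# and do not correspond to Dataiku's actual permission identifiers.
GROUP_MEMBERS = {
    "administrators": {"alice"},
    "data-team": {"alice", "bob"},
    "readers": {"bob", "carol"},
}

# Global (instance-level) permissions per group.
GLOBAL_PERMS = {
    "administrators": {"admin"},
    "data-team": {"create_project", "write_code"},
    "readers": set(),
}

# Per-resource permissions: (resource_type, resource_id) -> group -> permissions.
RESOURCE_PERMS = {
    ("project", "CHURN"): {"data-team": {"read", "write"}, "readers": {"read"}},
    ("code_env", "py39-ml"): {"data-team": {"use"}},
}


def groups_of(user):
    """All groups the user is a member of."""
    return {g for g, members in GROUP_MEMBERS.items() if user in members}


def effective_global(user):
    """Union of global permissions over every group the user belongs to."""
    perms = set()
    for group in groups_of(user):
        perms |= GLOBAL_PERMS.get(group, set())
    return perms


def effective_on(user, resource):
    """Union of per-resource permissions; there is no way to subtract one."""
    grants = RESOURCE_PERMS.get(resource, {})
    perms = set()
    for group in groups_of(user):
        perms |= grants.get(group, set())
    return perms


def granting_groups(user, permission, resource=None):
    """Every group that confers the permission; all must change to revoke it."""
    table = GLOBAL_PERMS if resource is None else RESOURCE_PERMS.get(resource, {})
    return sorted(g for g in groups_of(user) if permission in table.get(g, set()))
```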