Concept | Govern roles and permissions#
Roles and permissions define how users can interact with Dataiku Govern. While there are a standard set of roles and permissions by default, there are also many ways to build and customize these settings. To help you understand these changes, this article takes you through three steps:
Define role assignments
These settings can be found under Roles and Permissions in the Applications menu.
Roles are labels assigned to users that capture a set of permissions. The name of the role should relate to the type of user that is assigned that role. For instance, someone with the Project Manager role should have a job related to project management.
Standard roles included in Dataiku Govern already have specific default permissions associated with them. Let’s look at how to change default permissions next.
Permissions let you choose exactly what information, or data, your users are allowed to access and manipulate. In Dataiku Govern, there are four main types of permissions to consider:
Additionally, there is an Admin permission that will automatically grant Create, Read, Write, and Delete permissions.
Sometimes, defining permissions is easy. Let’s say you only had two roles defined: Consumer and Administrator. In this case, you could decide that throughout the application, Consumers only have Read permissions and that Administrators have Create, Read, Write, and Delete permissions. This is a valid configuration, but real-life use cases are rarely that simple.
This is why we have both Default permissions and Blueprint-specific settings in Dataiku Govern. Blueprint-specific settings allow you to change permissions according to the type of data a user wants to access.
For example, imagine that you are creating a Data Scientist role that should at minimum have Read permissions on each page in Dataiku Govern. However, you also want users with this role to be able to edit Govern Models. You would need to navigate to the Govern model blueprint to add write permissions.
For even greater precision, you can also edit permissions for specific fields in a Blueprint.
Define Role Assignments#
Now that you know what roles are and how to define permissions, you have to assign these roles to certain users. In other words, you must give these sets of permissions to certain users in order for them to take effect.
In Dataiku Govern, roles are assigned at a Blueprint-specific level. These assignments are implemented by Role Assignment Rules. A role is activated for a user only when a rule is created and only for that Blueprint according to certain criteria, with the exception of inheritance.
Inheritance allows the role assignment rules from one Blueprint or Artifact to apply to another Blueprint or Artifact, respectively. This is based on the hierarchical organization of Dataiku objects. However, you have the choice to inherit rules or not.
While role assignment rules can be inherited, permissions are not inherited. Thus, permissions must be specified on each blueprint where you want to grant access.
Within the Roles and Permissions settings, you are able to:
Create new roles
Change default and Blueprint-specific settings to define permissions for roles
Assign roles to users based on Blueprint or certain criteria
For more technical specifications, visit our reference documentation on Govern Security.