Tutorial | Govern roles and permissions#

Get started#

This tutorial demonstrates how to configure roles and permissions in Dataiku Govern. You’ll start with simple configurations and gradually explore more advanced examples, including blueprint-specific permissions and role inheritance.

Caution

This tutorial is intended for beginners working on a newly installed instance of Dataiku Govern. Any prior modifications to default roles and permissions may result in conflicts or unexpected behavior.

Objectives#

By completing this tutorial, you will:

  • Use standard roles included with Dataiku Govern.

  • Assign roles and permissions to a user and a group.

  • Apply Role Assignment Rules for standard and custom roles.

  • Configure blueprint-specific and inherited permissions.

Prerequisites#

To complete this tutorial, you’ll need:

  • A newly installed Dataiku Govern instance (version 12.0 or later).

  • A Full Designer or Governance Manager profile.

  • Administrator privileges.

Note

Blueprints are part of the Advanced Dataiku Govern license. Familiarity with blueprints is helpful to complete this tutorial. See Introduction to Blueprint Designer for more information.

Create a group#

Before dealing with roles and permissions, create some placeholder users and groups to practice on.

  1. From the waffle (Waffle icon.) menu of the Design node, select Administration.

  2. In the left menu, click Security.

  3. Switch to the Groups tab of the panel and select + New Group.

  4. Name the group Data_Scientist_YOURINITIALS and click Save. Note that group names must be unique.

Create a user#

Next, create a new user and add them to the Data Scientist group.

  1. Go to the Users tab and select +New User.

  2. In the Login field, create a unique ID for your test user.

  3. In the Display name field, type Academy User, or something more identifiable.

  4. Select your Data Scientist group in the Groups dropdown.

  5. Choose your own password for this user.

  6. Click Save.

Now begin to assign some roles and permissions!

Assign a default role#

In this section, you’ll assign the standard Reader role. This role only grants Read permissions by default, so users won’t be able to create, edit, or delete anything.

Switch to the Govern node by clicking Dataiku Govern from the waffle (Waffle icon.) menu, and configure roles and permissions.

  1. From the waffle (Waffle icon.) menu, select Roles & Permissions.

  2. Navigate to Blueprint-specific settings in the left menu and select Business initiative.

  3. Click Create a Role Assignment Rule.

A Dataiku Govern screenshot showing the Create a Role Assignment Rule button in the user interface.

Configure this role assignment rule to assign the Reader role to your user.

  1. Select Reader in the Assign role field.

  2. In the To users field, find and select your new user.

  3. Click Create.

  4. In the Permissions tab, make sure that the Reader role has read permissions.

A Dataiku Govern screenshot showing the Reader rule configuration in the dialogue box.

Note

Because business initiatives are at the top of the Govern item hierarchy, role assignment rules for Business Initiatives are inherited by Govern projects, models, model versions, and bundles. Permissions themselves aren’t inherited and must be configured separately if needed.

To understand role assignments better, visit the section defining role assignments of the reference documentation.

Create and assign a new custom role#

Dataiku Govern also lets you configure new roles and permissions beyond the built-in standards. Create a new role with specific permissions for your Data Scientist group.

In this case, we want the Data Scientist group to only be able to:

  • Read Govern projects

  • Read and write Govern bundles

  • Read related Dataiku objects

  • Read deployment information

This means that we will have to create role assignment rules for the following blueprints:

Blueprint

Permissions

Business initiative

Dataiku project

Read

Govern project

Read

Dataiku saved model

Govern model

Dataiku saved model version

Govern model version

Dataiku bundle

Read

Govern bundle

Read and Write

Project deployer deployment

Read

Project deployer infrastructure

Read

API deployer deployment

API deployer infrastructure

Note

If a user isn’t associated to a role assignment rule for a certain blueprint, they will have no permissions for that blueprint. They won’t be able to access it in any way.

Create a custom role#

Create a new role to demonstrate custom role configuration.

  1. Open the Roles tab in the left menu and click + New Role.

  2. Name the role Data Scientist YOURINITIALS. The ID field will populate automatically.

  3. Click Create.

A Dataiku Govern screenshot showing the New role dialogue.

Note

Multiple roles can have the same name, but IDs must be unique.

Review default permissions#

Now, take a look at the default permissions for your new role.

  1. Switch to the Default permissions tab.

  2. Verify that the new role has read-only access by default.

A Dataiku Govern screenshot highlighting default permissions for the Data Scientist role.

Assign the custom role to a group#

Now you can assign your new role to the Data Scientist group. Do this by configuring the blueprint-specific settings relevant to your requirements.

  1. Navigate to the Blueprint-specific settings tab from the left menu.

  2. Open Dataiku project and click Create a Role Assignment Rule.

  3. Select the Data Scientist role under Assign role.

  4. Choose the Data Scientist group under And/or to groups.

  5. Click Create to save this rule.

A Dataiku Govern screenshot of the new rule for the Data Scientist role.

This assigns the Data Scientist role to the Data Scientist group for Dataiku projects. The assignment itself is inherited by related blueprints, but the permissions for the role must still be explicitly defined in each blueprint.

Configure blueprint-specific permissions#

Next, configure the permissions in our blueprint-specific settings.

  1. In the same blueprint, open the Permissions tab and click Edit.

  2. In your Data Scientist row, check the Read boxes under Artifact permissions and Field permissions.

  3. Save your changes.

Repeat these steps to apply rules and read permissions to the following blueprints:

  • Govern project

  • Project deployer deployment

  • Project deployer infrastructure

Define permissions for inherited rules#

Because we just created role assignment rules for the Govern project blueprint and the Dataiku project blueprint, those rules were inherited by other blueprints. Let’s add permissions on a couple of blueprints for the inherited rules.

  1. From the Blueprint-specific settings tab, open Dataiku bundle.

  2. Switch to the Permissions tab and click Edit.

  3. In your Data Scientist row, check the Read boxes under Artifact, blueprint and blueprint version permissions and Field permissions.

  4. Click Save.

A Dataiku Govern screenshot showing the Dataiku bundle blueprint-specific permissions.

Now apply read and write permissions on Govern bundles.

  1. From the Blueprint-specific settings tab, open Govern bundle.

  2. Switch to the Permissions tab and click Edit.

  3. In your Data Scientist row, check the Read and Write boxes under Artifact, blueprint and blueprint version permissions and Field permissions.

  4. Click Save.

A Dataiku Govern screenshot showing the Govern bundle blueprint-specific permissions.

Nice work! You have successfully assigned a new role with custom permissions. At this point, your user should have the Data Scientist roles and permissions because they’re part of the Data Scientist group.

Next steps#

In this tutorial, you created a group and a user, assigned the standard Reader role, and built a custom role with blueprint-specific permissions.

Next, try testing inheritance by assigning rules to higher-level blueprints and observing how they propagate. You can also create roles for other profiles, such as Project Managers or Reviewers, and experiment with field-level permissions for sensitive data.

See also

Refer to the reference documentation for complete technical details.

For examples of managing Govern roles and permissions programmatically, see the Developer Guide.