Tutorial | Govern roles and permissions#
Let’s learn how to set up roles and permissions in Dataiku Govern. This tutorial will start with simple configurations and become more complex as it goes on.
Caution
This tutorial is for beginners working on a newly installed instance of Dataiku Govern. Any prior modifications to the default roles and permissions may result in conflicts or unexpected behavior in this tutorial.
Objectives#
In this tutorial, you will:
Utilize standard roles that are included with Dataiku Govern.
Associate roles and permissions to a user and a group.
Apply rules associated with standard roles.
Create and assign new roles with specific permissions.
Prerequisites#
To complete this tutorial, you will need:
A newly installed Dataiku Govern instance (version 12.0 or later).
Administrator privileges.
Note
This tutorial includes discussion of blueprints, which are an Advanced Dataiku Govern license feature. Still, standard users still must be familiar with blueprints to complete this tutorial. For information about blueprints, please refer to our reference documentation on advanced definitions.
Get started#
Before we start working with roles and permissions, we’ll need to create some placeholder users and groups to practice on.
Create a group#
From the Applications menu, select Administration.
In the left menu, click Security.
Switch to the Groups tab of the panel and select + New Group.
Name the group
Data_Scientist_YOURINITIALS
and click Create. Note that group names must be unique.
From the Launchpad, select Users, Profiles & Groups.
Open the Groups and Permissions tab.
Click + New Group.
Name the group
Data_Scientist_YOURINITIALS
.Make sure Govern node is selected under Node Availability.
Click Next.
Under Govern permissions, select the Govern Manager checkbox.
Confirm to save your new group.
Create a user#
Next, we’ll create a new user and add them to the Data Scientist group.
Return to the Users tab and select +New User.
In the Login field, create a unique ID for your test user.
In the Display name field, type
Academy User
, or something more identifiable.Select your Data Scientist group in the Groups dropdown.
Choose your own password for this user.
Click Create.
Return to the Users tab and select + Invite Users.
Under Users, create an alias for your own email by adding a + to it: example+@gmail.com
Under Groups, select your Data Scientist group from the dropdown.
Click Send Invites.
You will find a link to sign up in your email. Follow the steps to sign up to activate your new user!
Important
You must sign up using a username and password, rather than single sign-on (SSO). If you don’t see the page to sign up, make sure you are logged out of your own Dataiku Cloud account.
Once you have activated the new user, log out and sign back in to your administrator account.
In the Overview panel, click Open Instance on your Govern Node.
Now we can begin to assign some roles and permissions!
Assign a default role#
In this section, we will assign the standard Reader role to a user. This role only grants Read permissions by default, so users won’t be able to create, edit, or delete anything.
From the Applications menu, select Roles & Permissions.
Navigate to Blueprint-specific settings in the left menu and select Business initiative.
Click Create a Role Assignment Rule.
Let’s configure this role assignment rule to assign the Reader role to your user.
Select Reader in the Assign role field.
In the To users field, find and select your new user.
Click Create.
In the Permissions tab, make sure that the Reader role has read permissions.
With this rule in place, your user will have read permissions for business initiatives. Because business initiatives are at the top of the Govern item hierarchy, this rule will be inherited by Govern projects, models, model versions, and bundles as well. To see a visual schema of artifacts, visit this article on governance layers.
Inheritance#
While role assignment rules are inherited, permissions are not. To add read permissions to all Govern artifacts, you can navigate to the permissions tab in each Blueprint-specific setting. We’ll skip this for now.
Note
To understand role assignments better, read or review this section on defining role assignments.
To see the results of this role assignment, you can either log in to your test user profile and play around, or you can watch our video here:
Create and assign a new custom role#
Dataiku Govern also lets you configure new roles and permissions beyond the built-in standards. Let’s create a new role with specific permissions for your Data Scientist group.
In this case, we want the Data Scientist group to only be able to:
Read Govern projects
Read and write Govern bundles
Read related Dataiku objects
Read deployment information
This means that we will have to create role assignment rules for the following blueprints:
Blueprint |
Permissions |
---|---|
Business initiative |
– |
Dataiku project |
Read |
Govern project |
Read |
Dataiku saved model |
– |
Govern model |
– |
Dataiku saved model version |
– |
Govern model version |
– |
Dataiku bundle |
Read |
Govern bundle |
Read and Write |
Project deployer deployment |
Read |
Project deployer infrastructure |
Read |
API deployer deployment |
– |
API deployer infrastructure |
– |
Note
If a user is not associated to a role assignment rule for a certain blueprint, they will have no permissions for that blueprint and will not be able to access it in any way.
Create the custom role#
Let’s create this new role.
Select the Roles tab in the left menu and click + New Role.
Type
Data Scientist YOURINITIALS
in the name field. The ID field will automatically populate.Click Create.
Note
Multiple roles can have the same name, but IDs must be unique.
Review role permissions#
Now, take a look at the default permissions for your new role.
Switch to the Default permissions tab in the left menu.
Find the new role in the table. Notice that the default permission is read-only.
Assign the new role to a group#
Now you can assign your new role to the Data Scientist group. Let’s do this by configuring the blueprint-specific settings relevant to your requirements.
Navigate to the Blueprint-specific settings tab from the left menu.
Open Dataiku project and click Create a Role Assignment Rule.
Select the Data Scientist role under Assign role.
Choose the Data Scientist group under And/or to groups.
Click Create to save this rule.
This assigns the Data Scientist role to the group Data Scientist for Dataiku projects and other blueprints by inheritance. Remember that permissions are not inherited.
Define blueprint-specific permissions#
Next, we’ll configure the permissions in our blueprint-specific settings.
In the Permissions tab, select Edit.
In your Data Scientist row, check the Read boxes under Artifact, blueprint and blueprint version permissions and Field permissions.
Save your changes.
Repeat steps 1-3 in this section to apply rules and read permissions to the following blueprints:
Govern project
Project deployer deployment
Project deployer infrastructure
Define permissions for inherited rules#
Because we just created role assignment rules for the Govern project blueprint and the Dataiku project blueprint, those rules were inherited by other blueprints. Let’s add permissions on a couple of blueprints for the inherited rules.
From the Blueprint-specific settings tab, open Dataiku bundle.
Switch to the Permissions tab and click Edit.
In your Data Scientist row, check the Read boxes under Artifact, blueprint and blueprint version permissions and Field permissions.
Click Save.
Now we’ll apply read and write permissions on Govern bundles.
From the Blueprint-specific settings tab, open Govern bundle.
Switch to the Permissions tab and click Edit.
In your Data Scientist row, check the Read and Write boxes under Artifact, blueprint and blueprint version permissions and Field permissions.
Click Save.
Nice work! You have successfully assigned a new role with custom permissions. At this point, your user should have the Data Scientist roles and permissions because they are part of the Data Scientist group.
See the results of this assignment for your user: