Tutorial | Govern roles and permissions#
Get started#
This tutorial demonstrates how to configure roles and permissions in Dataiku Govern. You’ll start with simple configurations and gradually explore more advanced examples, including blueprint-specific permissions and role inheritance.
Caution
This tutorial is intended for beginners working on a newly installed instance of Dataiku Govern. Any prior modifications to default roles and permissions may result in conflicts or unexpected behavior.
Objectives#
By completing this tutorial, you will:
Use standard roles included with Dataiku Govern.
Assign roles and permissions to a user and a group.
Apply Role Assignment Rules for standard and custom roles.
Configure blueprint-specific and inherited permissions.
Prerequisites#
To complete this tutorial, you’ll need:
A newly installed Dataiku Govern instance (version 12.0 or later).
A Full Designer or Governance Manager profile.
Administrator privileges.
Note
Blueprints are part of the Advanced Dataiku Govern license. Familiarity with blueprints is helpful to complete this tutorial. See Introduction to Blueprint Designer for more information.
Create a group#
Before dealing with roles and permissions, create some placeholder users and groups to practice on.
From the waffle (
) menu of the Design node, select Administration.In the left menu, click Security.
Switch to the Groups tab of the panel and select + New Group.
Name the group
Data_Scientist_YOURINITIALSand click Save. Note that group names must be unique.
From the Launchpad, select Users, Profiles & Groups.
Open the Groups and Permissions tab.
Click + New Group.
Name the group
Data_Scientist_YOURINITIALSand put a short description.Make sure Govern node is selected under Node Availability.
Click Next.
Under Govern permissions, select the Govern Manager checkbox.
Confirm to save your new group.
Create a user#
Next, create a new user and add them to the Data Scientist group.
Go to the Users tab and select +New User.
In the Login field, create a unique ID for your test user.
In the Display name field, type
Academy User, or something more identifiable.Select your Data Scientist group in the Groups dropdown.
Choose your own password for this user.
Click Save.
Return to the Users tab and select + Invite Users.
Under Users, create an alias for your own email by adding a + to it: example+@gmail.com
Under Groups, select your Data Scientist group from the dropdown.
Click Send Invites.
You will find a link to sign up in your email. Follow the steps to sign up to activate your new user!
Important
You must sign up using a username and password, rather than single sign-on (SSO). If you don’t see the page to sign up, make sure you are logged out of your own Dataiku Cloud account.
Once you have activated the new user, log out and sign back in to your administrator account.
In the Overview panel, click Open Instance on your Govern node.
Now begin to assign some roles and permissions!
Assign a default role#
In this section, you’ll assign the standard Reader role. This role only grants Read permissions by default, so users won’t be able to create, edit, or delete anything.
Switch to the Govern node by clicking Dataiku Govern from the waffle () menu, and configure roles and permissions.
From the waffle (
) menu, select Roles & Permissions.Navigate to Blueprint-specific settings in the left menu and select Business initiative.
Click Create a Role Assignment Rule.
Configure this role assignment rule to assign the Reader role to your user.
Select Reader in the Assign role field.
In the To users field, find and select your new user.
Click Create.
In the Permissions tab, make sure that the Reader role has read permissions.
Note
Because Business initiatives are at the top of the Govern item hierarchy, role assignment rules for Business initiatives are inherited by Govern projects, models, model versions, and bundles. Permissions themselves aren’t inherited and must be configured separately if needed.
To understand role assignments better, visit the section defining role assignments of the reference documentation.
Create and assign a new custom role#
Dataiku Govern also lets you configure new roles and permissions beyond the built-in standards. Create a new role with specific permissions for your Data Scientist group.
In this case, we want the Data Scientist group to only be able to:
Read Govern projects
Read and write Govern bundles
Read related Dataiku objects
Read deployment information
This means that we will have to create role assignment rules for the following blueprints:
Blueprint |
Permissions |
|---|---|
Business initiative |
– |
Dataiku project |
Read |
Govern project |
Read |
Dataiku saved model |
– |
Govern model |
– |
Dataiku saved model version |
– |
Govern model version |
– |
Dataiku bundle |
Read |
Govern bundle |
Read and Write |
Project deployer deployment |
Read |
Project deployer infrastructure |
Read |
API deployer deployment |
– |
API deployer infrastructure |
– |
Note
If a user isn’t associated to a role assignment rule for a certain blueprint, they will have no permissions for that blueprint. They won’t be able to access it in any way.
Create a custom role#
Create a new role to demonstrate custom role configuration.
Open the Roles tab in the left menu and click + New Role.
Name the role
Data Scientist YOURINITIALS. The ID field will populate automatically.Click Create.
Note
Multiple roles can have the same name, but IDs must be unique.
Review default permissions#
Now, take a look at the default permissions for your new role.
Switch to the Default permissions tab.
Verify that the new role has read-only access by default.
Assign the custom role to a group#
Now you can assign your new role to the Data Scientist group. Do this by configuring the blueprint-specific settings relevant to your requirements.
Navigate to the Blueprint-specific settings tab from the left menu.
Open Dataiku project and click Create a Role Assignment Rule.
Select the Data Scientist role under Assign role.
Choose the Data Scientist group under And/or to groups.
Click Create to save this rule.
This assigns the Data Scientist role to the Data Scientist group for Dataiku projects. The assignment itself is inherited by related blueprints, but the permissions for the role must still be explicitly defined in each blueprint.
Configure blueprint-specific permissions#
Next, configure the permissions in our blueprint-specific settings.
In the same blueprint, open the Permissions tab and click Edit.
In your Data Scientist row, check the Read boxes under Artifact permissions and Field permissions.
Save your changes.
Repeat these steps to apply rules and read permissions to the following blueprints:
Govern project
Project deployer deployment
Project deployer infrastructure
Define permissions for inherited rules#
Because we just created role assignment rules for the Govern project blueprint and the Dataiku project blueprint, those rules were inherited by other blueprints. Let’s add permissions on a couple of blueprints for the inherited rules.
From the Blueprint-specific settings tab, open Dataiku bundle.
Switch to the Permissions tab and click Edit.
In your Data Scientist row, check the Read boxes under Artifact, blueprint and blueprint version permissions and Field permissions.
Click Save.
Now apply read and write permissions on Govern bundles.
From the Blueprint-specific settings tab, open Govern bundle.
Switch to the Permissions tab and click Edit.
In your Data Scientist row, check the Read and Write boxes under Artifact, blueprint and blueprint version permissions and Field permissions.
Click Save.
Nice work! You have successfully assigned a new role with custom permissions. At this point, your user should have the Data Scientist roles and permissions because they’re part of the Data Scientist group.
Next steps#
In this tutorial, you created a group and a user, assigned the standard Reader role, and built a custom role with blueprint-specific permissions.
Next, try testing inheritance by assigning rules to higher-level blueprints and observing how they propagate. You can also create roles for other profiles, such as Project Managers or Reviewers, and experiment with field-level permissions for sensitive data.
See also
Refer to the reference documentation for complete technical details.
For examples of managing Govern roles and permissions programmatically, see the Developer Guide.