Planning user groups and their access levels
User groups can be assigned access to datasets and projects and to all catalog resources. This section will help you plan the user groups for your organization.
Important
Note that ddw-catalog is a special system used dataset (available in all Enterprise organizations) and users and user groups who have Manage access to this dataset, automatically get authorized to manage the catalog resources of the organization.

For access to datasets and projects
Create user groups that have access to all datasets and projects in the organization. This way users in this group automatically get access to any new dataset or project that is added to the organization.
Table 1. Dataset and projects access assigned through user groupsAccess level
What the group can do
What notifications they get
No access
Cannot see any datasets and projects and cannot create them for the organization.
Exception: Discoverable datasets and projects can be viewed by everyone.
Receives notification when a new resource is shared with the organization.
Contribute
Can create new datasets and projects for the organization.
Can edit datasets and projects they created.
Receives notifications about access requests and comments on the datasets and projects they create.
Manage
Can manage access of other users to datasets and projects.
Can create, edit, delete all datasets and projects owned by the organization.
Can Add, edit, and delete connections from the Connection manager configuration settings available from the Settings tab of the Organization profile page.
Note: User groups with this access will not be able to manage the tasks for these connections. User groups need the Manage access to catalog resources to be able to manage the tasks for the configured connections.
Receives notifications about access requests, comments, and new datasets and projects added to the organization.
Create user groups and and assign them access to specific datasets and projects in the organization.
Don't add users to any groups and give them direct access to a specific datasets and projects. This is not a recommended approach as it creates a maintenance overhead especially when you are managing large numbers of users and resources. Also, when someone leaves a company, it is much easier to remove the user from the various groups instead of going to each resource and revoking their access.
Table 2. Dataset and projects access assigned through individual resourcesAccess level
What the individual or group of users can do
No access
Cannot see any datasets and projects and cannot create them for the organization.
Exception: Discoverable datasets and projects can be viewed by everyone.
Discover
Can view summary information and request access to the dataset or project.
View
Can view and suggest changes to the specific dataset/project they are given access to. Can download files, query the data and export results. Can participate in ongoing discussions or start new ones.
Edit
Can edit the specific dataset/project they have access to.
Manage
Manage access request to specific dataset/project and be able to delete the dataset/project.
For access to catalog resources
Create user groups and assign them following level of access to all catalog resources in the organization. This way users in this group will automatically get access to any new catalog resources that are added to the organization.
Access level
What the group can do
What notifications they get
No access
Users cannot view all catalog resources, glossary, collections. You can assign direct access to these user groups from the collection level.
None
View
Can view, suggest changes, and comment on all metadata resources, glossary, collections owned by the organization.
Receives notifications about changes they have suggested and comment threads they have participated in on metadata resources
Edit
View +
Can edit all metadata resources, glossary terms, collections.
Can create metadata resources and glossary terms. Cannot create new collections.
Receives notifications about suggested changes and comments on metadata resources.
Manage
Edit +
Can manage access to collections.
Can create and delete collections.
Can delete metadata resources and glossary terms.
Can create tasks for the connections available from the Connection manager configuration settings in the Settings tab of the Organization profile page.
Note: As a prerequisite, user groups need Manage access to datasets and projects to able to view the Connection manager configuration settings. As a result, user groups with this combined access will be able to manage the connections and the tasks for the connection.
Receives notifications about suggested changes, comments, and access requests on metadata resources.
Create user groups and assign them access to the specific collections in the organization.
Important
Note that when members are not given Edit or Manager access to catalog resources at the organization level and have access to specific collections only, they can only create the catalog resources from the Collections Details page and not from the Overview tab or the Resources or Glossary tab of the Organization Profile page.
Don't add users to any groups and give them direct access to specific collections. This is not a recommended approach as it creates a maintenance overhead especially when you are managing large numbers of users and resources. Also, when someone leaves a company, it is much easier to remove the user from the various groups instead of going to each resource and revoking their access.
Note
For more details about planning access control for collections, please see Planning collection & permissions for collections.
For managing organizations
A user group with the This group can manage organization settings, billing, and member groups access enabled will be able to manage organization settings available from the Settings tab of the Organization profile page, and members and member groups from the Members tab.
Important
Users need to have Manage access to Datasets and projects to manage the Connection Manager configuration available in the Settings tab. And, users need to have Manage access to Catalog resources to manage the tasks for the configured connections.
How do permissions work when users belong to more than one group?
When you belong to multiple groups, we aggregate the permissions and the highest level of permissions are honored.
Configuration | Results |
---|---|
A user belongs to two groups:
| Users in the Super admin group will be able to do the task as the highest level of access is honored. |
A user belongs to two groups:
| Users in the Sales group will still be able to view the catalog resources as the All members group has that permission. |
| Users in the Marketing group will be able to manage that specific dataset. |