Skip to main content

Documentation

Planning user groups and their access levels

User groups can be assigned access to datasets and projects and to all catalog resources. This section will help you plan the user groups for your organization.

Important

Note that ddw-catalog is a special system used dataset (available in all Enterprise organizations) and users and user groups who have Manage access to this dataset, automatically get authorized to manage the catalog resources of the organization.

group_access.png
For access to datasets and projects
  1. Create user groups that have access to all datasets and projects in the organization. This way users in this group automatically get access to any new dataset or project that is added to the organization.

    Table 1. Dataset and projects access assigned through user groups

    Access level

    What the group can do

    What notifications they get

    No access

    • Cannot see any datasets and projects and cannot create them for the organization.

    Exception: Discoverable datasets and projects can be viewed by everyone.

    Receives notification when a new resource is shared with the organization.

    Contribute

    • Can create new datasets and projects for the organization.

    • Can edit datasets and projects they created.

    Receives notifications about access requests and comments on the datasets and projects they create.

    Manage

    • Can manage access of other users to datasets and projects.

    • Can create, edit, delete all datasets and projects owned by the organization.

    • Can Add, edit, and delete connections from the Connection manager configuration settings available from the Settings tab of the Organization profile page.

      Note: User groups with this access will not be able to manage the tasks for these connections. User groups need the Manage access to catalog resources to be able to manage the tasks for the configured connections.

    Receives notifications about access requests, comments, and new datasets and projects added to the organization.



  2. Create user groups and don't assign any access to them. Then go to the specific datasets and projects and give user groups access to the specific resource.

  3. Don't add users to any groups and give them direct access to a specific datasets and projects. This is not a recommended approach as it creates a maintenance overhead especially when you are managing large numbers of users and resources. Also, when someone leaves a company, it is much easier to remove the user from the various groups instead of going to each resource and revoking their access.

    Table 2. Dataset and projects access assigned through individual resources

    Access level

    What the individual or group of users can do

    No access

    Cannot see any datasets and projects and cannot create them for the organization.

    Exception: Discoverable datasets and projects can be viewed by everyone.

    Discover

    Can view summary information and request access to the dataset or project.

    View

    Can view and suggest changes to the specific dataset/project they are given access to. Can download files, query the data and export results. Can participate in ongoing discussions or start new ones.

    Edit

    Can edit the specific dataset/project they have access to.

    Manage

    Manage access request to specific dataset/project and be able to delete the dataset/project.



For access to catalog resources
  1. Create user groups and assign them following level of access to all catalog resources in the organization. This way users in this group will automatically get access to any new catalog resources that are added to the organization.

    Access level

    What the group can do

    What notifications they get

    No access

    Users cannot view the catalog resources.

    None

    View

    Can view, suggest changes, and comment on all metadata resources owned by the organization.

    Receives notifications about changes they have suggested and comment threads they have participated in on metadata resources

    Edit

    View +

    • Can edit all metadata resources.

    • Can create, edit, and delete analysis, glossary items, and collections.

    Receives notifications about suggested changes and comments on metadata resources.

    Manage

    Edit +

    • Can manage access to collections.

    • Can create tasks for the connections available from the Connection manager configuration settings in the Settings tab of the Organization profile page.

      Note: As a prerequisite, user groups need Manage access to datasets and projects to able to view the Connection manager configuration settings. As a result, user groups with this combined access will be able to manage the connections and the tasks for the connection.

    Receives notifications about suggested changes, comments, and access requests on metadata resources.

  2. Create user groups and don't assign any access to them. Then go to the specific collection and give the user groups access to the specific collection.

    Important

    Note that when members are not given Edit or Manager access to catalog resources at the organization level and have access to specific collections only, they can only create the catalog resources from the Collections Details page and not from the Overview tab or the Resources or Glossary tab of the Organization Profile page.

  3. Don't add users to any groups and give them direct access to specific collections. This is not a recommended approach as it creates a maintenance overhead especially when you are managing large numbers of users and resources. Also, when someone leaves a company, it is much easier to remove the user from the various groups instead of going to each resource and revoking their access.

Note

For more details about planning access control for collections, please see Planning collection & permissions for collections.

For managing organizations

A user group with the This group can manage organization settings, billing, and member groups access enabled will be able to manage organization settings available from the Settings tab of the Organization profile page, and members and member groups from the Members tab.

Important

Users need to have Manage access to Datasets and projects to manage the Connection Manager configuration available in the Settings tab. And, users need to have Manage access to Catalog resources to manage the tasks for the configured connections.

How do permissions work when users belong to more than one group?

When you belong to multiple groups, we aggregate the permissions and the highest level of permissions are honored.

Table 3. A few examples to show you how permissions work

Configuration

Results

A user belong to two groups:

  • Super admins group is given permission to administer users and settings of the organization.

  • All members group is not allowed to do the task.

Users in the Super admin group will be able to do the task as the highest level of access is honored.

A user belong to two groups:

  • Sale group is set to not have access to the catalog resources.

  • All members group is allowed to view all catalog resources.

Users in the Sales group will still be able to view the catalog resources as the All members group has that permission.

  • User belongs to Marketing group that is set to not have access to Dataset and project in the organization.

  • You give the Marketing group Manage access to a specific dataset directly.

Users in the Marketing group will be able to manage that specific dataset.