Planning user groups and their access levels

User groups can be assigned different levels of access to datasets and projects, and to the catalog. Also, different levels of permissions can be granted directly to individual resources. This section will help you plan the user groups for your organization.

Important

Note that ddw-catalog is a special system used dataset (available in all Enterprise organizations) and users and user groups who have Manage access to this dataset, automatically get authorized to manage the catalog resources of the organization.

For access to datasets and projects

You can create a user group and assign different access levels to all datasets and projects within the organization. This approach ensures that users in this group automatically inherit permission rules for any new dataset or project added to the organization.

Table 1. Permissions for Datasets and projects

Permissions granted by access level	Access levels
Permissions granted by access level	No Access	Contribute	Manage
Brief summary of permissions	Cannot view datasets and projects resources	Can create new datasets and projects for the organization	Can edit and delete all datasets and projects. Can add, modify, and remove members
Can receive notifications	Receives notification when a new resource is shared with the organization	Receives notifications about access requests and comments on the datasets and projects they create	Receives notifications about access requests, comments, and new datasets and projects added to the organization
Can view any dataset or project in the organization	- Exception: Discoverable datasets and projects can be viewed by everyone.	-	✅
Can manage any dataset or project in the organization	-	-	✅
Can propose new datasets or projects for the organization for review by admins	✅ ️⃣ ️⃣ IF: The organization has enabled proposals	-	-
Can accept proposed datasets or projects	-	-	✅
Can create new private datasets or projects in the organization	-	✅	✅
Can create new public datasets or projects in the organization	-	✅	✅
Can manage the datasets and projects in the organization that they have created	✅ ️⃣ ️⃣ UNLESS: Their access to the dataset or project is removed or they are removed from the organization	✅ ️⃣ ️⃣ UNLESS: Their access to the dataset or project is removed or they are removed from the organization	✅ ️⃣ ️⃣ UNLESS: They are removed from the organization

Table 2. Permissions for Connections and integrations

Permissions granted by access level	Access levels
Permissions granted by access level	No Access	Contribute	Manage
Brief summary of permissions	Cannot view datasets and projects resources	Can create new datasets and projects for the organization	Can edit and delete all datasets and projects. Can add, modify, and remove members
Can manage connections and integrations for use in organization datasets	-	-	✅
Can manage connection tasks to sync metadata for the organization catalog	-	-	✅ ️⃣ ️⃣ IF: They also have Manage access to catalog resources

You can also grant access directly from the individual resource to users, groups, or the organization. This method allows you to manage the permissions of the specific resource efficiently.

Table 3. Permissions for Details, discussions, and settings

Permissions granted by access level	Access levels
Permissions granted by access level	Discover	View	Edit	Manage
Brief summary of permissions	Can view summary information and request access to this dataset	Can only view this dataset	Can edit this dataset	Can edit and delete this dataset, edit and remove members
Can view dataset and project summary	✅	✅	✅	✅
Can view all discussions on the dataset and project	✅	✅	✅	✅
Can comment on discussions in the dataset and project	✅	✅	✅	✅
Can edit dataset and project summary	-	-	✅	✅
Can manage dataset and project file sync and caching settings	-	-	✅	✅
Can manage dataset and project webhooks	-	-	✅	✅
Can manage dataset and project visibility	-	-	-	✅ ️⃣ ️⃣ UNLESS: Organization has disabled open datasets and projects
Can delete dataset and project	-	-	-	✅

Table 4. Permissions for Members

Permissions granted by access level	Access levels
Permissions granted by access level	Discover	View	Edit	Manage
Brief summary of permissions	Can view summary information and request access to this dataset	Can only view this dataset	Can edit this dataset	Can edit and delete this dataset, edit and remove members
Can view who else has access to the dataset	✅	✅	✅	✅
Can request access to dataset and project	✅	-	-	-
Can approve access requests to dataset and project	-	-	-	✅
Can invite, edit, and remove other members' level of access to the dataset	-	-	-	✅
Can invite non-organization members to the dataset	-	-	-	✅ ️⃣ ️⃣ UNLESS: The organization has disabled guest authorizations

Table 5. Permissions for Files and data

Permissions granted by access level	Access levels
Permissions granted by access level	Discover	View	Edit	Manage
Brief summary of permissions	Can view summary information and request access to this dataset	Can only view this dataset	Can edit this dataset	Can edit and delete this dataset, edit and remove members
Can view all files and queries in dataset and project	-	✅	✅	✅
Can view activity and version history for the dataset and project	-	✅	✅	✅
Can view data from organization-level connections	-	✅	✅	✅
Can download all files in the dataset and project	-	✅	✅	✅
Can upload new files to dataset and project	-	-	✅	✅
Can delete existing files and data sources from the dataset and project	-	-	✅	✅
Can add data to dataset and project from organization-level connections	-	-	-	✅

Table 6. Permissions for Workspace and queries

Permissions granted by access level	Access levels
Permissions granted by access level	Discover	View	Edit	Manage
Brief summary of permissions	Can view summary information and request access to this dataset	Can only view this dataset	Can edit this dataset	Can edit and delete this dataset, edit and remove members
Can view the workspace for the dataset and project	-	✅	✅	✅
Can view shared queries for the dataset and project	-	✅	✅	✅
Can create and edit own private queries against the dataset and project data	-	✅	✅	✅
Can create and edit shared queries for the dataset and project	-	-	✅	✅
Can view other members' private queries for the dataset and project	-	-	-	-

Table 7. Permissions for Insights

Permissions granted by access level	Access levels
Permissions granted by access level	Discover	View	Edit	Manage
Brief summary of permissions	Can view summary information and request access to this dataset	Can only view this dataset	Can edit this dataset	Can edit and delete this dataset, edit and remove members
Can view all insights for the project	-	✅	✅	✅
Can create new insights for the project	-	-	✅	✅
Can edit existing insights for the project	-	-	✅	✅

Note

Don't add users to any groups and give them direct access to a specific datasets and projects. This is not a recommended approach as it creates a maintenance overhead especially when you are managing large numbers of users and resources. Also, when someone leaves a company, it is much easier to remove the user from the various groups instead of going to each resource and revoking their access.

For access to catalog resources

Create user groups and assign them following level of access to all catalog resources in the organization. This way users in this group will automatically inherit access to any new catalog resources that are added to the organization.

Table 8. Permissions for Metadata Resources and Terms

Permissions granted by access level	Access levels
Permissions granted by access level	No Access	View	Edit	Manage
Brief summary of permissions	Cannot view any metadata resources, terms, and collections	Can view all metadata resources, terms, and collections	Can create and edit all metadata resources and terms. Can edit all collections and approve suggested changes	Can create, delete and edit all metadata resources, terms, and collections. Can manage member access and perform catalog sync tasks
Can receive notifications	-	Receives notifications about changes they have suggested and comment threads they have participated in on metadata resources	Receives notifications about suggested changes and comments on metadata resources	Receives notifications about suggested changes, comments, and access requests on metadata resources
Can view any resource in the organization	-	✅	✅	✅
Can suggest changes to any resource in the organization	-	✅	-	-
Can approve changes for any resource in the organization	-	-	✅	✅
Can edit any existing resource in the organization	-	-	✅	✅
Can edit a forward relationship on any resource in the organization	-	-	✅	✅
Can edit a backward relationship on any resource in the organization	-	-	✅	✅
Can delete any resource in the organization	-	-	-	✅
Can create a new resource on the organization main profile page	-	-	✅	✅
Can create a new resource from any collection page in the organization	-	-	✅	✅
Can bulk edit any resources in the organization	-	-	✅	✅

Table 9. Permissions for Collections

Permissions granted by access level	Access levels
Permissions granted by access level	No Access	View	Edit	Manage
Brief summary of permissions	Cannot view all metadata resources, terms, and collections	Can view all metadata resources, terms, and collections	Can create and edit all metadata resources and terms. Can edit all collections and approve suggested changes	Can create, delete and edit all metadata resources, terms, and collections. Can manage member access and perform catalog sync tasks
Can view any collection in the organization	-	✅	✅	✅
Can suggest changes to the metadata of any collection in the organization	-	✅	-	-
Can suggest changes to the hierarchy (parent collection) of any collection in the organization	-	-	-	-
Can approve suggested metadata changes for any collection in the organization	-	-	✅	✅
Can edit metadata for any collection in the organization	-	-	✅	✅
Can edit the hierarchy (parent collection) of any collection in the organization	-	-	-	✅
Can delete any collection in the organization	-	-	-	✅
Can create a new collection in the organization	-	-	-	✅
Can create a new subcollection for any collection in the organization	-	-	-	✅
Can manage access to any collection in the organization	-	-	-	✅

Table 10. Permissions for Metadata profile

Permissions granted by access level	Access levels
Permissions granted by access level	No Access	View	Edit	Manage
Brief summary of permissions	Cannot view all metadata resources, terms, and collections	Can view all metadata resources, terms, and collections	Can create and edit all metadata resources and terms. Can edit all collections and approve suggested changes	Can create, delete and edit all metadata resources, terms, and collections. Can manage member access and perform catalog sync tasks
Can view the metadata profile configuration	-	-	-	-
Can edit the metadata profile configuration	-	-	-	-
Can manage connection tasks to sync metadata for the organization catalog	-	-	-	✅ ️⃣ ️⃣ IF: They can also manage datasets and projects access
Can create tasks for the connections available from the Connection manager configuration settings in the Settings tab of the Organization profile page.	-	-	-	✅ ️⃣ ️⃣ Note: As a prerequisite, user groups need Manage access to datasets and projects to able to view the Connection manager configuration settings. As a result, user groups with this combined access will be able to manage the connections and the tasks for the connection.

You can also grant access to users, groups, or the organization directly from the individual catalog resource. This approach enables you to manage the permissions of the specific collection effectively.

Important

Note that when members are not given Edit or Manager access to catalog resources at the organization level and have access to specific collections only, they can only create the catalog resources from the Collections Details page and not from the Overview tab or the Resources or Glossary tab of the Organization Profile page.

Note

If the access level is not set, members cannot search for or navigate to the resource, and the resource does not exist for the member.

If members have access to the collection through organization level or parent collection level settings, they will be able to access the collection.

Table 11. Permissions for Metadata Resources and Terms

Permissions granted by access level	Access levels
Permissions granted by access level	View	Edit	Manage
Brief summary of permissions	Can view this collection, its resources, terms, and subcollections	Can edit this collection, its resources, terms, and subcollections. Can create resources and terms in this collection. Can approve suggested changes	Can edit and delete this collection. Can create, delete, and edit collection resources, terms and subcollections. Can manage member access to the collection
Can view any resource in this collection or its subcollections	✅	✅	✅
Can suggest changes to any resource in this collection or its subcollections	✅	-	-
Can approve changes for any resource in this collection or its subcollections	-	✅	✅
Can edit any existing resource in this collection or its subcollections	-	✅	✅
Can edit a forward relationship on any resource in this collection or its subcollections	-	✅	✅
Can edit a backward relationship on any resource in this collection or its subcollections	-	✅ ️⃣ ️⃣ IF: They can also edit the target resource that owns the forward relationship	✅ ️⃣ ️⃣ IF: They can also edit the target resource that owns the forward relationship
Can create a new resource for this collection or its subcollections from the organization profile page	-	-	-
Can create a new resource for this collection or its subcollections from the collection pages	-	✅	✅
Can bulk edit any resources in this collection or its subcollections	-	✅	✅
Can delete any resource in this collection or its subcollections	-	-	✅

Table 12. Permissions for Collections

Permissions granted by access level	Access levels
Permissions granted by access level	View	Edit	Manage
Brief summary of permissions	Can view this collection, its resources, terms, and subcollections	Can edit this collection, its resources, terms, and subcollections. Can create resources and terms in this collection. Can approve suggested changes	Can edit and delete this collection. Can create, delete, and edit collection resources, terms and subcollections. Can manage member access to the collection
Can view this collection and its subcollections	✅	✅	✅
Can suggest changes to the metadata of this collection and its subcollections	✅	-	-
Can suggest changes to the hierarchy (collection parent) of this collection or its subcollections	-	-	-
Can approve suggested metadata changes for this collection or its subcollections	-	✅	✅
Can edit metadata for this collection or its subcollections	-	✅	✅
Can edit the hierarchy (parent collection) of this collection or its subcollections	-	-	✅ ️⃣ ️⃣ IF: They can also manage the new parent collection
Can delete this collection or its subcollections	-	-	✅
Can create a new collection with no parent	-	-	-
Can create a new subcollection for this collection or its subcollections	-	-	✅
Can grant access to this collection or its subcollections	-	-	✅

Note

Don't add users to any groups and give them direct access to specific collections. This is not a recommended approach as it creates a maintenance overhead especially when you are managing large numbers of users and resources. Also, when someone leaves a company, it is much easier to remove the user from the various groups instead of going to each resource and revoking their access.

For more details about planning access control for collections, please see Planning collection & permissions for collections.

For managing organizations

A user group with the This group can manage organization settings, billing, and member groups access enabled will be able to manage organization settings available from the Settings tab of the Organization profile page, members and member groups from the Members tab.

Table 13. Permissions for Members

Permissions granted by access level	Access levels
Permissions granted by access level	No Access	Manage
Brief summary of permissions	-	This group can manage organization settings, billing, and member groups
Can view all members in the organization	✅	✅
Can view default organization-wide access granted to all members	✅	✅
Can manage default organization-wide access granted to all members	-	✅
Can view organization-wide access granted to any member in the organization	✅	✅
Can manage organization-wide access granted to any member in the organization	-	✅
Can view direct access granted to any member for any resources or collections in the organization	-	✅
Can manage direct access granted to any member for any resources or collections in the organization	-	✅
Can remove any member from the organization	-	✅
Can invite members to the organization	-	✅
Can accept membership requests to the organization	-	✅
Can accept membership invitations on behalf of the organization	-	✅

Table 14. Permissions for Groups

Permissions granted by access level	Access levels
Permissions granted by access level	No Access	Manage
Brief summary of permissions	-	This group can manage organization settings, billing, and member groups
Can view all groups and their members in the organization	✅	✅
Can view organization-wide access granted to any group in the organization	✅	✅
Can manage organization-wide access granted to any group in the organization	-	✅
Can view direct access granted to any group for any resources or collections in the organization	-	✅
Can manage direct access, granted to any group, for any resources or collections in the organization	-	✅
Can view direct access granted to any member for any resources or collections in the organization	-	✅
Can add and remove any member from any group in the organization	-	✅
Can remove any member from the organization	-	✅
Can create new groups in the organization	-	✅
Can delete any existing groups in the organization	-	✅

Table 15. Permissions for Settings

Permissions granted by access level	Access levels
Permissions granted by access level	No Access	Manage
Brief summary of permissions	-	This group can manage organization settings, billing, and member groups.
Can view the organization profile including name, description, details, and photo	✅	✅
Can edit the organization profile including name, description, details, and photo	-	✅
Can manage organization general preferences	-	✅
Can manage organization webhooks	-	✅
Can manage security and SAML single sign-on configuration	-	✅ ️⃣ ️⃣ IF: SAML is enabled for the organization.
Can manage organization subscription and billing	-	✅

Important

Users need to have Manage access to Datasets and projects to manage the Connection Manager configuration available in the Settings tab. And, users need to have Manage access to Catalog resources to manage the tasks for the configured connections.

How do permissions work when users belong to more than one group?

When you belong to multiple groups, we aggregate the permissions and the highest level of permissions are honored.

Table 16. A few examples to show you how permissions work

Configuration	Results
A user belongs to two groups: Super admins group is given permission to administer users and settings of the organization. All members group is not allowed to do the task.	Users in the Super admin group will be able to do the task as the highest level of access is honored.
A user belongs to two groups: Sale group is set to not have access to the catalog resources. All members group is allowed to view all catalog resources.	Users in the Sales group will still be able to view the catalog resources as the All members group has that permission.
User belongs to Marketing group that is set to not have access to Dataset and project in the organization. You give the Marketing group Manage access to a specific dataset directly.	Users in the Marketing group will be able to manage that specific dataset.

In this section:

Planning user groups and their access levels

Important

For access to datasets and projects

Note

For access to catalog resources

Important

Note

Note

For managing organizations

Important

How do permissions work when users belong to more than one group?

Search results