- Vadym Humeniuk - Resident Architect
- Datapunkt Platform
- Hits: 405
Security Priviledges in Datapunkt
Introduction
Watch the video to get an in-depth look at the role capabilities, capacities, and responsibilities, as well as the flexible management and administration of roles that you can use within Datapunkt.Predefined Roles for Seamless Access Control:
Datapunkt comes equipped with an array of predefined roles that are meticulously managed by the platform itself. These roles are crafted to remain updated as Datapunkt evolves over time, ensuring compatibility as you migrate across different versions.
However, it's advisable not to tamper with the permissions linked to each role, such as adding or removing permissions. Modifying role permissions could lead to synchronization issues, which can be rectified by running the superset init command, typically performed during version updates.
You can explore the detailed permissions associated with these roles in the table located at /RESOURCES/STANDARD_ROLES.md.
The following roles are integral to Datapunkt Superset's security model:
-
Admin Role: Admins wield comprehensive control, including the ability to grant or revoke rights from other users and manipulate their slices and dashboards.
-
Alpha Role: Alpha users enjoy access to all data sources. While they lack the authority to manage access for others, they can modify objects within their ownership. Alpha users are authorized to add and modify data sources.
-
Gamma Role: Gamma users possess limited access. They can consume data from sources granted to them through complementary roles. Their access is restricted to viewing slices and dashboards linked to their accessible data sources. Currently, Gamma users cannot create or alter data sources.
-
SQL Lab Role: The SQL Lab role grants users access to the SQL Lab feature. Notably, while Admin users automatically access all databases, both Alpha and Gamma users must be granted access on a database-by-database basis.
-
Public Role: The Public role extends access to certain features for logged-out users. To enable this, you can configure the PUBLIC_ROLE_LIKE setting and assign it to a role with permissions you wish to impart to the public role.
Managing Data Source Access for Gamma Roles:
To grant users access to specific datasets, follow these steps:
- Assign the Gamma role to users requiring limited access.
- Create a new role by navigating to Menu -> Security -> List Roles and clicking the + sign.
- Name the new role, associate it with users, and select tables from the Permissions dropdown. Search for table names using the typeahead feature.
- Confirm with Gamma role-assigned users that they can see objects linked to the extended data source access.
Customizing and Granular Permissions:
FAB's permissions are finely grained, allowing extensive customization. Datapunkt automatically generates numerous permissions for each model and view, such as can_add, can_delete, can_show, can_edit, and more. Additionally, Datapunkt can expose granular permissions like all_datasource_access.
While modifying the base roles isn't advised due to Datapunkt's underlying assumptions, you can craft your own roles and merge them with existing ones.
Exploring Categories of Permissions:
Datapunkt encompasses various categories of permissions, each serving a distinct purpose:
-
Model & Action: Model permissions pertain to entities like Dashboards, Slices, or Users. These encompass actions like can_edit, can_show, can_delete, can_list, and more. For instance, you can empower users to delete dashboards by adding can_delete to the Dashboard entity for a role assigned to them.
-
Views: Views correspond to specific web pages, such as the Explore view or SQL Lab view. Granting views to users enables them to access those pages and their associated functionalities.
-
Data Source: Every data source is assigned a permission. Users lacking all_datasource_access can only interact with data sources granted to them. This ensures that users can view and explore data from authorized sources.
-
Database: Providing database access allows users to interact with all data sources within that database. This enables users to query the database using SQL Lab, provided they possess the required SQL Lab permissions.
