Permissions in the Data Product Marketplace
Applies to Alation Cloud Service instances of Alation
Overview
Permissions in the Data Products Marketplace (DPM) are scoped to the following levels:
App-Level Roles and Permissions: Controls system-wide settings and governance.
Marketplace-Level Roles and Permissions: Controls a single marketplace.
Data Product-Level Roles and Permissions: Controls an individual data product.
Each level uses roles to assign permissions, and these roles are hierarchical - higher roles include all permissions of the roles below them.
Only App Administrators can manage app-wide settings and reassign ownership of marketplaces or data products. Marketplace- and product-level roles must be granted by someone who already holds an admin role for that specific scope.
You must understand the difference between roles and permissions in Alation:
Roles are bundles of permissions assigned to users or groups.
Permissions are the actual actions a user can take (for example, product:update or marketplace:view).
Each user can have one role per scope (app, marketplace, data product). Roles at each level define what the user can do in that context.
Similarly, in Alation, licenses and roles are separate but both must be satisfied:
Licenses (for example, Viewer, Creator) determine what features are available to a user.
Roles determine what actions the user is authorized to take within the DPM app.
Example:
A user must have a Creator license and be assigned a Marketplace Publisher role to publish a data product.
A user with the Product Admin role still can’t make changes unless they also have a license that allows access to the Data Product feature.
Default Role Assignment

| Action | Default Role |
|---|---|
| Create a Marketplace | Marketplace Admin |
| Create a Data Product | Product Admin |
| Use the Marketplace | Marketplace Viewer |
| Use the App | Viewer (minimal) |

App-level Admins can take over or reassign any resource if needed.
Role Hierarchies and Permission Scope
Permissions are scoped to each object and assigned independently. A user can be a Viewer in one marketplace, Admin in another, and have no access at all to a different one.
Each level has its own role structure.
App-Level Roles and Permissions
App-level roles govern the entire DPM application.

| Role | Permissions | Default | License Required |
|---|---|---|---|
| Admin | Manages roles, deletes marketplaces or data products, manages settings | Alation Server Admins | Creator |
| User | Creates marketplaces and data products | Everyone | Creator |
| Viewer | Views content (read-only access) | Everyone | Viewer |

App-level permissions are as follows:

| Permission | Description |
|---|---|
| | Manages roles for any resource |
| | Deletes any marketplace |
| | Deletes any data product |
| | Sets global DPM configuration |
| | Creates a new marketplace |
| | Creates a new data product |

Marketplace-Level Roles and Permissions
Marketplace roles control what users can do within a single marketplace.
The following table lists the roles and permissions available at the marketplace level:

| Role | Permissions | Default | License Required |
|---|---|---|---|
| Admin | Full control (update, delete, assign roles) settings | Creator of the marketplace | Creator |
| Maintainer | Approve or unlist data products | None | Creator |
| Product Manager | View marketplace usage data | None | Creator |
| Publisher | Request data product listing | None | Creator |
| Viewer | View and search data products | None | Viewer |

Marketplace-level permissions are as follows:

| Permission | Description |
|---|---|
| | Edits marketplace metadata, standards, and settings |
| | Deletes any marketplace |
| | Approves data product listing |
| | Removes data product from marketplace |
| | Assigns marketplace roles |
| | Views high-level marketplace usage stats |
| | Views detailed event logs |
| | Requests to list a data product |
| | Searches and browses data products in the marketplace |

Data Product-Level Roles and Permissions
Product roles are assigned per data product, independently of the marketplace.

| Role | Permissions | Default | License Required |
|---|---|---|---|
| Admin | Full control over data product spec, versions, permissions settings | Creator of the data product | Creator |
| Viewer | View the data product outside of any marketplace | Everyone | Viewer |

Product-level permissions are as follows:

| Permission | Description |
|---|---|
| | Assigns roles for the data product |
| | Edits the data product YAML |
| | Deletes the data product |
| | Views data product usage events |
| | Views data product usage statistics |
| | Views data product metadata |

Note
Marketplace visibility overrides data product visibility. If a data product is listed, any marketplace viewer can view it even if they don’t have product-level permissions.
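
For an access review, the two rules on this page that matter most are that a role only works together with the required license, and that listing a data product exposes it to every marketplace viewer. The Python model below is an added example, not Alation code or API: the action names, users and marketplaces are constructed. It assumes the role tables list roles from highest to lowest, that a Creator license also covers Viewer features, and that a user absent from `product_roles` holds no product-level role.

```python
from dataclasses import dataclass, field

# Constructed model of this page's rules; names here are not Alation identifiers.
LICENSES = ["Viewer", "Creator"]  # assumption: Creator also covers Viewer features
MP_ROLES = ["Viewer", "Publisher", "Product Manager", "Maintainer", "Admin"]  # low -> high

# action -> (minimum marketplace role, required license), from the marketplace role table
MP_ACTIONS = {
    "view": ("Viewer", "Viewer"),
    "request_listing": ("Publisher", "Creator"),
    "view_usage": ("Product Manager", "Creator"),
    "approve_or_unlist": ("Maintainer", "Creator"),
    "assign_roles": ("Admin", "Creator"),
}

@dataclass
class User:
    name: str
    license: str
    mp_roles: dict = field(default_factory=dict)       # marketplace -> one role
    product_roles: dict = field(default_factory=dict)  # data product -> one role

def can_in_marketplace(user, marketplace, action):
    """Both checks must pass: hierarchical role rank and license."""
    min_role, min_license = MP_ACTIONS[action]
    role = user.mp_roles.get(marketplace)  # scoped per marketplace; None = no access
    if role is None:
        return False
    role_ok = MP_ROLES.index(role) >= MP_ROLES.index(min_role)
    license_ok = LICENSES.index(user.license) >= LICENSES.index(min_license)
    return role_ok and license_ok

def product_view_path(user, product, listed_in):
    """Return what grants view access: 'product-role', 'marketplace-listing' or None."""
    if product in user.product_roles:  # Viewer or Admin at product level
        return "product-role"
    # Marketplace visibility overrides product visibility for listed products.
    if any(can_in_marketplace(user, mp, "view") for mp in listed_in):
        return "marketplace-listing"
    return None

def listing_exposure(users, product, listed_in):
    """Users who can see the product only because it is listed."""
    return sorted(u.name for u in users
                  if product_view_path(u, product, listed_in) == "marketplace-listing")

# Constructed sample users
ANA = User("ana", "Creator", mp_roles={"finance": "Publisher"})
BEN = User("ben", "Viewer", mp_roles={"finance": "Publisher"})
CY = User("cy", "Viewer", mp_roles={"finance": "Viewer", "hr": "Viewer"})
DEE = User("dee", "Creator", product_roles={"sales_dp": "Admin"})
```

Running `listing_exposure` before approving a listing shows which users gain visibility of the product through the marketplace alone.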
Take Over a Marketplace or Data Product
Only Data Products Marketplace App Admins can change system-wide settings like the default marketplace.
An Admin can reassign ownership if needed.