
Access Delegation

Okera has many access levels that can be used to delegate various data management tasks to other users. This document contains example scenarios showing how to delegate data management permissions under a "distributed stewardship" model. In this model, distributed data stewards have as much autonomy as possible in managing access to data in their own domain, but have no access to manage data in other domains.

You can choose to customize these delegated permissions however you want, depending on the personas within your organization.

The examples below show the permissions programmatically; however, you can create all these permissions using the policy builder on the Roles page.

Who Can Delegate Permissions?

Only System Admins can delegate CATALOG level permissions to other roles.

Okera access levels in policy builder

What Is Ownership? (AS_OWNER)

Some of the object access levels carry an AS_OWNER suffix. An access level with this suffix enables users to create those objects in the catalog and automatically be granted ownership (i.e. ALL permission) on each new object they create.

Only the specific user that created that object will get ALL access on the object, not all users with the role. You can view the ownership permissions a particular user has by searching for their username on the Roles page.

Okera user roles

Note: CREATE_AS_OWNER on CATALOG scope does not cascade to all databases. You will not be able to create datasets inside databases you have not created. Depending on the scope (CATALOG or DATABASE), users will only ever have ownership privileges on the databases or tables that they have created, and not on objects created by other users.