
View and Manage Permissions in the UI

This topic describes how to view and manage permissions.

Who Can View Data Permissions?

  • Users who have the Include ability to grant option selected (WITH GRANT OPTION) on data objects can view data permissions.
  • Users who have any level of access to manage a specific ROLE object can see all permissions granted to that role. They cannot edit permissions unless they have the Include ability to grant option selected (WITH GRANT OPTION) for the data on which the permission grants access.

View Permissions

The Permissions table lists the data to which a role has access and identifies the type of access they have.

You can see the Permissions table on:

  • The role details pane on the Roles page
  • The Permissions tab on the Data page for a database or a dataset.
Permissions table

This table has several columns:

  • Enabled: Indicates whether the permission is enabled or disabled. See Disable Permissions and Enable Permissions.
  • Access: The privilege level granted by the permission. To learn more, see Privileges.
  • Scope: The granularity of data to which the permission applies (for example, catalog, database, table, or column).
  • Object: The specific data object (database, dataset, URI, etc.) to which the permission applies. Selecting the name of a database, table, or column opens its details in a new tab.
  • Conditions: Any access conditions that have been applied to this permission to further filter access. See Adding Access Conditions.
  • Warnings: Shows the upcoming start and end times of permissions and indicates whether any permission conflicts exist. See Set Time-Based Conditions and Permission Conflicts.

Permission Conflicts

Attempting to create a new permission may sometimes generate a conflict with other permissions, as indicated by the following warning:

Conflict error

You may also see permission conflicts indicated with a yellow warning icon on existing roles:

Conflict on role

Such conflict warnings indicate that two or more permissions assigned to the same role contradict each other or are redundant. A conflict can occur for the following reasons:

  • Overlapping scope: Two or more permissions affect the same role and data but at different scopes. For example, one permission grants a role access to a database but another permission grants this role access to a table within that database. Okera recommends that one of these permissions be deleted.

  • Conflicting access level: Two or more permissions affect the same role and data but grant access levels that contradict each other. For example, one permission grants a role SELECT access to data but another permission grants this role ALL access to the same data. Okera recommends that one of these permissions be deleted.

  • Conflicting conditions: Two or more permissions affect the same role and data but have access conditions that contradict each other. For example, one permission grants a role access to all data in a table but another permission only grants this role access to certain tagged data in the same table. Okera recommends that one of these permissions be deleted.

  • Potential conflicting conditions: Two or more permissions affect the same role and data, and have access conditions that do not explicitly contradict each other, but should preferably be combined into a single permission. For example, one permission grants a role access to a table and masks certain tagged data and another permission grants this role access to the same table and masks different tagged data. Okera recommends consolidating these two permissions into one.

If you attempt to create a new permission and get a conflict warning, you can still create the conflicting permission, but the role will be flagged as having conflicts.

When a role has conflicting permissions, the Conflicts column appears in the Permissions table. Select View Conflicts in this column to see conflict details for a given permission. You must edit or delete conflicting permissions to resolve the conflicts.
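
The four conflict categories above can be modelled as a check over a list of permissions. This is an added example, not Okera's code or its actual detection logic. The `Permission` fields, the dotted object paths, the condition labels and the order in which the categories are tested are assumptions made for illustration, and the sample data is constructed.

```python
from dataclasses import dataclass
from itertools import combinations

@dataclass(frozen=True)
class Permission:
    role: str
    access: str                          # e.g. "SELECT", "ALL"
    obj: str                             # dotted path: "sales" (database), "sales.orders" (table)
    conditions: frozenset = frozenset()  # constructed labels, e.g. {"mask:pii"}

def contains(outer: str, inner: str) -> bool:
    """True when `outer` is a strict ancestor of `inner` (database > table > column)."""
    return inner.startswith(outer + ".")

def classify(a: Permission, b: Permission):
    """Return the conflict category for two permissions, or None if they do not conflict."""
    if a.role != b.role:
        return None                      # conflicts are only reported within one role
    if contains(a.obj, b.obj) or contains(b.obj, a.obj):
        return "overlapping scope"
    if a.obj != b.obj:
        return None                      # unrelated objects
    if a.access != b.access:
        return "conflicting access level"
    if a.conditions == b.conditions:
        return None                      # exact duplicate: not one of the four categories
    if not a.conditions or not b.conditions:
        return "conflicting conditions"  # unconditional grant next to a filtered one
    return "potential conflicting conditions"  # both filtered, differently: consolidate

def find_conflicts(perms):
    """Compare every pair once; return (role, category, object_a, object_b) tuples."""
    return [(a.role, kind, a.obj, b.obj)
            for a, b in combinations(perms, 2)
            if (kind := classify(a, b))]

# Constructed sample: one pair per category described in the list above.
SAMPLE = [
    Permission("analyst", "SELECT", "sales"),
    Permission("analyst", "SELECT", "sales.orders"),
    Permission("auditor", "SELECT", "hr.staff"),
    Permission("auditor", "ALL", "hr.staff"),
    Permission("support", "SELECT", "crm.tickets"),
    Permission("support", "SELECT", "crm.tickets", frozenset({"tag:public"})),
    Permission("intern", "SELECT", "web.logs", frozenset({"mask:pii"})),
    Permission("intern", "SELECT", "web.logs", frozenset({"mask:ip"})),
]

if __name__ == "__main__":
    for row in find_conflicts(SAMPLE):
        print(row)
```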

Edit Permissions

Only catalog administrators and users with the ability to grant access for the relevant data objects can edit permissions.

Select the edit icon at the end of a permission’s row to edit it.

Edit permission icon

This opens the permissions dialog and allows you to update the permission.

For some permissions, the edit icon may be disabled. This is due to one of the following restrictions:

  • You cannot edit permissions on specific data objects if you do not have the ability to grant on that data object.

  • You cannot edit permissions with a scope of Column because this scope is currently unavailable in the Add Permission dialog.

  • If you are viewing permissions on the Data page, you can only edit permissions that apply directly to the data object you are viewing. For example, if you are on the Permissions tab of a dataset, you can only edit permissions on that dataset, even though permissions on the catalog or on the relevant database may also appear.

  • You cannot edit permissions with invalid combinations of access conditions, as described in Adding Multiple Access Conditions.

Delete Permissions

Only catalog administrators and users with the ability to grant access for the relevant data objects can delete permissions.

Select the delete icon at the end of a permission’s row to delete it.

Delete permission icon

Deleting a permission revokes any access granted by the permission for the role.

Disable Permissions

Permissions are enabled by default after they are created for a role. If you decide you no longer need a permission, you can disable it instead of removing it from the role. You can easily enable it again later.

To disable a permission:

  1. Locate the permission in the Permissions list and select the edit icon at the end of its row in the list. The Edit Permission dialog appears.

  2. Slide the Enabled toggle to the left (gray) to disable the permission.

    Enable/disable permission toggle

  3. Select to disable the permission. When a permission is disabled, it is still assigned to the role, but it is not enforced.

    Disabled permissions are grayed out in permission lists, as shown in this example:

    Disabled permissions in list

Enable Permissions

You can enable permissions that have been disabled. By default, permissions are enabled when they are created. When disabled, a permission is not enforced; after a permission is reenabled, it is enforced again.

To enable a permission:

  1. Locate the disabled permission in the Permissions list and select the edit icon at the end of its row in the list. The Edit Permission dialog appears.

  2. Slide the Enabled toggle to the right (blue) to enable the permission.

    Enable/disable permission toggle

  3. Select to enable the permission. When a permission is enabled, it is enforced.