Managing Roles¶
Roles allow you to define a set of permissions on data, and then grant this set of access to groups. Read more about roles on Role-based Access Control.
The Roles page enables you to find roles and see their permissions on data. Users with specific access can also create, delete, and edit these roles and permissions.
Who has access to manage roles?¶
Actions on roles by the access levels that give permission to perform that action:
| Action on roles | CATALOG (all roles) | ROLE |
|---|---|---|
| Ability to see roles page in UI | ALL CREATE_ROLE_AS_OWNER |
Any access level |
| Create Roles | ALL CREATE_ROLE_AS_OWNER |
|
| List Roles | ALL |
Any access level |
| Full administrative actions on a role | ALL |
ALL |
| Grant permissions to a role | ALL |
ALL MANAGE_PERMISSIONS also need WITH GRANT OPTION to grant on objects. |
| Manage groups assigned to a role | ALL |
ALL MANAGE_GROUPS |
Creating and Editing Roles¶
Creating a New Role¶
Only catalog admins can create roles.
Click the ‘Create new role’ button to create a role:
The only requirement for creating a role is to give it a name. You can also optionally assign groups to roles when you create them.
Deleting a Role¶
Only catalog admins can delete roles.
Click the ‘Delete role’ button to delete a role:
Note that deleting a role will revoke this role’s access to data.
Adding and Removing Groups from Roles¶
Only catalog admins can add and remove groups from roles.
Click the ‘Edit groups’ button to add or remove groups from a role:
Viewing and Managing Access¶
Granting Permissions to a Role¶
See Creating policies in the UI to learn how to add permissions to roles.
Filtering by Group and User¶
In addition to searching for roles by name, you may also filter by group and user.
Filtering by group will show you all roles assigned to that group:
Filtering by user will show you all roles assigned to groups containing that user (i.e. all roles that apply to this user):
Groups that contain the user you have filtered on will be indicated in bold pink text as shown in the image above.
You can also look up a specific user on the Users page to see which roles and groups they are assigned to.
Checking Access to Data¶
You can also check which roles have permissions on a given data object by going to the Data page and looking at the data object's Permissions tab. To learn more, see Permissions on the Data page.