Manage Roles¶
Roles allow you to define a set of permissions on data and then grant this set of access to groups. Read more about roles in Role-Based Access Control (RBAC).
The Roles page enables you to find roles and see their permissions on data. Users with specific access can also create, delete, and edit these roles and permissions.
Who Can Manage Roles?¶
The following table lists the permissions to perform the actions required to manage roles.
| Action on Roles | CATALOG (all roles) | ROLE |
|---|---|---|
| Ability to see roles page in UI | ALL CREATE_ROLE_AS_OWNER |
Any access level |
| Create Roles | ALL CREATE_ROLE_AS_OWNER |
|
| List Roles | ALL |
Any access level |
| Full administrative actions on a role | ALL |
ALL |
| Grant permissions to a role | ALL |
ALL MANAGE_PERMISSIONS also need WITH GRANT OPTION to grant on objects. |
| Manage groups assigned to a role | ALL |
ALL MANAGE_GROUPS |
Create and Edit Roles¶
Create a New Role¶
Only catalog admins can create roles.
Select 
to create a new role. The Create role dialog appears.
Specify a name for the role in the Role name box (this is required). Then, optionally, select groups in the Assigned groups box to assign groups to the role.
Notes: The maximum length of role names allowed in Okera is 128 characters.Group names that include blanks (white spaces) cannot be added to a role using the Okera UI. However, they can be added to a role using Workspace:
grant role <role> to group <group-name>.
Create a New Role and Group Using Workspace¶
To create a new role and assign a new group to it using Workspace, issue the following commands:
CREATE ROLE <new-role-name> ;
GRANT ROLE <new-role-name> TO GROUP <new-group-name>;
Substitute the name of your new role for <new-role-name> and the name of your new group for <new-group-name>.
For example:
CREATE ROLE SALES_MGR;
GRANT ROLE SALES_MGR TO GROUP MANAGERS_EAST;
Delete a Role¶
Only catalog admins can delete roles.
Select the role and review its details. Then select 
in the details section to delete the role.
Deleting a role revokes its access to data.
Add and Remove Groups From Roles¶
Only catalog admins can add and remove groups from roles.
Select the role and review its details. Then select in the details section. The Groups section expands:
To add a role, select it from the dropdown list in the Assigned groups box.
To remove a role, select the X to the left of its name in the box. Select 
to save your changes.
Note: Group names that include blanks (white spaces) cannot be added to a role using the Okera UI. However, they can be added to a role using Workspace:
grant role <role> to group <group-name>.
View and Manage Access¶
Grant Permissions to a Role¶
See Creating Permissions in the UI to learn how to add permissions to roles.
Filter the Role List by Group and User¶
In addition to searching for roles by role name, you can filter the role list by group and user.
Filtering by group shows you all roles assigned to that group. You can filter by multiple groups as well. To filter by group, select or specify the group name or group names in the middle filter box (All groups box) at the top of the Roles page:
Filtering by user shows you all roles assigned to groups containing that user (i.e. all roles that apply to the user). You can filter by multiple users as well. To filter by user, select or specify the user name or user names in the right filter box (All users box) at the top of the Roles page:
View and Manage Access for Roles¶
Grant Permissions¶
See Creating Permissions in the UI to learn how to add permissions to roles.
Check Access to Data¶
You can also check which roles have permissions for a given database or dataset. To do this, review the Permissions tab for the database or a dataset on the Data page. See Managing Permissions for Data.