Managing Roles in the UI
The Roles page enables you to find roles, check which groups and users are assigned to them, and view their permissions on data. Users with specific access can also create, delete, and edit these roles and permissions.
Only catalog admins or users who have been assigned the role ‘okera_policy_management_role’ can access the Roles page.
Roles
Understanding Roles
Roles enable you to define specific access to data and grant this access to groups.
A role has several components:
- A role name
- A list of groups assigned to the role
- A list of permissions detailing what data these groups can access, and what kind of access they have
Creating a New Role
Only catalog admins can create roles.
Click the ‘Create new role’ button to create a role:
The only requirement for creating a role is to give it a name. Role names may not contain spaces.
Granting Permissions to a Role
See Creating policies in the UI to learn how to add permissions to roles.
Deleting a Role
Only catalog admins can delete roles.
Click the ‘Delete role’ button to delete a role:
Note that deleting a role will revoke this role’s access to data.
Groups, Users, and Data
Adding and Removing Groups from Roles
Only catalog admins can add and remove groups from roles.
Use the ‘+’ and ‘-’ buttons next to the Groups list to add and remove groups respectively:
Note: Ensure that you spell group names correctly when adding them, as there are currently no checks in place to prevent misspelled group names.
Filtering by Group and User
In addition to searching for roles by name, you may also filter by group and user.
Filtering by group will show you all roles assigned to that group:
Filtering by user will show you all roles assigned to groups containing that user (i.e. all roles that apply to this user):
Groups that contain the user you have filtered on will be indicated in bold pink text as shown in the image above.
You can also look up a specific user on the Users page to see which roles and groups they are assigned to.
Checking Access to Data
You can additionally use the right-hand section of the filter bar to check which roles have access to specific data:
If you select a dataset from this filter, the Roles page will display…
- All roles with permissions on this dataset
- All roles with permissions on the database containing this dataset
- All roles with catalog-level permissions, as they have access to all data
If you select a database from this filter, the Roles page will display…
- All roles with permissions on this database
- All roles with permissions on datasets within this database
- All roles with catalog-level permissions, as they have access to all data
If you select the ‘Catalog’ checkbox, the Roles page will display…
- Only roles with catalog-level permissions
You can also check which roles have permissions on a given data object by going to the Data page and looking at the data object's Permissions tab. To learn more, see Permissions on the Data page.
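The data filter rules listed above, together with the user filter and the group-name caveat from the earlier sections, modelled as an added example for access reviews (not Okera's code or API). The class names, the sample roles and the group directory `MEMBERS` are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Grant:
    scope: str          # "catalog", "database" or "dataset"
    database: str = ""
    dataset: str = ""

@dataclass
class Role:
    name: str
    groups: set         # group names exactly as typed when assigned
    grants: list

def roles_for_data(roles, database=None, dataset=None, catalog_only=False):
    """Role names listed for a selection in the data filter."""
    def matches(g):
        if g.scope == "catalog":
            return True                      # catalog-level covers all data
        if catalog_only:
            return False
        if dataset is not None:              # dataset selected
            return g.database == database and (
                g.scope == "database" or g.dataset == dataset)
        return g.database == database        # database selected
    return sorted(r.name for r in roles if any(matches(g) for g in r.grants))

def roles_for_user(roles, members, user):
    """Roles assigned to any group that contains the user."""
    mine = {grp for grp, users in members.items() if user in users}
    return sorted(r.name for r in roles if r.groups & mine)

def unknown_groups(roles, members):
    """Groups on roles that the directory does not know (likely typos)."""
    known = set(members)
    return {r.name: sorted(r.groups - known) for r in roles if r.groups - known}

# Constructed sample data (hypothetical names).
ROLES = [
    Role("admin_role", {"admins"}, [Grant("catalog")]),
    Role("sales_db_role", {"sales"}, [Grant("database", "sales_db")]),
    Role("orders_role", {"analysts"}, [Grant("dataset", "sales_db", "orders")]),
    Role("hr_role", {"hr"}, [Grant("dataset", "hr_db", "staff")]),
    Role("typo_role", {"analyts"}, [Grant("dataset", "sales_db", "orders")]),
]
MEMBERS = {"admins": {"alice"}, "sales": {"bob"},
           "analysts": {"carol"}, "hr": {"dan"}}

if __name__ == "__main__":
    print(roles_for_data(ROLES, database="sales_db", dataset="orders"))
    print(roles_for_user(ROLES, MEMBERS, "carol"))
    print(unknown_groups(ROLES, MEMBERS))
```

In this model, `typo_role` appears under the data filter but never under a user filter, which is how a misspelled group name shows up during a review.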