Managing Roles in the UI

The Roles page enables you to find roles, check which groups and users are assigned to them, and view their permissions on data. Users with specific access can also create, delete, and edit these roles and permissions.

Only catalog admins or users who have been assigned the role ‘okera_policy_management_role’ can access the Roles page.

Okera Roles page

Roles

Understanding Roles

Roles enable you to define specific access to data and grant this access to groups.

A role has several components:

  • A role name
  • A list of groups assigned to the role
  • A list of permissions detailing what data these groups can access, and what kind of access they have

Role details pane

Creating a New Role

Only catalog admins can create roles.

Click the ‘Create new role’ button to create a role:

Create role button

The only requirement for creating a role is to give it a name. Role names may not contain spaces.

Granting Permissions to a Role

See Creating policies in the UI to learn how to add permissions to roles.

Deleting a Role

Only catalog admins can delete roles.

Click the ‘Delete role’ button to delete a role:

Delete role button

Note that deleting a role will revoke this role’s access to data.

Groups, Users, and Data

Adding and Removing Groups from Roles

Only catalog admins can add and remove groups from roles.

Use the ‘+’ and ‘-’ buttons next to the Groups list to add and remove groups respectively:

Add or remove groups

Note: Ensure that you spell group names correctly when adding them, as there are currently no checks in place to prevent misspelled group names.

Filtering by Group and User

In addition to searching for roles by name, you may also filter by group and user.

Filtering by group will show you all roles assigned to that group:

Filter by group

Filtering by user will show you all roles assigned to groups containing that user (i.e. all roles that apply to this user):

Filter by user

Groups that contain the user you have filtered on will be indicated in bold pink text as shown in the image above.

You can also look up a specific user on the Users page to see which roles and groups they are assigned to.

Checking Access to Data

You can additionally use the right-hand section of the filter bar to check which roles have access to specific data:

Check access to data

If you select a dataset from this filter, the Roles page will display…

  • All roles with permissions on this dataset
  • All roles with permissions on the database containing this dataset
  • All roles with catalog-level permissions, as they have access to all data

If you select a database from this filter, the Roles page will display…

  • All roles with permissions on this database
  • All roles with permissions on datasets within this database
  • All roles with catalog-level permissions, as they have access to all data

If you select the ‘Catalog’ checkbox, the Roles page will display…

  • Only roles with catalog-level permissions
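The filter rules above, together with the user filter described under Filtering by Group and User, can be written out as a small model. This is an added example, not Okera code or an Okera API: the `Permission` and `Role` classes, both function names, and all role, group, user, and data names are hypothetical and the sample data is constructed.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Permission:
    # database=None means catalog-level; dataset=None means the whole database.
    database: Optional[str] = None
    dataset: Optional[str] = None

@dataclass
class Role:
    name: str
    groups: list
    permissions: list

def roles_with_access(roles, database=None, dataset=None, catalog_only=False):
    """Names of roles listed for a dataset, database, or 'Catalog' selection."""
    def shown(p):
        if p.database is None:            # catalog-level: access to all data
            return True
        if catalog_only or p.database != database:
            return False
        if dataset is None:               # database selected: grants on it or inside it
            return True
        return p.dataset in (None, dataset)  # dataset selected: itself or its database
    return sorted(r.name for r in roles if any(shown(p) for p in r.permissions))

def roles_for_user(roles, user, members):
    """Map role name -> its groups that contain the user (the highlighted groups)."""
    hits = {}
    for r in roles:
        via = [g for g in r.groups if user in members.get(g, ())]
        if via:
            hits[r.name] = via
    return hits

# Constructed sample data (hypothetical roles, groups, and users).
ROLES = [
    Role("analyst_role", ["analysts"], [Permission("sales", "transactions")]),
    Role("sales_admin_role", ["sales_ops"], [Permission("sales")]),
    Role("marketing_role", ["marketing"], [Permission("marketing", "campaigns")]),
    Role("platform_role", ["platform"], [Permission()]),
]
MEMBERS = {"analysts": {"alice"}, "sales_ops": {"alice", "bob"},
           "marketing": {"dave"}, "platform": {"carol"}}

if __name__ == "__main__":
    print(roles_with_access(ROLES, database="sales", dataset="customers"))
    print(roles_with_access(ROLES, catalog_only=True))
    print(roles_for_user(ROLES, "alice", MEMBERS))
```

When reviewing who can reach a dataset, the database-level and catalog-level roles in the result matter as much as the roles granted on the dataset itself.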

You can also check which roles have permissions on a given data object by going to the Data page and looking at the data object's Permissions tab. To learn more, see Permissions on the Data page.

Dataset permissions tab