Role Templates¶
Okera provides role templates to assist you in creating Okera roles that map to roles used by your authentication software. When you create a role using a role template, Okera automatically generates the SQL required to assign groups and create permissions for the new role based on your template specifications.
Note: At this time, role templates can only be used by Okera system or catalog admins. All other users will see the traditional workflow when creating roles.
Specifically, Okera provides templates for data stewards, tag managers, compliance auditors, and data custodians. When you create a template in the UI, you are presented with the following dialog.
The role template types are listed on the left side of the dialog. When you select a type, the right side of the dialog shows what you need to specify to create a role of that template type. Fields with asterisks next to their names are required.
The first type, Custom role, is provided so you can create your own role, without using a role template. The rest of this topic describes the other provided template types. For information on creating a role using a template, see Create Roles.
Note: Remember that the
adminuser is also a user role and has access to all objects. See System Administrators for more information.
Data Steward Template¶
Okera defines a data steward as a user who is responsible for the quality and protection of your data.
The data steward template requires a unique role name for the role definition and information about:
- The groups to which the role is assigned.
- The databases (datasets are included) the role can manage. If permission is granted for databases, at least one database must be selected.
- The unstructured files (URIs) the role can manage. If permission is granted for unstructured files, at least one URI must be specified. Use the
button to add more than one URI. - Role creation.
- Role maintenance. If permission is granted for role maintenance, at least one role must be selected.
- Crawler creation and dataset registration.
- Tag management. If permission is granted for tag management, at least one namespace must be selected.
Depending on your selection and input, the following SQL commands are generated when a role is created using this template:
| Permission selected | SQL Command |
|---|---|
| Assigned groups (groups selected) | GRANT ROLE <data_steward_role_name> to GROUP <selected_group>; |
| Can manage access to databases (databases selected) | GRANT ALL ON DATABASE '<selected_database>' TO ROLE '<data_steward_role_name>' WITH GRANT OPTION; |
| Can manage access to files (URI file paths specified) | GRANT ALL ON URI '<URI file path>' to '<data_steward_role_name>'; |
| Can create roles | GRANT CREATE_ROLE_AS_OWNER ON CATALOG to '<data_steward_role_name>'; |
| Can manage existing defined roles (roles selected) | GRANT ALL on '<selected_role_name>' to '<data_steward_role_name>'; |
| Can create crawlers and register datasets | GRANT CREATE_CRAWLER_AS_OWNER ON CATALOG to '<data_steward_role_name>'; |
| Can manage tags within defined namespaces (tag namespaces selected) | GRANT ALL ON ATTRIBUTE_NAMESPACE '<namespace_name>' to '<data_steward_role_name>' |
Tag Manager Template¶
Okera defines a tag manager as a user who is responsible for defining and maintaining your data classification system.
The tag manager template requires a unique role name for the role definition and information about:
- The groups to which the role is assigned.
- Tag namespace maintenance. If permission is granted for tag namespace management, at least one namespace must be selected.
Depending on your selection and input, the following SQL commands are generated when a role is created using this template:
| Permission selected | SQL Command |
|---|---|
| Assigned groups (groups selected) | GRANT ROLE <tag_manager_role_name> to GROUP <selected_group>; |
| Can manage specific namespaces and tags (tag namespaces selected) | GRANT ALL ON ATTRIBUTE_NAMESPACE '<namespace_name>' to '<tag_manager_role_name>'; |
Compliance Auditor Template¶
Okera defines a compliance auditor as a user who is responsible for auditing your data and ensuring it complies with relevant regulations.
The compliance auditor template requires a unique role name for the role definition and the following information:
- The groups to which the role is assigned.
- Whether the compliance auditor can view audit logs, insights, and reporting.
- Whether the compliance auditor can view reporting logs.
- Whether the compliance auditor can view the
daily_reportinglogs.
Depending on your selection and input, the following SQL commands are generated when a role is created using this template:
| Permission selected | SQL Command |
|---|---|
| Assigned groups (groups selected) | GRANT ROLE <compliance_auditor_role_name> to GROUP <selected_group>; |
| Can view audit logs and insights page | GRANT VIEW_AUDIT on CATALOG to '<compliance_auditor_role_name>'; |
| Can view reporting logs | GRANT SELECT ON TABLE 'okera_system.reporting_audit_logs' to '<compliance_auditor_role_name>'; |
| Can view daily_reporting logs | GRANT SELECT on 'okera_system.daily_reporting_audit_logs' to '<compliance_auditor_role_name>'; |
Data Custodian Template¶
Okera defines a data custodian as a user who is responsible for data registration and crawler management. Note that your data stewards can be set up to do this as well.
The data custodian template requires a unique role name for the role definition and the information about:
- The groups to which the role is assigned.
- Data object updates.
- Data connection creation.
- Data connection maintenance. If permission is granted for connection maintenance, at least one connection must be selected.
- Unstructured file URI maintenance. If permission is granted for URI maintenance, at least one URI must be selected. Use the button to add more than one URI.
- Crawler creation.
Depending on your selection and input, the following SQL commands are generated when a role is created using this template:
| Permission selected | SQL Command |
|---|---|
| Assigned groups (groups selected) | GRANT ROLE <data_custodian_role_name> to GROUP <selected_group>; |
| Can update data objects | GRANT UPDATE ON CATALOG TO ROLE '<data_custodian_role_name>'; |
| Can manage one or more connections (connections selected) | GRANT ALL ON DATACONNECTION '<selected_connection>' TO ROLE '<data_custodian_role_name>'; |
| Can create new connections | GRANT CREATE_DATACONNECTIOn_AS_OWNER ON CATALOG to '<data_custodian_role_name>'; |
| Can manage access to files (URI file paths specified) | GRANT ALL ON URI '<URI file path>' TO '<data_custodian_role_name>'; |
| Can create new crawlers | GRANT CREATE_CRAWLER_AS_OWNER ON CATALOG to '<data_custodian_role_name>'; |