Skip to content

Managing access to UI features

In general, users will get access to most UI features based on their permissions on related objects. For example users who have access to create and manage any ROLE object will see the roles page in the UI.

These UI features may require additional configuration:

  • Reports Page
  • Users Page
  • Workspace

Admins can control access to these UI features by granting groups access to the special feature access roles – e.g. okera_reports_role, or by granting access to certain system views e.g. okera_system.ui_reports. These system views do not contain any data, their sole purpose is to control access to UI features.

Access to Reports

To grant access to the Reports page, simply grant the okera_reports_role to any groups that need access to the Reports feature.

GRANT ROLE okera_reports_role to GROUP marketing_stewards;

For more advanced role customization, you can also enable access to reporting by granting a role access to both the internal okera_system.ui_reports view as well as the okera_system.reporting_audit_logs view, so that they can query the underlying audit logs.

GRANT SELECT ON TABLE okera_system.ui_reports to ROLE steward;
GRANT SELECT ON TABLE okera_system.reporting_audit_logs to ROLE steward;


Users will still need to have SELECT access on some datasets to actually see reports for those datasets.

Access to Users

To grant access to the Users page, simply grant the okera_user_details_role to any users or groups that need access.

GRANT ROLE okera_user_details_role to GROUP marketing_stewards;

Access to Workspace

By default, access to the Okera Workspace will be granted to all users (it is granted to `okera_public_role').

If you wish to limit access to Workspace only to specific users:

  1. Revoke access to Workspace by removing it okera_public_role. You can do this from the Roles UI or by running the DDL:
REVOKE SELECT ON TABLE okera_system.ui_workspace from ROLE okera_public_role;
  1. Edit your cluster configuration, and set the value of GRANT_WORKSPACE_TO_PUBLIC_ROLE to false.

You can then grant the okera_workspace_role to any specific groups or users that you want to have access to the workspace feature.