User roles and permissions in Data Catalog

Data Catalog includes a set of default user roles for assigning role-based access to users. That access can be fine-tuned with communities.

A community is a custom role used to fine-tune access to specific actions or Data Catalog assets. For example, you can use a community to restrict access for a group of users to a subset of glossaries and data sources.

At least one role or community must be assigned to a user when the user is created. Multiple roles or communities can be assigned to a user if the permissions granted are mutually exclusive and are not derived from the same default role.

Note: Your software license determines user-based entitlement. There are two tiers of users:

  • Business Users

    • Business User

    • Data User

  • Expert Users

    • Data Steward

    • Business Steward

    • Admin

    • Data Developer

    • Data Storage Administrator

See Default user roles and permissions for details on the permissions for users in each tier. Contact your sales representative if you have questions about this feature.

Default user roles and permissions

Data Catalog provides default user roles with role-based permissions that enable administrators to control access as necessary across Data Catalog. These permissions are distributed as needed across two tiers of licensed users: Business Users and Expert Users. Administrators can also fine-tune access by creating communities of users to which they assign permissions, such as access to specific data source types or business glossaries.

All users can comment on, rate, and be notified of changes to assets to which they have access. The following tables outline the permissions that are available in the tiered default roles. You can customize the permissions for a user by defining a community with greater or more restrictive permissions and then adding the user to that community. See the Add a community topic under the Manage Users section in Administer Pentaho Data Catalog.

For example, using a community, an administrator can grant or deny access to specific assets, such as business glossaries or data connections.

Business Users

The first tier of licensed users is Business Users, including two roles with differing permissions.

The following table shows the default access permitted for a user with the Business User or Data User role. For example, a user with the Business User role can view business glossaries but cannot view data sources. The Data User role has all the access of a Business User, plus access to data associated with the user's specific line of business.

Note: The data can be masked when deemed sensitive or confidential.

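| Role | Permission Type | Actions |
|---|---|---|
| Business User | Business Glossary | View |
| Business User | Policies | View |
| Data User | Applications | View |
| Data User | Business Glossary | View |
| Data User | Business Intelligence | View |
| Data User | Data Sources | View, AddContent, DeleteContent, ViewDashboard |
| Data User | Policies | View |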

Expert Users

The second tier of licensed users is Expert Users, which include four roles with differing permissions.

Note: Your license limits the number of Expert Users to whom you can assign a Data Catalog role. When the number of your allowed Expert Users reaches 75% of the limit allowed by your license agreement, you see a warning message. You also receive a message if you have exceeded the quota.

The following table shows the default access permitted for a user with the Business Steward, Data Steward, Admin, or Data Developer role. The Business Steward role does not have as much access as the Data Steward role. For example, a user with the Business Steward role can view data sources, but cannot create or update them. A user with the Admin role is the only user that can manage users and permissions. An Admin user can view data sources, but cannot view or create business rules. Similarly, the Data Storage Administrator role is designed for users responsible for monitoring and managing storage utilization across data sources, folders, and schemas, providing visibility into used capacity, data temperature attributes, applied business terms and tags, and duplicate file analysis.

| Role | Permission Type | Actions |
|---|---|---|
| Business Steward | Applications | View |
| Business Steward | Business Glossary | View, Create, Update, Delete, Import, Export |
| Business Steward | Business Intelligence | View |
| Business Steward | Data Sources | View |
| Business Steward | Policies | View, Create, Update, Delete, Import, Export |
| Data Steward | Applications | View, Create, Update, Delete, Import, Export |
| Data Steward | Business Glossary | View |
| Data Steward | Business Intelligence | View |
| Data Steward | Business Rules | View, Create, Update, Delete, Import, Export |
| Data Steward | Data Identification Methods | View, Create, Update, Delete, Import, Export |
| Data Steward | Data Sources | View, Create, Update, Delete, Import, Export, AddContent, ApplyRules, DeleteContent, RelationshipAssignment, RunJobs, ViewDashboard, ViewSamples |
| Data Steward | Domain Asset | View, ApplyRules, ApproveRecords |
| Data Steward | Match & Merge (Metadata) Rules | View, Modify |
| Data Steward | Policies | View |
| Data Steward | Reference Data | View, Create, Update, Delete, Import, Export, UpdateValues, ViewValues |
| Admin | Administration | View, Modify |
| Admin | Applications | View |
| Admin | Business Glossary | View |
| Admin | Business Intelligence | View |
| Admin | Data Sources | View |
| Admin | Domain Asset | View, Modify, Export, ApplyRules, ApproveRecords, RunEngine |
| Admin | MDM Data Sources | View, Modify |
| Admin | Match & Merge (Metadata) Rules | View, Modify |
| Admin | Policies | View |
| Data Storage Administrator | Applications | View |
| Data Storage Administrator | Business Glossary | View |
| Data Storage Administrator | Business Intelligence | View |
| Data Storage Administrator | Business Rules | View, Create, Update, Delete, Import, Export |
| Data Storage Administrator | Data Identification Methods | View, Create, Update, Delete, Import, Export |
| Data Storage Administrator | Data Sources | View, Create, ViewSamples, Update, RunJobs, ApplyRules, RelationshipsAssignment, Delete, Import, Export, AddContent, DeleteContent, ViewDashboard, ViewStorageReports |
| Data Storage Administrator | Policies | View |
| Data Developer | Applications | View |
| Data Developer | Business Glossary | View |
| Data Developer | Business Intelligence | View |
| Data Developer | Business Rules | View, Create, Update, Delete, Import, Export |
| Data Developer | Data Sources | View |
| Data Developer | Domain Asset | View, Modify, Export, ApplyRules, ApproveRecords, RunEngine |
| Data Developer | MDM Data Sources | View, Modify |
| Data Developer | Match & Merge (Metadata) Rules | View, Modify |
| Data Developer | Policies | View |

Data Catalog permission types and actions

The following table shows the Data Catalog features or permission types and actions that you can fine-tune using a community. General access to the actions for each feature is determined by the user role, but you can allow or restrict additional permissions with the following Permissions table when you edit a community.

For example, users with the Data Steward role have a ViewSamples action for data sources by default, which allows them to view sample data for profiled columns. If you select the Data Steward role as the base role when creating a community, you can assign other users to the community, allowing users with other roles to view data samples.

The following image shows a partial view of the default permissions for the Data Steward role. Checkboxes that are grayed out cannot be selected.

Note: Even though checkboxes for the actions appear in the user interface, it is not possible to delete a data source or a data identification method.

[Figure: Permissions table in add or edit community page]

The user role you are updating determines the permissions shown in the user interface. The table below shows all permission types and actions:

| Permission type | Action |
|---|---|
| Administration | Modify, View |
| Applications | Create, Delete, Export, Import, Update, View |
| Business Glossary | Create, Delete, Export, Import, Update, View |
| Business Intelligence | Create, Delete, Export, Import, Update, View |
| Business Rules | Create, Delete, Export, Import, Update, View |
| Data Identification Methods | Create, Delete, Export, Import, Update, View |
| Data Sources | AddContent, ApplyRules, Create, Delete, DeleteContent, Export, Import, RelationshipAssignment, RunJobs, Update, View, ViewDashboard, ViewSamples |
| Domain Asset | ApplyRules, ApproveRecords, Export, Modify, RunEngine, View |
| Match & Merge (Metadata) Rules | Modify, View |
| MDM Data Sources | Modify, View |
| Policies | Create, Delete, Export, Import, Update, View |
| Reference Data | Create, Delete, Export, Import, Update, UpdateValues, View, ViewValues |
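Because a community built on one base role can hand its actions to members who hold other roles (the ViewSamples case described in this section), it is worth reviewing what each member actually gains. The following is an added example, not Data Catalog code: the default grants are copied from the role tables on this page for two roles only, while the community record layout, the member names, and the `DATA_EXPOSING` list are assumptions made for illustration.

```python
# Added example. Default grants are copied from this page's role tables
# (two roles only); the community record layout is an assumption.
CRUD = {"View", "Create", "Update", "Delete", "Import", "Export"}
V = {"View"}
DEFAULT_ROLES = {
    "Data User": {
        "Applications": V, "Business Glossary": V, "Business Intelligence": V,
        "Data Sources": {"View", "AddContent", "DeleteContent", "ViewDashboard"},
        "Policies": V,
    },
    "Data Steward": {
        "Applications": CRUD, "Business Glossary": V, "Business Intelligence": V,
        "Business Rules": CRUD, "Data Identification Methods": CRUD,
        "Data Sources": CRUD | {"AddContent", "ApplyRules", "DeleteContent",
                                "RelationshipAssignment", "RunJobs",
                                "ViewDashboard", "ViewSamples"},
        "Domain Asset": {"View", "ApplyRules", "ApproveRecords"},
        "Match & Merge (Metadata) Rules": {"View", "Modify"},
        "Policies": V,
        "Reference Data": CRUD | {"UpdateValues", "ViewValues"},
    },
}
# Actions this reviewer treats as data-exposing: a local choice, not a product list.
DATA_EXPOSING = {("Data Sources", "ViewSamples"), ("Reference Data", "ViewValues")}

def flatten(perms):
    """Turn {permission type: {actions}} into a set of (type, action) pairs."""
    return {(t, a) for t, actions in perms.items() for a in actions}

def audit_community(community):
    """Report grants beyond the base role and what each member gains over their own role."""
    granted = flatten(community["permissions"])
    base = flatten(DEFAULT_ROLES[community["base_role"]])
    report = {"beyond_base": sorted(granted - base), "members": {}}
    for user, role in community["members"].items():
        gained = granted - flatten(DEFAULT_ROLES[role])
        report["members"][user] = {"gained": len(gained),
                                   "data_exposing": sorted(gained & DATA_EXPOSING)}
    return report

# Constructed sample: a community based on Data Steward, trimmed to data sources
# and reference data, with one Data User and one Data Steward as members.
SAMPLE = {
    "base_role": "Data Steward",
    "permissions": {"Data Sources": {"View", "ViewDashboard", "ViewSamples"},
                    "Reference Data": {"View", "ViewValues"}},
    "members": {"alice": "Data User", "bob": "Data Steward"},
}
```

Calling `audit_community(SAMPLE)` shows that the Data User member picks up sample-data and reference-value visibility they do not have by default, while the Data Steward member gains nothing.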
