About DataHub Roles

Feature Availability
Self-Hosted DataHub
Managed DataHub

DataHub provides the ability to use Roles to manage permissions.

Roles are the recommended way to manage permissions on DataHub. This should suffice for most use cases, but advanced users can use Policies if needed.

Roles Setup, Prerequisites, and Permissions

The out-of-the-box Roles represent the most common types of DataHub users. Currently, the supported Roles are Admin, Editor and Reader.

| Role Name | Description |
|---|---|
| Admin | Can do everything on the platform. |
| Editor | Can read and edit all metadata. Cannot take administrative actions. |
| Reader | Can read all metadata. Cannot edit anything by default, or take administrative actions. |

Using Roles

Viewing Roles

You can view the list of existing Roles under Settings > Permissions > Roles. You can click into a Role to see details about it, like which users have that Role, and which Policies correspond to that Role.

Assigning Roles

Roles can be assigned in two different ways.

Assigning a New Role to a Single User

If you go to Settings > Users & Groups > Users, you will be able to view your full list of users, as well as which Role they are currently assigned to, including if they don't have a Role.

You can simply assign a new Role to a user by clicking on the drop-down that appears on their row and selecting the desired Role.

Batch Assigning a Role

When viewing the full list of roles at Settings > Permissions > Roles, you will notice that each role has an Add Users button next to it. Clicking this button will lead you to a search box where you can search through your users, and select which users you would like to assign this role to.

How do Roles interact with Policies?

Roles use Policies under the hood and come prepackaged with corresponding policies that control what a Role can do. You can view these in the Policies tab. Note that these Role-specific policies cannot be changed. You can find the full list of policies corresponding to each Role at the bottom of this file.

If you would like finer control over what a user on your DataHub instance can do, the Roles system interfaces cleanly with the Policies system. For example, if you would like to give a user the Reader role but also allow them to edit metadata for certain domains, you can add a policy that allows them to do so. Note that adding a policy like this will only add to what a user can do in DataHub; it does not take away anything the Role already grants.
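The additive model described above, as an added example (not DataHub's own code): it compares giving a user the smallest Role that covers everything they need against the Reader Role plus a domain-scoped policy, using a hand-transcribed subset of the matrix under Role Privileges. The `AddOnPolicy` class, the user URN and the domain names are assumptions made for illustration.

```python
from dataclasses import dataclass

# Subset of this page's Role Privileges matrix, transcribed by hand.
READER = frozenset({"View Entity Page", "View Dataset Usage", "View Dataset Profile"})
EDITOR = READER | {"Edit Entity Tags", "Edit Entity Owners", "Edit Entity Docs",
                   "Manage Domains", "Manage Tags", "Generate Personal Access Tokens"}
ADMIN = EDITOR | {"Manage Policies", "Manage Secrets", "Manage Users and Groups"}
ROLES = {"Reader": READER, "Editor": EDITOR, "Admin": ADMIN}  # least to most privileged


@dataclass(frozen=True)
class AddOnPolicy:
    """Hypothetical model of an extra policy: privileges for one actor in some domains."""
    actor: str
    privileges: frozenset
    domains: frozenset


def is_allowed(actor, role, policies, privilege, domain):
    """Role grants apply to every domain; add-on policies only ever add grants."""
    if role is not None and privilege in ROLES[role]:
        return True
    return any(p.actor == actor and privilege in p.privileges and domain in p.domains
               for p in policies)


def compare_plans(needed):
    """Compare the smallest covering Role with 'Reader plus add-on policy'."""
    needed = frozenset(needed)
    if not needed <= ADMIN:
        raise ValueError(f"not in the matrix: {sorted(needed - ADMIN)}")
    covering = next(name for name, privs in ROLES.items() if needed <= privs)
    return {
        "covering_role": covering,
        "covering_role_excess": sorted(ROLES[covering] - needed),
        "policy_must_grant": sorted(needed - READER),
        "reader_plan_excess": sorted(READER - needed),
    }


if __name__ == "__main__":
    # Constructed scenario: alice reads everything but tags only in "marketing".
    alice = "urn:li:corpuser:alice"
    policy = AddOnPolicy(alice, frozenset({"Edit Entity Tags"}), frozenset({"marketing"}))
    print(compare_plans({"View Entity Page", "Edit Entity Tags"}))
    for domain in ("marketing", "finance"):
        print(domain, is_allowed(alice, "Reader", [policy], "Edit Entity Tags", domain))
```

In the constructed scenario, choosing Editor to cover a single tagging need also hands out token generation and domain management everywhere, while the Reader plan confines the extra grant to one domain.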

Role Privileges

Self-Hosted DataHub and Managed DataHub

These privileges are common to both Self-Hosted DataHub and Managed DataHub.

Platform Privileges

| Privilege | Admin | Editor | Reader |
|---|---|---|---|
| Generate Personal Access Tokens | ✔️ | ✔️ | |
| Manage Domains | ✔️ | ✔️ | |
| Manage Glossaries | ✔️ | ✔️ | |
| Manage Tags | ✔️ | ✔️ | |
| Manage Policies | ✔️ | | |
| Manage Ingestion | ✔️ | | |
| Manage Secrets | ✔️ | | |
| Manage Users and Groups | ✔️ | | |
| Manage Access Tokens | ✔️ | | |
| Manage User Credentials | ✔️ | | |
| View Analytics | ✔️ | | |

Metadata Privileges

| Privilege | Admin | Editor | Reader |
|---|---|---|---|
| View Entity Page | ✔️ | ✔️ | ✔️ |
| View Dataset Usage | ✔️ | ✔️ | ✔️ |
| View Dataset Profile | ✔️ | ✔️ | ✔️ |
| Edit Entity | ✔️ | ✔️ | |
| Edit Entity Tags | ✔️ | ✔️ | |
| Edit Entity Glossary Terms | ✔️ | ✔️ | |
| Edit Entity Owners | ✔️ | ✔️ | |
| Edit Entity Docs | ✔️ | ✔️ | |
| Edit Entity Doc Links | ✔️ | ✔️ | |
| Edit Entity Status | ✔️ | ✔️ | |
| Edit Entity Assertions | ✔️ | ✔️ | |
| Manage Entity Tags | ✔️ | ✔️ | |
| Manage Entity Glossary Terms | ✔️ | ✔️ | |
| Edit Dataset Column Tags | ✔️ | ✔️ | |
| Edit Dataset Column Glossary Terms | ✔️ | ✔️ | |
| Edit Dataset Column Descriptions | ✔️ | ✔️ | |
| Manage Dataset Column Tags | ✔️ | ✔️ | |
| Manage Dataset Column Glossary Terms | ✔️ | ✔️ | |
| Edit Tag Color | ✔️ | ✔️ | |
| Edit User Profile | ✔️ | ✔️ | |
| Edit Contact Info | ✔️ | ✔️ | |

Managed DataHub

These privileges are only relevant to Managed DataHub.

Platform Privileges

| Privilege | Admin | Editor | Reader |
|---|---|---|---|
| Create Constraints | ✔️ | ✔️ | |
| View Metadata Proposals | ✔️ | ✔️ | |
| Manage Tests | ✔️ | | |
| Manage Global Settings | ✔️ | | |

Metadata Privileges

| Privilege | Admin | Editor | Reader |
|---|---|---|---|
| Propose Entity Tags | ✔️ | ✔️ | ✔️ |
| Propose Entity Glossary Terms | ✔️ | ✔️ | ✔️ |
| Propose Dataset Column Tags | ✔️ | ✔️ | ✔️ |
| Propose Dataset Column Glossary Terms | ✔️ | ✔️ | ✔️ |
| Edit Entity Operations | ✔️ | ✔️ | |

Additional Resources

GraphQL

FAQ and Troubleshooting

What updates are planned for Roles?

In the future, the DataHub team is looking into adding the following features to Roles.

  • Defining a role mapping from OIDC identity providers to DataHub that will grant users a DataHub role based on their IdP role
  • Allowing Admins to set a default role on DataHub so all users are assigned a role
  • Building custom roles