How can you use DataHub to manage and control user access to metadata

‘How do I control access to metadata?’ is a common question among data practitioners.

Metadata Access Control in DataHub: All you Need to Know

When it comes to Role Based Access Control (RBAC) and Attribute Based Access Control(ABAC), DataHub has the answers.

Read on to learn how you can use DataHub to implement access controls that regulate and control how your organization’s users view and edit metadata.

Who, What, and How: Access Control in DataHub

Access control is a way for you to regulate your end users’ access to your metadata so you can manage and control who can access what data and how. In this article, we show you how DataHub’s access control policy lets you control how your organization’s users view and edit metadata — based on entity, domain, or platform type.

Why you need Metadata Access Controls

‘How do I control access to our organization’s metadata?’ is one of the most common questions we’ve heard from data practitioners and DataHub users.

And it’s easy to see why — there are so many reasons to regulate and limit how users access and edit your metadata entities and domains.

For example, you could want

Dataset Owners to edit documentation, but not tags
Data Stewards to edit tags, but no other metadata
Data Analysts to edit links for data pipelines they consume
Data Platform teams to manage users, groups, and policies, and view analytics

…and so on.

Access Control using DataHub

Permissions management under DataHub Settings

DataHub allows you to declare fine-grained access control policies via its UI (under “Settings-> Permissions”) as well as the GraphQL API.

DataHub currently supports access control via

Platform Policies (determine who has platform-level privileges)
Metadata Policies (control how users interact with metadata entities)

DataHub’s Access Control using Platform Policies

Platform policies serve to assign specific privileges to DataHub users and groups. For example, they can help you define

Who can edit dataset documentation and links
Who can add Owners to a Chart?
Who can add Tags to a Dashboard, etc.
Based on platform-level privileges, these help you determine who can
Manage users & groups
View the DataHub Analytics page
Manage the policies themselves
Platform policies can be looked at through
Actors: Users or groups to whom the policy applies
Privileges: The privileges assigned to the Actors (e.g. “View Analytics”)

Here is a quick look at the platform privileges DataHub offers for access control

It’s important to note that platform policies don’t have a target resource that they control.

DataHub’s Access Control using Metadata Policies

A Metadata Policy can be looked at through

Actors (WHO)

Determines the specific users or groups to whom the policy applies.

DataHub currently supports three ways to define the set of actors the policy applies to

a list of users
a list of groups, and
owners of the entity.

Privileges (WHAT)

Determines the actions permitted by a policy, e.g. “Add Tags”

This enables DataHub operators to access and manage the administrative functions of the system.

Resources (WHICH)

Outlines the resources that the policy applies to, e.g. “All Datasets”.

A Resource Filter defines a list of criteria that determines the set of resources to which the policy applies. (Note, that if there are no criteria or a resource is not set, the policy is applied to ALL resources.)

Each criterion defines a:

field type (like resource_type, resource_urn, domain),
a list of field values to compare, and
a condition that checks whether the field of a certain resource matches any of the input values.

How can you use DataHub’s Access Control Policies?

We hope this helps explains how DataHub gives you a simple and effective way to control who accesses your metadata and how.

To know more about how you can implement access control in DataHub using platform and metadata policies, check out our detailed guide: Policies Guide for Access Control in DataHub