Groups Management - Overview
Control who can access assets in your organization by implementing Group-Based Access Control.
Last updated
Control who can access assets in your organization by implementing Group-Based Access Control.
Last updated
Effective 12 June 2023, access to features within your decube workspace will be governed by permissions that are assigned to Users based on the Groups they are added to. This doc explains how the Group-based Access Control (GBAC) works in decube.
Here are some definitions that will help with navigating the next sections of GBAC.
Users refer to individual accounts added to the platform.
Groups refer to a collection of users. A group may have policies attached to them that gives the same policies to each user within the group.
Permissions are “access rules” within the app such as “view A only” or “can edit B”.
Resources refer to data sources (Snowflake, BQ) or modules (Business Glossary).
Policies refer to permissions that are associated with resources; eg. Edit access for asset description in Snowflake.
Let's say you are the Owner for your organization, and you want to limit access for the following team members who will be added to your decube account:
Data Engineer: Able to set up monitoring and close incidents for all sources.
Data Analyst: Able to access tables from Redshift without but with read-only access.
Marketing Analyst: Able to access Business Glossary, submit change requests.
Administrator: Able to invite and revoke access, see plans & billings, and manage group and policies.
With GBAC, you can now create a Group for each use case that you need.
For (1), you can create a Data Engineer group and give access via Source-based policies and assign Edit, Create and Delete for Monitor and Table Configuration policy for all sources.
For (2), you can create a Data Analyst group and give access via Source-based policies assign Read-only for Redshift. They will be unable to make changes, nor create monitors.
For (3), you can create a Marketing group and assign Module-based policies for Business Glossary. Here you can select Edit, Create and Delete access for Glossaries, Categories and Terms.
For (4), you can create an Administrator group and assign Administrative-based policies for managing user access, view Plans & Billings page and manage groups & policies.
This is how powerful decube's GBAC is. Customize user access for all your users based on each use case, so you can strict control over who can access sensitive information in your decube organization.
If you're an existing customer who has had their account before 12 June 2023, you have been migrated to our new system seamlessly. Pre-GBAC decube had the concept of "Roles", which were Admins and Members. After GBAC is introduced, the following was done by our team:
Users with Admin role were moved into the Owners group. Read more about Owners here.
Users with Member role were moved into the Members (Legacy) group.
If you were in either role before the launch of GBAC, your experience that you are familiar with pre-launch will be retained.
Owners have all the required permissions, such as to add data sources, invite others into the organization and access any data asset.
Members (Legacy) has all the required permissions to access data sources added pre-launch.