Decube
Try for free
  • πŸš€Overview
    • Welcome to decube
    • Getting started
      • How to connect data sources
    • Security and Compliance
    • Data Policy
    • Changelog
    • Public Roadmap
  • Support
  • πŸ”ŒData Warehouses
    • Snowflake
    • Redshift
    • Google Bigquery
    • Databricks
    • Azure Synapse
  • πŸ”ŒRelational Databases
    • PostgreSQL
    • MySQL
    • SingleStore
    • Microsoft SQL Server
    • Oracle
  • πŸ”ŒTransformation Tools
    • dbt (Cloud Version)
    • dbt Core
    • Fivetran
    • Airflow
    • AWS Glue
    • Azure Data Factory
    • Apache Spark
      • Apache Spark in Azure Synapse
    • OpenLineage (BETA)
    • Additional configurations
  • πŸ”ŒBusiness Intelligence
    • Tableau
    • Looker
    • PowerBI
  • πŸ”ŒData Lake
    • AWS S3
    • Azure Data Lake Storage (ADLS)
      • Azure Function for Metadata
    • Google Cloud Storage (GCS)
  • πŸ”ŒTicketing and Collaboration
    • ServiceNow
    • Jira
  • πŸ”’Security and Connectivity
    • Enabling VPC Access
    • IP Whitelisting
    • SSH Tunneling
    • AWS Identities
  • βœ…Data Quality
    • Incidents Overview
    • Incident model feedback
    • Enable asset monitoring
    • Available Monitor Types
    • Available Monitor Modes
    • Catalog: Add/Modify Monitor
    • Set Up Freshness & Volume Monitors
    • Set Up Field Health Monitors
    • Set Up Custom SQL Monitors
    • Grouped-by Monitors
    • Modify Schema Drift Monitors
    • Modify Job Failure Monitors (Data Job)
    • Custom Scheduling For Monitors
    • Config Settings
  • πŸ“–Catalog
    • Overview of Asset Types
    • Assets Catalog
    • Asset Overview
    • Automated Lineage
      • Lineage Relationship
      • Supported Data Sources and Lineage Types
    • Add lineage relationships manually
    • Add tags and classifications to fields
    • Field Statistcs
    • Preview sample data
  • πŸ“šGlossary
    • Glossary, Category and Terms
    • Adding a new glossary
    • Adding Terms and Linked Assets
  • Moving Terms to Glossary/Category
  • AI Copilot
    • Copilot's Autocomplete
  • 🀝Collaboration
    • Ask Questions
    • Rate an asset
  • 🌐Data Mesh [BETA]
    • Overview on Data Mesh [BETA]
    • Creating and Managing Domains/Sub-domains
    • Adding members to Domain/Sub-domain
    • Linking Entities to Domains/Sub-domains
    • Adding Data Products to Domains/Subdomains
    • Creating a draft Data Asset
    • Adding a Data Contract - Default Settings
    • Adding a Data Contract - Freshness Test
    • Adding a Data Contract - Column Tests
    • Publishing the Data Asset
  • πŸ›οΈGovernance
    • Governance module
    • Classification Policies
    • Auto-classify data assets
  • β˜‘οΈApproval Workflow
    • What are Change Requests?
    • Initiate a change request
    • What are Access Requests?
    • Initiate an Access Request
  • πŸ“‹Reports
    • Overview of Reports
    • Supported sources for Reports
    • Asset Report: Data Quality Scorecard
  • πŸ“ŠDashboard
    • Dashboard Overview
    • Incidents
    • Quality
  • ⏰Alert Notifications
    • Get alerts on email
    • Connect your Slack channels
    • Connect to Microsoft Teams
    • Webhooks integration
  • πŸ›οΈManage Access
    • User Management - Overview
    • Invite users
    • Deactivate or re-activate users
    • Revoke a user invite
  • πŸ”Group-based Access Controls
    • Groups Management - Overview
    • Create Groups & Assign Policies
    • Source-based Policies
    • Administrative-based Policies
    • Module-based Policies
    • What is the "Owners" group?
  • πŸ—„οΈOrg Settings
    • Multi-factor authentication
    • Single Sign-On (SSO) with Microsoft
    • Single Sign-On (SSO) with JumpCloud
  • ❓Support
    • Supported Features by Integration
    • Frequently Asked Questions
    • Supported Browsers and System Requirements
  • Public API (BETA)
    • Overview
      • Data API
        • Glossary
        • Lineage
        • ACL
          • Group
      • Control API
        • Users
    • API Keys
Powered by GitBook
On this page
  • Definitions
  • How it works
  • Transition from pre-GBAC to GBAC
  1. Group-based Access Controls

Groups Management - Overview

Control who can access assets in your organization by implementing Group-Based Access Control.

PreviousRevoke a user inviteNextCreate Groups & Assign Policies

Last updated 1 month ago

Effective 12 June 2023, access to features within your decube workspace will be governed by permissions that are assigned to Users based on the Groups they are added to. This doc explains how the Group-based Access Control (GBAC) works in decube.

Definitions

Here are some definitions that will help with navigating the next sections of GBAC.

  • Users refer to individual accounts added to the platform.

  • Groups refer to a collection of users. A group may have policies attached to them that gives the same policies to each user within the group.

  • Permissions are β€œaccess rules” within the app such as β€œview A only” or β€œcan edit B”.

  • Resources refer to data sources (Snowflake, BQ) or modules (Business Glossary).

  • Policies refer to permissions that are associated with resources; eg. Edit access for asset description in Snowflake.

How it works

Let's say you are the Owner for your organization, and you want to limit access for the following team members who will be added to your decube account:

  1. Data Engineer: Able to set up monitoring and close incidents for all sources.

  2. Data Analyst: Able to access tables from Redshift without but with read-only access.

  3. Marketing Analyst: Able to access Business Glossary, submit change requests.

  4. Administrator: Able to invite and revoke access, see plans & billings, and manage group and policies.

With GBAC, you can now create a Group for each use case that you need.

  • For (2), you can create a Data Analyst group and give access via Source-based policies assign Read-only for Redshift. They will be unable to make changes, nor create monitors.

This is how powerful decube's GBAC is. Customize user access for all your users based on each use case, so you can strict control over who can access sensitive information in your decube organization.

Transition from pre-GBAC to GBAC

If you're an existing customer who has had their account before 12 June 2023, you have been migrated to our new system seamlessly. Pre-GBAC decube had the concept of "Roles", which were Admins and Members. After GBAC is introduced, the following was done by our team:

  • Users with Member role were moved into the Members (Legacy) group.

If you were in either role before the launch of GBAC, your experience that you are familiar with pre-launch will be retained.

  • Owners have all the required permissions, such as to add data sources, invite others into the organization and access any data asset.

  • Members (Legacy) has all the required permissions to access data sources added pre-launch.

For (1), you can create a Data Engineer group and give access via and assign Edit, Create and Delete for Monitor and Table Configuration policy for all sources.

For (3), you can create a Marketing group and assign for Business Glossary. Here you can select Edit, Create and Delete access for Glossaries, Categories and Terms.

For (4), you can create an Administrator group and assign for managing user access, view Plans & Billings page and manage groups & policies.

Users with Admin role were moved into the Owners group.

πŸ”
Source-based policies
Module-based policies
Administrative-based policies
Read more about Owners here.
Here's how the Group-based Access Controls work.