Manage Data Sources Permissions
Permissions for Data Sources define who can view, add, and utilize Data Sources in your GoodData deployment.
Available Permissions for Data Sources
USE
- With the
USE
permission, users can see the identifiers associated with data sources but not access the actual data sources. This approach helps protect sensitive details about the data source databases from being disclosed.
See the Data Source Identifier section for more information.
MANAGE
- Enables users to modify the data source, including its schema and connection credentials.
How to Set Permissions for Data Sources
Permissions for Data Sources can be configured via the /API/v1/layout/dataSources
or /API/v1/layout/organization
declarative API endpoints. To modify the dataSource
or organization
layouts, you must have the Organization.MANAGE
permission.
Steps:
Follow these steps to update your data source permissions through an API call:
Fetch the Current Data Source Layout
Execute the following API call to retrieve the current
json
definition of your data source layout:curl -H "Authorization: Bearer $API_TOKEN" \ -H "Content-Type: application/json" \ -X GET \ $HOST_URL/api/v1/layout/dataSources
Modify the Permissions in the JSON File
In the returned data source layout
json
file, locate and update thepermissions
section as needed:{ "dataSources": [ { ..., "permissions": [ { "assignee": { "id": "<user_id_or_user_group_id>", "type": "<user_or_userGroup>" }, "name": "<MANAGE_or_USE>" } ], ... } ] }
Update the Data Source Layout
Update the data source layout with your modified
json
file using the following API call:curl -H "Authorization: Bearer $API_TOKEN" \ -H "Content-Type: application/json" \ -X PUT \ $HOST_URL/api/v1/layout/dataSources -d @<your_updated_data_source_layout>.json
Permissions JSON Structure
Object
The object (
dataSources
in the example above) contains the permissions definition, establishing the relationship between the object, its permissions, and the assignees.Permissions Definition
The type of permissions you want to assign to users. Keep it as
permissions
if you are assigning data source permissions, but in case of workspaces, you can also use thehierarchyPermissions
definition. See the Manage Workspace Permissions section for details.Assignee
An assignee refers to either a
user
or auser group
, identified by theirid
and specified bytype
within the permissions setup.Name
The permission name (e.g.
MANAGE
) within this structure dictates the level of access, mapping to specific actions that are otherwise restricted. The impact of these permissions extends across the hierarchy, affecting related object actions as detailed in the Available Permissions for Data Sources section.
Example
In a practical deployment scenario, the permissions definition for a data source object might look like this:
{
"dataSources": [
{
...,
"permissions": [
{
"assignee": {
"id": "admins",
"type": "userGroup"
},
"name": "MANAGE"
},
{
"assignee": {
"id": "john_smith",
"type": "user"
},
"name": "USE"
}
],
...
}
]
}
In this scenario, two types of permissions are defined:
- Everyone who is part of the
admins
user group is allowed to view and alter data sources. - The user
john_smith
is only allowed to list data source identifiers.
Data Source Identifiers
The USE
permission gives the user access to data source identifiers, not the data sources themselves. This is to prevent exposing sensitive information about the data source database itself to the user.
See the Data Source Identifier section for more information.