Not Authorized error only when using SQL or Python recipes

Niyazi Registered Posts: 12 ✭✭✭✭
edited July 16 in Using Dataiku


We use plugin with code to generate virtual datasets for different user groups with specific attributes from a source table.

We create through code datasets that are linked to a view in a database. Furthermore, we specifically create them on a connection that will be used by end-user. All grants on database side is granted.

When the resulting dataset is shared to another project, end-users can open it, use it in visual recipes and so on, but when creating SQL recipe or Python, it will say "Not authorized, action on the dataset is forbidden".

However, if you do actually write some SQL, it will work no problem.

# Managing schema and output dataset's settings
project = client.get_default_project()
input_dataset = project.get_dataset(inp_ds_name)
output_dataset = project.get_dataset(out_ds_name)

# Listing connections where new objects will be imported                
connections = {
    "sa": "connection_name"

# Creating virual dataset objects as the output of the plugin
# Note: it effectively changes the settings of the output dataset as defined in initial plugin page
inp_schema = input_dataset.get_schema()
if '*' not in columns:
    out_schema = {'columns': [x for x in inp_schema['columns'] if x['name'] in columns],
                  'userModified': True}
    out_schema = inp_schema
settings = output_dataset.get_settings()
settings.set_table(connection=connections.get(sa, 'default'), schema="source", table=output_view_name.replace('"',''))
settings.tags = [f'Producer: {producer}', f'Consumer: {sa}', f'UseCase: {usecase_number}']
settings.short_description = "This is an input dataset for your project - you can use it in all recipes. DO NOT SYNC!"
settings.description = f"""This dataset was provided in accordance with this Use Case: {trello_url}"""

The resulting dataset is a virtual DSS object linked to a view in a schema. Connection of the end-user do not have permissions on the schema, but do have SELECT access to that specific underlying view in that schema. Dataset can be opened and used in Visual recipes and can be used in Code recipes as well, however, in code recipes there is this error constantly present - it also disallows users to click on column names to add them to the query.

Note that user group has "execute code" permissions and the code itself in the recipes run fine, but error message persists and makes for bad user experience.

Please advise on how we can maybe change the code or the process to make these virtual datasets in a way that is fully transparent to users, so that they can use that dataset as they would any other one they have permissions on?

Best Answer


  • Niyazi
    Niyazi Registered Posts: 12 ✭✭✭✭

    The issue gets resolved if I were to give "read project content" permission on the source project. However, I would prefer to avoid giving it to everyone, as it allows for users to read all the datasets within it, not just those shared to their projects.

    Backend logs do not show any additional information, just that there is a permission issue

  • Niyazi
    Niyazi Registered Posts: 12 ✭✭✭✭

    And another thing to note. If an end-user were to "import from connection" that very same dataset, everything works perfectly.

    However, for us it is not acceptable, because it makes both automation and control much harder.

    We need to specifically share datasets from a closed-off project, but do it in such a way, that end users would have no issues with working on that dataset without unnecessary privileges.

    Any suggestions?

  • Niyazi
    Niyazi Registered Posts: 12 ✭✭✭✭

    Thank you! We will upgrade and test it out.

Setup Info
      Help me…