Dataiku Groups vs User Profiles
When granting access to a User, which permission level supersedes the other, the Group or the User Profile? For example, if someone is added to a group that has the ability to only read a dashboard but their User Profile is a Data Scientist, which has all permissions, would they then be able to create datasets in a project despite the group only having the read dashboard ability?
Answers
-
Turribeach Dataiku DSS Core Designer, Neuron, Dataiku DSS Adv Designer, Registered, Neuron 2023 Posts: 2,116 Neuron
Permissions are additive, which means you will get a combination of all the granted permissions and the highest permission level will take precedence over others.
-
Thanks for the info!
-
Turribeach Dataiku DSS Core Designer, Neuron, Dataiku DSS Adv Designer, Registered, Neuron 2023 Posts: 2,116 Neuron
Also, you are mixing two things here: user/group permissions and profiles. User/group permissions define what you can do at object level. Profiles define the functionality you can use at instance level.
To edit a project recipe, for instance, you will need either write permissions as user or group granted to you and a User Profile of Data Scientist.
-
Are you able to explain a little more the difference between the object level and instance level?
-
Turribeach Dataiku DSS Core Designer, Neuron, Dataiku DSS Adv Designer, Registered, Neuron 2023 Posts: 2,116 Neuron
You grant users/groups access to folders, projects, code environments, etc. Those are objects in your DSS server. The User profile is granted at the instance level so it gives the user the functional permissions to perform actions according to the profile. Profiles exist so you can have different types of licenses.
-
One should normally use group level permissions to implement access to various resources or capabilities. Group permissions are of two types: global and per-resource. I think of global group permissions as permissions that are given to classes of objects/resources. For example, there are global group permissions for projects, which apply to all resources of type project (e.g. create projects). You could argue that these permissions are related to a class of resources (projects); however, you could also argue that these are permissions related to a function inside the instance. The per-resource group permissions are for specific instances of a certain class of resources. Assuming that there are 10 projects available, it should be possible to configure permissions for each individual project instance. On top of the group permissions, there are the user profiles, which are generic/instance-level permissions, which impact what a user can or cannot do for each resource/object. Dataiku documentation says that these are purely for licensing; however, in my opinion they must also be considered when you design the permissions model in your organization because they directly impact what users can/cannot do. Conceptually, they overlap with global group permissions, and this is where I find it confusing.
-
Turribeach Dataiku DSS Core Designer, Neuron, Dataiku DSS Adv Designer, Registered, Neuron 2023 Posts: 2,116 Neuron
Maybe this will help to clarify things. Profiles determine WHAT you can do in Dataiku. Groups determine WHERE you can do it.
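The rule described in this thread (group grants are additive, and an action needs both a group grant on the object and a profile that allows it) can be sketched as a small model for reviewing who can actually write to a project. This is an added example, not part of the original posts and not Dataiku code; the permission labels, group names, project key and the capabilities assigned to each profile are assumptions made for illustration.

```python
# Simplified model of the rule described in this thread (not Dataiku code).
# Permission and capability names are illustrative labels, not DSS identifiers.

# Instance level: what a profile allows a user to do at all (the WHAT).
PROFILE_CAPABILITIES = {
    "Data Scientist": {"read_dashboards", "read_content", "write_content"},
    "Reader": {"read_dashboards", "read_content"},  # assumed read-only profile
}

# Object level: per-project grants held by each group (the WHERE). Constructed data.
GROUP_GRANTS = {
    "dashboard_viewers": {"PROJ_A": {"read_dashboards"}},
    "proj_a_editors": {"PROJ_A": {"read_content", "write_content"}},
}


def granted_on_project(groups, project):
    """Union of grants from all of the user's groups: permissions are additive."""
    granted = set()
    for group in groups:
        granted |= GROUP_GRANTS.get(group, {}).get(project, set())
    return granted


def effective_permissions(profile, groups, project):
    """An action is possible only if the profile allows it AND a group grants it."""
    allowed_by_profile = PROFILE_CAPABILITIES.get(profile, set())
    return allowed_by_profile & granted_on_project(groups, project)


def can(profile, groups, project, action):
    """True when the action survives both the profile and the group checks."""
    return action in effective_permissions(profile, groups, project)


if __name__ == "__main__":
    cases = [
        ("Data Scientist", ["dashboard_viewers"]),                    # the question's case
        ("Data Scientist", ["dashboard_viewers", "proj_a_editors"]),  # additive grants
        ("Reader", ["proj_a_editors"]),                               # profile is the limit
    ]
    for profile, groups in cases:
        perms = sorted(effective_permissions(profile, groups, "PROJ_A"))
        print(f"{profile:15} {groups} -> {perms}")
```

The first case is the one asked about in the question: under this model a Data Scientist profile does not widen a read-dashboards-only group grant.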