Dataiku Groups vs User Profiles

eshcaller517
Level 1
Dataiku Groups vs User Profiles

When granting access to a User, which permission level supersedes the other, the Group or the User Profile? For example if someone is added to a group that has the ability to only read a dashboard but their User Profile is a Data Scientist, which has all permissions, would they then be able to create datasets in a project despite the group only having the read dashboard ability? 

0 Kudos
7 Replies
Turribeach

Permissions are additive, which means you will get a combination of all the granted permissions and the highest permission level will take precedence over others.

eshcaller517
Level 1
Author

thanks for the info!

0 Kudos
Turribeach

Also you are mixing two things here: user/group permissions and profiles. User/group permissions define what you can do at object level. Profiles define the functionality you can use at instance level. 

To edit a project recipe for instance you will need either write permissions as user or group granted to you and User Profile of Data Scientist. 

0 Kudos
eshcaller517
Level 1
Author

are you able to explain a little more the difference between the object level and instance level?

0 Kudos
Turribeach

You grant users/groups access to folders, projects, code environments, etc. Those are objects in your DSS server. The User profile is granted at the instance level so it gives the user the functional permissions to perform actions according to the profile. Profiles exist so you can have different types of licenses. 

0 Kudos
cmcaba
Level 1

One should normally use group level permissions to implement access to various resources or capabilities. Group permissions are of two types: global and per-resource. I think of global group permissions as permissions that are given to classes of objects/resources. For example there are global group permissions for projects, which apply to all resources of type project (e.g. create projects). You could argue that these permissions are related to a class of resources (projects), however you could also argue that these are permissions related to a function inside the instance. The per-resource group permissions are for specific instances of a certain class of resources. Assuming that there are 10 projects available, it should be possible to configure permissions for each individual project instance. On top of the group permissions, there are the user profiles, which are generic/instance-level permissions, which impact what a user can or cannot do for each resource/object. Dataiku documentation says that these are purely for licensing, however in my opinion they must as well be considered when you design the permissions model in your organization because they directly impact what users can/cannot do. Conceptually, they overlap with global group permissions, and this is where I find it confusing. 

0 Kudos
Turribeach

May be this will help to clarify things. Profiles determine WHAT can you do in Dataiku. Groups determine WHERE you can do it. 

0 Kudos