Sign up to take part
Registered users can ask their own questions, contribute to discussions, and be part of the Community!
When granting access to a User, which permission level supersedes the other, the Group or the User Profile? For example if someone is added to a group that has the ability to only read a dashboard but their User Profile is a Data Scientist, which has all permissions, would they then be able to create datasets in a project despite the group only having the read dashboard ability?
Also you are mixing two things here: user/group permissions and profiles. User/group permissions define what you can do at object level. Profiles define the functionality you can use at instance level.
To edit a project recipe for instance you will need either write permissions as user or group granted to you and User Profile of Data Scientist.
You grant users/groups access to folders, projects, code environments, etc. Those are objects in your DSS server. The User profile is granted at the instance level so it gives the user the functional permissions to perform actions according to the profile. Profiles exist so you can have different types of licenses.
One should normally use group level permissions to implement access to various resources or capabilities. Group permissions are of two types: global and per-resource. I think of global group permissions as permissions that are given to classes of objects/resources. For example there are global group permissions for projects, which apply to all resources of type project (e.g. create projects). You could argue that these permissions are related to a class of resources (projects), however you could also argue that these are permissions related to a function inside the instance. The per-resource group permissions are for specific instances of a certain class of resources. Assuming that there are 10 projects available, it should be possible to configure permissions for each individual project instance. On top of the group permissions, there are the user profiles, which are generic/instance-level permissions, which impact what a user can or cannot do for each resource/object. Dataiku documentation says that these are purely for licensing, however in my opinion they must as well be considered when you design the permissions model in your organization because they directly impact what users can/cannot do. Conceptually, they overlap with global group permissions, and this is where I find it confusing.