This website uses cookies. By clicking OK, you consent to the use of cookies. Read our cookie policy.
Accept
Reject
Community
Survey banner
Share your feedback on the Dataiku documentation with this 5 min survey. Thanks! TAKE THE SURVEY

Separation of Roles: Developers and Deployers

Solved!
Naunghton
Level 2
โ€Ž08-15-2022 05:17 AM
Separation of Roles: Developers and Deployers

Hi all, 

A question in regards to groups and access control in Dataiku DSS. So we are on Version 10 and I am looking to incorporate a layer of Governance as a short term solution that will allow me to allow Developers (Data Team) to develop bundles and publish them to the Deployer Node and another (Approver) which is allowed to deploy these bundles to different Automation Nodes. My goal is then that once a development team is happy with their changes, they can get it approved by an approver who then deploys it on their behalf. The reason for this is we want a stop gate to ensure that changes do not get promoted without approval.

I can see that I can restrict/Allocate Infrastructure to a group and that Admins are able to deploy on someone else's behalf. My question is, is there a security configuration that I can create to enable a user in a "Approver" role to deploy other people's bundles without just making them an "Admin".

Let me know what you think as the only way I have seen is by making the "Approver" an Admin or by making them the one who has to build the Bundle. 

0 Kudos
Reply
1 Solution
fsergot
Dataiker
โ€Ž08-30-2022 05:48 PM

Hello @Naunghton ,

Natively, in Project Deployer, there are various level of security settings that would allow you to do what you are looking for.

In order to deploy a project, there are 3 potentially usable rights that needs to intersect:

1. The user must have the right 'Deploy' on the Infrastructure he/she wants to deploy toScreenshot 2022-08-30 at 17.33.33.png2. The user must have the right Deploy on the projectScreenshot 2022-08-30 at 17.35.51.png

3. The user must exist and have sufficient rights on the Automation node.

 

In your case, option 1 could be put at use by granting only the right 'Deploy' on the infrastructure the group 'approver' and not to 'developer' (who will only have the 'View' rights).

Developers will still need to add the approver groups/people to the project settings otherwise, they won't be able to deploy (this is something we will to simplify in a future release by propagating rights from the Design project)

 

Govern in version 11 add the notion of 'pure' Approver for bundle, meaning one or several persons or groups that will need to give their go before anyone can deploy this bundle. This is stronger than the solution presented here and does not require specific rights in Project Deployer Infrastructure or project so is easier to implement. You can check more on documentation: Governance ยป Sign-off Scenario 

View solution in original post

0 Kudos
Reply
5 Replies
Naunghton
Level 2
Author
โ€Ž08-15-2022 06:01 AM

Also, if this is something that can be controlled in version 11 then it would be amazing as well to know this. 

0 Kudos
Reply
fsergot
Dataiker
โ€Ž08-30-2022 05:48 PM

Hello @Naunghton ,

Natively, in Project Deployer, there are various level of security settings that would allow you to do what you are looking for.

In order to deploy a project, there are 3 potentially usable rights that needs to intersect:

1. The user must have the right 'Deploy' on the Infrastructure he/she wants to deploy toScreenshot 2022-08-30 at 17.33.33.png2. The user must have the right Deploy on the projectScreenshot 2022-08-30 at 17.35.51.png

3. The user must exist and have sufficient rights on the Automation node.

 

In your case, option 1 could be put at use by granting only the right 'Deploy' on the infrastructure the group 'approver' and not to 'developer' (who will only have the 'View' rights).

Developers will still need to add the approver groups/people to the project settings otherwise, they won't be able to deploy (this is something we will to simplify in a future release by propagating rights from the Design project)

 

Govern in version 11 add the notion of 'pure' Approver for bundle, meaning one or several persons or groups that will need to give their go before anyone can deploy this bundle. This is stronger than the solution presented here and does not require specific rights in Project Deployer Infrastructure or project so is easier to implement. You can check more on documentation: Governance ยป Sign-off Scenario 

0 Kudos
Reply
Naunghton
Level 2
Author
โ€Ž08-31-2022 12:57 AM

Hi @fsergot,

Thanks for this! What version of Dataiku are you running on to get these options for separating who can deploy a project?

From my view (Version 10.0.2) we are only able to see the following permissions and I have found that only by giving a group admin over a project will give them the permissions needed to deploy.

Let me know what you think! 

Screen Shot 2022-08-31 at 8.54.02 am.png

0 Kudos
Reply
Naunghton
Level 2
Author
In response to Naunghton
โ€Ž08-31-2022 12:59 AM

Or is it the case that we should deploy bundle to deployer, then assign the "approver group" permissions to deploy that project specifically and then the approver would be able to deploy to the infrastructure that they have permissions to?

0 Kudos
Reply
fsergot
Dataiker
In response to Naunghton
โ€Ž08-31-2022 09:27 AM

Indeed, those are rights that are in Project Deployer, not in the original project.

0 Kudos
Reply

Setup info

?
A banner prompting to get Dataiku
Didn't Find What You Needed?

Post a Question

Help me โ€ฆ
โ€ฆ ask a question โ€ฆ search for an answer โ€ฆ learn to use the Community