
Separation of Roles: Developers and Deployers

Naunghton
Level 2

Hi all, 

A question regarding groups and access control in Dataiku DSS. So we are on Version 10 and I am looking to incorporate a layer of Governance as a short-term solution that will allow me to allow Developers (Data Team) to develop bundles and publish them to the Deployer Node and another (Approver) which is allowed to deploy these bundles to different Automation Nodes. My goal is then that once a development team is happy with their changes, they can get it approved by an approver who then deploys it on their behalf. The reason for this is we want a stop gate to ensure that changes do not get promoted without approval.

I can see that I can restrict/allocate Infrastructure to a group and that Admins are able to deploy on someone else's behalf. My question is, is there a security configuration that I can create to enable a user in an "Approver" role to deploy other people's bundles without just making them an "Admin"?

Let me know what you think as the only way I have seen is by making the "Approver" an Admin or by making them the one who has to build the Bundle. 

fsergot
Dataiker

Hello @Naunghton ,

Natively, in Project Deployer, there are various levels of security settings that would allow you to do what you are looking for.

In order to deploy a project, there are 3 potentially usable rights that need to intersect:

1. The user must have the right 'Deploy' on the Infrastructure he/she wants to deploy to.

2. The user must have the right 'Deploy' on the project.

3. The user must exist and have sufficient rights on the Automation node.

In your case, option 1 could be put to use by granting the right 'Deploy' on the infrastructure only to the group 'approver' and not to 'developer' (who will only have the 'View' rights).

Developers will still need to add the approver groups/people to the project settings; otherwise, they won't be able to deploy (this is something we will simplify in a future release by propagating rights from the Design project).

Govern in version 11 adds the notion of a 'pure' Approver for a bundle, meaning one or several persons or groups that will need to give their go before anyone can deploy this bundle. This is stronger than the solution presented here and does not require specific rights in the Project Deployer infrastructure or project, so it is easier to implement. You can read more in the documentation: Governance » Sign-off Scenario

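The three-way check described in the accepted answer, as an added example that is not part of the original thread and not Dataiku's own code or API. The `Rights` class, its field names and the sample users are constructed, and treating Admin as implying Deploy is an assumption; the functions list who can effectively deploy and who breaks the developer/approver separation.

```python
from dataclasses import dataclass, field

# Hypothetical model: these names are illustrative, not Dataiku's data format.
@dataclass
class Rights:
    view: set = field(default_factory=set)
    deploy: set = field(default_factory=set)
    admin: set = field(default_factory=set)

def can_deploy(groups, rights):
    """True if any of the user's groups holds Deploy (Admin assumed to imply it)."""
    return bool(set(groups) & (rights.deploy | rights.admin))

def effective_deployers(users, infra, project, automation_users):
    """Users for whom all three conditions from the answer hold at once."""
    return sorted(
        name for name, groups in users.items()
        if can_deploy(groups, infra)          # 1. Deploy on the infrastructure
        and can_deploy(groups, project)       # 2. Deploy on the project
        and name in automation_users          # 3. exists on the Automation node
    )

def separation_violations(users, infra, project, automation_users, developer_groups):
    """Effective deployers who also sit in a developer group bypass the stop gate."""
    return [
        name for name in effective_deployers(users, infra, project, automation_users)
        if set(users[name]) & set(developer_groups)
    ]

# Constructed sample input.
USERS = {
    "alice": ["developer"],
    "bob": ["approver"],
    "carol": ["developer", "approver"],  # dual membership defeats the gate
    "dave": ["approver"],                # no account on the Automation node
}
INFRA = Rights(view={"developer"}, deploy={"approver"})
PROJECT = Rights(deploy={"approver"}, admin={"developer"})
# Same project before the developers added the approver group to its settings.
PROJECT_WITHOUT_APPROVERS = Rights(admin={"developer"})
AUTOMATION_USERS = {"alice", "bob", "carol"}

if __name__ == "__main__":
    print("can deploy:", effective_deployers(USERS, INFRA, PROJECT, AUTOMATION_USERS))
    print("violations:", separation_violations(
        USERS, INFRA, PROJECT, AUTOMATION_USERS, {"developer"}))
```
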
Naunghton
Level 2
Author

Also, if this is something that can be controlled in version 11 then it would be amazing as well to know this. 

Naunghton
Level 2
Author

Hi @fsergot,

Thanks for this! What version of Dataiku are you running on to get these options for separating who can deploy a project?

From my view (version 10.0.2), we are only able to see the following permissions, and I have found that only giving a group admin over a project gives them the permissions needed to deploy.

Let me know what you think! 

[Screenshot of the permissions referred to above]

Naunghton
Level 2
Author

Or is it the case that we should deploy bundle to deployer, then assign the "approver group" permissions to deploy that project specifically and then the approver would be able to deploy to the infrastructure that they have permissions to?

fsergot
Dataiker

Indeed, those are rights that are in Project Deployer, not in the original project.
