User Permissions Creating and Deleting Application Instances

benmoss
Level 2
User Permissions Creating and Deleting Application Instances

Hi!

We are in the process of rolling out an application we have developed to our users. But we have a couple of open questions and I'm looking for some guidance, each associated with permissioning.

Creating application instances - We would like to centrally create application instances via a script (this has been set-up). We would like our users to be able to see these new application instances, however, we do not want users to be able to create their own application instances.

We believe this is something that should be possible, given one of the options when setting up an application is to restrict those able to 'instantiate the app' to only those with 'execute app' permissions.

When trying to set these permissions in practice however we are not able to achieve the desired state. In order to disable 'execute app' permissions we also have to disable 'read project' permissions. This process itself seems to prevent our users being able to see the application at all, yet alone any instances that have been created in it.

Deleting App Instances - We would like to prevent this same user group being able to delete app instances. The reason for this is there is a risk that users would hit delete, and also hit 'delete managed datasets' which could destroy some key tables.

We have not yet gotten round to understanding how this would be possible.

Any guidance is greatly appreciated!

5 Replies
JordanB
Dataiker

Hi @benmoss,

Would you please try using the following permissions on the project level and the app level?

Project-level:

Screen Shot 2022-09-23 at 2.15.55 PM.png

(Users in group "readers" can view the app. However, they cannot create or delete app instances )

App instance level:

Screen Shot 2022-09-23 at 2.17.01 PM.png

> "In order to disable 'execute app' permissions we also have to disable 'read project' permissions."

      As you can see in the screenshot above, the execute app permissions are disabled, while the "read project content is enabled".

If you are still not able to get your desired outcome, would you please provide a screenshot of your permissions?

Also, please feel free to open a support ticket and/or live-chat us. 

Thanks!

Jordan

 

benmoss
Level 2
Author

Hi @JordanB,

I worked through the solution you provided and it got us someway to our desired behaviour.

Specifically users can now see the application within our workspace, and when given a link to the created application instance they can see and interact with the application user interface.

However, the permissions set up seems to require the user to know the link to the app instance and we seem to be unable to navigate directly to the application instance via the workspace...

land on workspace > select application > see application instances

At present when we select the application within the workspace the following error is given...

 

Screenshot 2022-09-26 093400.png

Any further guidance is appreciated!

Ben

0 Kudos
JordanB
Dataiker

HI @benmoss,

Would you please check the security settings of the app instance and confirm that you have project visibility set to "discoverable"? 

Screen Shot 2022-09-26 at 10.58.25 AM.png

Also, you can add permissions to the App Instance folder (as shown below):

Screen Shot 2022-09-26 at 11.40.13 AM.png

I hope this helps! Let me know if you have any questions.

Thanks,

Jordan

0 Kudos
benmoss
Level 2
Author

Hi @JordanB,

Thanks for taking the time to respond to this post again; we scheduled a call with one of your colleagues who worked with us to an agreeable solution which was as follows;

- Remove all permision to our viewers group on the project which we wanted to serve to those users as an application

- Create a mechanism to dynamically create application instances. Store those application instances with a folder 'project x application instances'

- Give users access to 'project x application instances'

- During the creation process, also give users permission to run that specific application instance

This has taken us  to a position where users are now unable to create their own app instances. We have had to move away from using the concept of 'workspaces' for this task, however within our project workspace we have linked to the 'project x application instnaces' folder.

Ben

CoreyS
Dataiker Alumni

Thank you for sharing your solution with the rest of the community @benmoss!

Looking for more resources to help you use Dataiku effectively and upskill your knowledge? Check out these great resources: Dataiku Academy | Documentation | Knowledge Base

A reply answered your question? Mark as ‘Accepted Solution’ to help others like you!
0 Kudos