Policies
ODD Platform lets you manage access to resources by creating policies and attaching them to owners through roles.
Policies are described in JSON format and validated with .
Each policy is represented by an array of statements and each statement defines a resource with optional conditions and which will be allowed for given resource.
There are 3 possible types of policy resource:
DATA_ENTITY - indicates that the current permissions are applied to a data entity
TERM - indicates that the current permissions are applied to a dictionary term
MANAGEMENT - indicates that the current permissions are general and work all over the platform
QUERY_EXAMPLE - indicates that the current permissions are applied to query examples
Conditions let you specify the circumstances under which the policy grants permission.
This is an optional field; if it is absent, permissions are applied to all entries of the resource type.
Conditions can't be applied to the MANAGEMENT resource type.
Currently the following operators are supported:
all - all conditions under this operator must be positive
any - at least one condition under this operator must be positive
There are a couple of pre-defined fields that can be used in conditions. Each resource type has its own fields.
Data entity
dataEntity:oddrn - data entity's ODDRN
dataEntity:internalName - data entity's business name
dataEntity:externalName - data entity's ingested name
dataEntity:type - data entity's type name
dataEntity:class - data entity's class name
dataEntity:datasource:oddrn - data entity's datasource ODDRN
dataEntity:datasource:name - data entity's datasource name
dataEntity:namespace:name - data entity's namespace name
dataEntity:tag:name - data entity's tag name
dataEntity:owner - data entity's owner
dataEntity:owner:title - data entity's owner title
Term
term:name - term's name
term:namespace:name - term's namespace name
term:tag:name - term's tag name
term:owner - term's owner
term:owner:title - term's owner title
The user must be the term's owner, and the term must be in the Open Data Discovery namespace and have a tag whose name equals Test.
At least one of the conditions must be positive: the user must be the data entity's owner OR the data entity shouldn't have the tag PII.
Please check the Permissions section for the list of all available permissions.
Policy allows updating the business name, description and custom metadata if the user is the data entity's owner and this data entity is in the Open Data Discovery namespace
All actions are allowed for all data entities
Policy allows updating term information and ownership if the term has the Customer tag
Policy allows managing datasources, collectors and namespaces
Policy allows editing term information and permits all actions for data entities from the Finance namespace.
Each type can be combined only with associated permissions and conditions, e.g. if you describe statement for DATA_ENTITY type you can only use data entity's conditions and .
In ODD Platform we have pre-defined and , which can be used with these operators.
eq - must be equal to some value
not_eq - must not be equal to some value
match - must match some value
not_match - must not match some value
is - must be true
not_is - must be false
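The "owner OR no PII tag" condition described above, worked through as an added Python sketch that is not ODD Platform's own code. The JSON layout (statements, resource, conditions, permissions), the permission name EXAMPLE_PERMISSION, the form of the is operator and substring semantics for match are assumptions; the point shown is that a negated operator over a multi-valued field such as dataEntity:tag:name has to hold for every value.

```python
import json

# Constructed policy; the JSON layout and the permission name are assumptions,
# not copied from the page or from ODD Platform.
POLICY = json.loads("""
{"statements": [{
  "resource": {"type": "DATA_ENTITY",
               "conditions": {"any": [
                   {"is": "dataEntity:owner"},
                   {"not_eq": {"dataEntity:tag:name": "PII"}}]}},
  "permissions": ["EXAMPLE_PERMISSION"]}]}
""")

def _leaf(op, arg, ctx):
    if op in ("is", "not_is"):                 # boolean field, e.g. dataEntity:owner
        truth = bool(ctx.get(arg, False))
        return truth if op == "is" else not truth
    (field, want), = arg.items()
    vals = ctx.get(field, [])                  # tags and similar fields are multi-valued
    vals = vals if isinstance(vals, list) else [vals]
    if op in ("eq", "not_eq"):
        hit = any(v == want for v in vals)
    elif op in ("match", "not_match"):         # assumption: case-insensitive substring
        hit = any(want.lower() in str(v).lower() for v in vals)
    else:
        raise ValueError(f"unknown operator: {op}")
    # A negated operator holds only when NO value hits, so one harmless tag
    # cannot satisfy not_eq while a PII tag is also present.
    return not hit if op.startswith("not_") else hit

def evaluate(cond, ctx):
    """Evaluate one condition node: 'all', 'any', or a leaf operator."""
    (op, arg), = cond.items()
    if op == "all":
        return all(evaluate(c, ctx) for c in arg)
    if op == "any":
        return any(evaluate(c, ctx) for c in arg)
    return _leaf(op, arg, ctx)

def allowed(policy, rtype, permission, ctx):
    """Deny by default; allow if a statement of this type grants the permission."""
    for st in policy["statements"]:
        res = st["resource"]
        if res["type"] != rtype or permission not in st["permissions"]:
            continue
        if rtype == "MANAGEMENT" and "conditions" in res:
            raise ValueError("conditions can't be applied to MANAGEMENT")
        if "conditions" not in res or evaluate(res["conditions"], ctx):
            return True
    return False
```

A context here is a plain dict keyed by the page's field names, for example {"dataEntity:owner": False, "dataEntity:tag:name": ["PII", "Finance"]}, which this policy denies.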