DataHub Role and Privilege Assignment Query Resolved

Original Slack Thread

Hello Everyone! I have just experienced the following issue and I am quite puzzled.
I have three Azure AD Groups which I ingested in DataHub. I read that the preferred way to handle permissions is by using roles, so I manually assigned the respective roles to the users (https://datahubproject.io/docs/authorization/roles#assigning-a-new-role-to-a-single-user). (I read that the AD groups do not get DataHub roles by default) I have not changed or disabled any of the privileges.
With that setting I have a user with a Reader DataHub role who can create and run ingestions. According to https://datahubproject.io/docs/authorization/roles#role-privileges a Reader should not be able to run ingestion, is that correct? Is the Manage Ingestion privilege the one controlling that?
I am probably missing something. Any help will be very appreciated.
Thank you!

After some more reading I think I have found the cause for this behavior.
As pointed out here https://datahubproject.io/docs/authorization/policies/#managing-policies, there is a policy which gives platform privileges to all users and it is enabled by default. I have disabled it and now the Reader and Writer roles work as described here https://datahubproject.io/docs/authorization/roles/#role-privileges.
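The resolution above comes down to how effective privileges are computed: a user's privileges are the union of everything granted by every active policy whose actor filter matches them, and the role is just one input to that. An "all users" policy therefore overrides whatever restriction a Reader role was meant to impose. The following is an added example, not DataHub's own code; it is a simplified model of that evaluation, written here to show why the Reader could run ingestion and why disabling the default policy fixes it. The policy name, the privilege identifiers, the role bundles and the user/group URNs are assumptions or constructed sample data, not values taken from a DataHub instance.

```python
"""Simplified model of policy-based privilege resolution (added example, not DataHub code).

Assumptions (not from the thread): privilege ids, the default policy name and the
role bundles below are assumed; the evaluation logic is a deliberately reduced model.
"""
from dataclasses import dataclass, replace
from typing import FrozenSet, List, Optional

# Assumed platform privilege ids (the thread only names "Manage Ingestion").
MANAGE_INGESTION = "MANAGE_INGESTION"
VIEW_ANALYTICS = "VIEW_ANALYTICS"
PLATFORM_PRIVILEGES = frozenset({MANAGE_INGESTION, VIEW_ANALYTICS})


@dataclass(frozen=True)
class Policy:
    name: str
    privileges: FrozenSet[str]
    active: bool = True
    all_users: bool = False                     # matches every authenticated user
    users: FrozenSet[str] = frozenset()         # explicit user URNs
    groups: FrozenSet[str] = frozenset()        # group URNs (e.g. ingested AD groups)
    roles: FrozenSet[str] = frozenset()         # role names the policy is attached to


@dataclass(frozen=True)
class Actor:
    urn: str
    groups: FrozenSet[str] = frozenset()
    role: Optional[str] = None


def policy_applies(policy: Policy, actor: Actor) -> bool:
    """A policy contributes privileges only if it is active and its actor filter matches."""
    if not policy.active:
        return False
    return (
        policy.all_users
        or actor.urn in policy.users
        or bool(actor.groups & policy.groups)
        or (actor.role is not None and actor.role in policy.roles)
    )


def effective_privileges(actor: Actor, policies: List[Policy]) -> FrozenSet[str]:
    """Union of privileges from every matching policy: roles do not subtract, they only add."""
    granted = set()
    for policy in policies:
        if policy_applies(policy, actor):
            granted |= policy.privileges
    return frozenset(granted)


def can_manage_ingestion(actor: Actor, policies: List[Policy]) -> bool:
    return MANAGE_INGESTION in effective_privileges(actor, policies)


def overly_broad_policies(policies: List[Policy]) -> List[str]:
    """Least-privilege check: active policies that hand platform privileges to all users."""
    return [
        p.name
        for p in policies
        if p.active and p.all_users and (p.privileges & PLATFORM_PRIVILEGES)
    ]


def disable(policy: Policy) -> Policy:
    """Return a copy of the policy with its state switched to inactive."""
    return replace(policy, active=False)


# Constructed policy set: a default-on "all users" policy plus a role-scoped Admin policy.
DEFAULT_ALL_USERS_POLICY = Policy(
    name="All Users - All Platform Privileges",  # assumed name of the default policy
    privileges=PLATFORM_PRIVILEGES,
    all_users=True,
)
ADMIN_ROLE_POLICY = Policy(
    name="Admins - Platform Policy",  # constructed
    privileges=PLATFORM_PRIVILEGES,
    roles=frozenset({"Admin"}),
)
DEFAULT_POLICIES = [DEFAULT_ALL_USERS_POLICY, ADMIN_ROLE_POLICY]
HARDENED_POLICIES = [disable(DEFAULT_ALL_USERS_POLICY), ADMIN_ROLE_POLICY]

# Constructed user: member of an ingested AD group, manually assigned the Reader role.
READER = Actor(
    urn="urn:li:corpuser:reader.example",
    groups=frozenset({"urn:li:corpGroup:analysts"}),
    role="Reader",
)

if __name__ == "__main__":
    print("default set, Reader can manage ingestion:", can_manage_ingestion(READER, DEFAULT_POLICIES))
    print("hardened set, Reader can manage ingestion:", can_manage_ingestion(READER, HARDENED_POLICIES))
    print("policies granting platform privileges to everyone:", overly_broad_policies(DEFAULT_POLICIES))
```

The `overly_broad_policies` check is the part worth keeping around: after any upgrade or fresh deployment, listing active policies whose actor filter is "all users" and whose privilege set includes platform privileges catches this class of misconfiguration before a Reader finds it by accident.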

Glad you figured this out!