<@U06TM7M40RK> - could you please help me with an understanding here? I have created groups for users. I have attached these groups to every domain. We have two groups for every domain - Data Owner, Data Stewards.
Now when I wish to add users to this group, shall I add them as members or group owners? I have different policies Data Stewards and Data Owners. To make sure users adhere to the pre-set policies, I'm confused on how to add them to the group.
To manage user access and ensure adherence to pre-set policies in DataHub, you can utilize groups effectively. Here’s a summary of how you can approach this:
Group Membership vs. Group Ownership:
Members: Adding users as members of a group means they will inherit the permissions and policies assigned to that group. This is typically how you would add users who need to perform the roles defined by the group, such as Data Owners or Data Stewards.
Owners: Assigning users as owners of a group does not automatically make them members of the group. Owners can manage the group, but they do not inherit the group’s permissions unless they are also added as members. This distinction allows owners to manage the group without necessarily having the same access as members (source: https://datahubspace.slack.com/archives/C02QMLWJG12/p1685131899.547899).
Assigning Users to Groups:
If you want users to have the permissions associated with the Data Owner or Data Steward roles, you should add them as members of the respective groups. This ensures they can perform the actions allowed by the policies attached to those groups.
If you want certain users to manage the group (e.g., add or remove members), you can assign them as owners of the group. However, remember that being an owner does not grant them the permissions of the group unless they are also members.
Policies and Permissions:
Ensure that the policies for Data Owners and Data Stewards are correctly configured to grant the necessary permissions to the group members. You can define these policies using DataHub’s policy configuration, specifying the privileges and resources applicable to each group (source: https://github.com/datahub-project/datahub/blob/master/docs/authorization/policies.md).
Would you like more detailed steps or specific examples on any of these points?
Sources:
<Slack Discussion on Group Membership and Ownership>
Hi <@U08FUAY60EM>, how did my answer work out for you? Need any more assistance? You can also tag <@U07FV3UHE4D> to let your fellow community members know you’re still looking for guidance.