Manage Data Sources Permissions
Permissions for Data Sources define who can view, add, and utilize Data Sources in your GoodData deployment.
Available Permissions for Data Sources
USE
- With the
USEpermission, users can see the identifiers associated with data sources but not access the actual data sources. This approach helps protect sensitive details about the data source databases from being disclosed.
See the Data Source Identifier section for more information.
MANAGE
- Enables users to modify the data source, including its schema and connection credentials.
How to Set Permissions for Data Sources
Permissions for Data Sources can be configured via the /API/v1/layout/dataSources or /API/v1/layout/organization declarative API endpoints. To modify the dataSource or organization layouts, you must have the Organization.MANAGE permission.
Steps:
Follow these steps to update your data source permissions through an API call:
Fetch the Current Data Source Layout
Execute the following API call to retrieve the current
jsondefinition of your data source layout:curl -H "Authorization: Bearer $API_TOKEN" \ -H "Content-Type: application/json" \ -X GET \ $HOST_URL/api/v1/layout/dataSourcesModify the Permissions in the JSON File
In the returned data source layout
jsonfile, locate and update thepermissionssection as needed:{ "dataSources": [ { ..., "permissions": [ { "assignee": { "id": "<user_id_or_user_group_id>", "type": "<user_or_userGroup>" }, "name": "<MANAGE_or_USE>" } ], ... } ] }Update the Data Source Layout
Update the data source layout with your modified
jsonfile using the following API call:curl -H "Authorization: Bearer $API_TOKEN" \ -H "Content-Type: application/json" \ -X PUT \ $HOST_URL/api/v1/layout/dataSources -d @<your_updated_data_source_layout>.json
Permissions JSON Structure
Object
The object (
dataSourcesin the example above) contains the permissions definition, establishing the relationship between the object, its permissions, and the assignees.Permissions Definition
The type of permissions you want to assign to users. Keep it as
permissionsif you are assigning data source permissions, but in case of workspaces, you can also use thehierarchyPermissionsdefinition. See the Manage Workspace Permissions section for details.Assignee
An assignee refers to either a
useror auser group, identified by theiridand specified bytypewithin the permissions setup.Name
The permission name (e.g.
MANAGE) within this structure dictates the level of access, mapping to specific actions that are otherwise restricted. The impact of these permissions extends across the hierarchy, affecting related object actions as detailed in the Available Permissions for Data Sources section.
Example
In a practical deployment scenario, the permissions definition for a data source object might look like this:
{
"dataSources": [
{
...,
"permissions": [
{
"assignee": {
"id": "admins",
"type": "userGroup"
},
"name": "MANAGE"
},
{
"assignee": {
"id": "john_smith",
"type": "user"
},
"name": "USE"
}
],
...
}
]
}
In this scenario, two types of permissions are defined:
- Everyone who is part of the
adminsuser group is allowed to view and alter data sources. - The user
john_smithis only allowed to list data source identifiers.
Data Source Identifiers
The USE permission gives the user access to data source identifiers, not the data sources themselves. This is to prevent exposing sensitive information about the data source database itself to the user.
See the Data Source Identifier section for more information.