Manage Data Sources Permissions

Permissions for Data Sources define who can view, add, and utilize Data Sources in your GoodData deployment.

Available Permissions for Data Sources

USE

  • With the USE permission, users can see the identifiers associated with data sources but not access the actual data sources. This approach helps protect sensitive details about the data source databases from being disclosed.

See the Data Source Identifier section for more information.

MANAGE

  • Enables users to modify the data source, including its schema and connection credentials.

How to Set Permissions for Data Sources

Permissions for Data Sources can be configured via the /api/v1/layout/dataSources or /api/v1/layout/organization declarative API endpoints. To modify the dataSource or organization layouts, you must have the Organization.MANAGE permission.

Steps:

Follow these steps to update your data source permissions through an API call:

  1. Fetch the Current Data Source Layout

    Execute the following API call to retrieve the current JSON definition of your data source layout:

    curl -H "Authorization: Bearer $API_TOKEN" \
         -H "Content-Type: application/json" \
         -X GET \
         $HOST_URL/api/v1/layout/dataSources
    
  2. Modify the Permissions in the JSON File

    In the returned data source layout JSON file, locate and update the permissions section as needed:

    {
      "dataSources": [
        {
          ...,            
          "permissions": [
            {
              "assignee": {
                "id": "<user_id_or_user_group_id>",
                "type": "<user_or_userGroup>"
              },
              "name": "<MANAGE_or_USE>"
            }
          ],
          ...
        }
      ]
    }
    
  3. Update the Data Source Layout

    Update the data source layout with your modified JSON file using the following API call:

    curl -H "Authorization: Bearer $API_TOKEN" \
        -H "Content-Type: application/json" \
        -X PUT \
        $HOST_URL/api/v1/layout/dataSources -d @<your_updated_data_source_layout>.json
    

Permissions JSON Structure

  • Object

    The object (dataSources in the example above) contains the permissions definition, establishing the relationship between the object, its permissions, and the assignees.

  • Permissions Definition

    The type of permissions you want to assign to users. Keep it as permissions when assigning data source permissions. For workspaces, you can also use the hierarchyPermissions definition. See the Manage Workspace Permissions section for details.

  • Assignee

    An assignee refers to either a user or a user group, identified by their id and specified by type within the permissions setup.

  • Name

    The permission name (e.g. MANAGE) within this structure dictates the level of access, mapping to specific actions that are otherwise restricted. The impact of these permissions extends across the hierarchy, affecting related object actions as detailed in the Available Permissions for Data Sources section.

Example

In a practical deployment scenario, the permissions definition for a data source object might look like this:

{
    "dataSources": [
        {
            ...,
            "permissions": [
                {
                    "assignee": {
                        "id": "admins",
                        "type": "userGroup"
                    },
                    "name": "MANAGE"
                },
                {
                    "assignee": {
                        "id": "john_smith",
                        "type": "user"
                    },
                    "name": "USE"
                }
            ],
            ...
        }
    ]
}

In this scenario, two types of permissions are defined:

  • Everyone who is part of the admins user group is allowed to view and alter data sources.
  • The user john_smith is only allowed to list data source identifiers.
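
The edit in step 2 can be scripted and checked before the PUT in step 3. The following Python is an added example, not GoodData's own code: it sets one permission per assignee on a data source and reports who holds MANAGE. It assumes each data source object carries an "id" field; the sample layout and the demo-ds identifier are constructed.

```python
import json

ALLOWED_NAMES = {"MANAGE", "USE"}        # permission names listed on this page
ALLOWED_TYPES = {"user", "userGroup"}    # assignee types listed on this page

def grant(layout, data_source_id, assignee_id, assignee_type, name):
    """Set exactly one permission for an assignee on one data source, in place."""
    if name not in ALLOWED_NAMES:
        raise ValueError(f"unknown permission name: {name!r}")
    if assignee_type not in ALLOWED_TYPES:
        raise ValueError(f"unknown assignee type: {assignee_type!r}")
    for ds in layout["dataSources"]:
        if ds.get("id") == data_source_id:  # "id" key on the data source is an assumption
            kept = [p for p in ds.get("permissions", [])  # drop the assignee's older entries
                    if (p["assignee"]["id"], p["assignee"]["type"]) != (assignee_id, assignee_type)]
            kept.append({"assignee": {"id": assignee_id, "type": assignee_type}, "name": name})
            ds["permissions"] = kept
            return layout
    raise KeyError(f"data source not in layout: {data_source_id}")

def review(layout):
    """Return (problems, manage_holders) for a layout that is about to be uploaded."""
    problems, manage_holders = [], {}
    for ds in layout["dataSources"]:
        dsid, seen = ds.get("id", "<no id>"), set()
        for p in ds.get("permissions", []):
            who = (p["assignee"]["type"], p["assignee"]["id"])
            if p["name"] not in ALLOWED_NAMES or who[0] not in ALLOWED_TYPES:
                problems.append(f"{dsid}: invalid entry {p}")
            if who in seen:
                problems.append(f"{dsid}: more than one entry for {who[0]} {who[1]}")
            seen.add(who)
            if p["name"] == "MANAGE":
                manage_holders.setdefault(dsid, []).append(who)
    return problems, manage_holders

# Constructed sample standing in for the GET response; fields the page elides are omitted.
SAMPLE = json.loads("""{"dataSources": [{"id": "demo-ds", "permissions": [
  {"assignee": {"id": "admins", "type": "userGroup"}, "name": "MANAGE"},
  {"assignee": {"id": "john_smith", "type": "user"}, "name": "MANAGE"}]}]}""")

if __name__ == "__main__":
    grant(SAMPLE, "demo-ds", "john_smith", "user", "USE")  # downgrade MANAGE to USE
    problems, holders = review(SAMPLE)
    print(json.dumps(SAMPLE, indent=2))
    print("problems:", problems, "MANAGE holders:", holders)
```

Run it against the saved GET response and upload only when the problems list is empty and the MANAGE holders match who should be able to change connection credentials.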

Data Source Identifiers

The USE permission gives the user access to data source identifiers, not the data sources themselves. This is to prevent exposing sensitive information about the data source database itself to the user.

See the Data Source Identifier section for more information.