Data source-specific permissions

Before you can start ingesting metadata, ensure that you meet the required permissions for your specific data source.

Important

Ensure that you meet the Azure Data Factory-specific permissions described in Set up Azure Data Factory.

You need read access on information_schema. Only views that you own are processed.

You need read access on the SYS schema.

If you are using the lineage harvester, you need read access on information_schema:

bigquery.datasets.get
bigquery.tables.get
bigquery.tables.list
bigquery.jobs.create
bigquery.routines.get
bigquery.routines.list

If you are using Edge, you also need:

resourcemanager.projects.get
bigquery.readsessions.create
bigquery.readsessions.getData

SELECT, at table level. Grant this to every table for which you want to create a technical lineage.
Read access to the SYS schema or the tables in the schema.

Ensure that your service account token has the Read-Only permission.

Ensure that you have the permission to copy the target/ directory, which is generated by running the dbt compile command, to a local folder.

You need Monitoring role permissions.

A role with the LOGIN option.

SELECT WITH GRANT OPTION, at Table level.

CONNECT ON DATABASE

You need read access on the SYS schema and the View Definition Permission in your SQL Server.

You need read access on definition_schema.

GRANT SELECT, at table level. Grant this to every table for which you want to create a technical lineage.
The role of the user that you specify in the username property in lineage harvester configuration file must be the owner of the views in PostgreSQL.

You need read access on the DBC.

You need read access to the following dictionary views:

all_tab_cols
all_col_comments
all_objects
ALL_DB_LINKS
all_mviews
all_source
all_synonyms
all_views

Your user role must have privileges to export assets.
You must have read permission on all assets that you want to export.

You have at least a Matillion Enterprise license.
You have generated the Matillion certificate. For more information, go to Recreating self-signed SSL certificates on a Matillion ETL instance.
You have added the Matillion certificate to a Java truststore. For more information about adding a certificate to a Java truststore, go to Add a Certificate to a Truststore Using Keytool.
If you encounter the javax.net.ssl.SSLHandshakeException: General SSLEngine problem error message, go to Data Source Name Failed exception with Tableau & technical lineage in Collibra Support Portal for a solution.

The following permissions are required, regardless of the ingestion mode: SQL or SQL-API.

Ensure that the Snowflake user has the appropriate allowed host list. For details, go to Allowing Hostnames in Snowflake documentation.
You need a role that can access the Snowflake shared read-only database. To access the shared database, the account administrator must grant the IMPORTED PRIVILEGES privilege on the shared database to the user that runs the lineage harvester.
If the default role in Snowflake does not have the IMPORTED PRIVILEGES privilege, you can use the customConnectionProperties property in the lineage harvester configuration file to assign the appropriate role to the user. For example:
"customConnectionProperties": "role=METADATA"

The source code files must be in the same directory as your JSON files. For complete information, go to Working with custom technical lineage.
To stitch the data objects of your data sources with Data Catalog assets, you need to register your data sources in Data Catalog. When you then prepare the Data Catalog physical data layer, ensure that you use a structure that matches the structure of ingested assets in Data Catalog.
Determine whether you want to use the single-file or batch definition option.
If you choose the single-file definition option, determine whether you want to create a simple or advanced custom technical lineage.

Before you start the Power BI integration process, you have to perform a number of tasks in Power BI and Microsoft Azure. These tasks, which are performed outside of Collibra, are needed to enable the lineage harvester to reach your Power BI application and collect its metadata. For complete information, go to Set up Power BI.

Collibra Data Lineage supports:

Power BI on the Microsoft Power Platform.
Power BI on Fabric.

The configuration requirements and the integration are the same, regardless of your setup.

Before you start the Tableau integration process, you have to perform a number of tasks in Tableau. For complete information, go to the following topics:

You need the following roles, with user access to the server from which you want to ingest:

A system-level role that is at least a System user role.
An item-level role that is at least a Content Manager role.

We recommend that you use SQL Server 2019 Reporting Services or newer. We can't guarantee that older versions will work.

Before you start the Looker integration process, you need to set up Looker.

The following permissions apply only to MicroStrategy on-premises customers.

You need the following Admin API permissions:
1. The first call we make to MicroStrategy is to authenticate. We connect to:
  <MSTR URL>:<Port>/MicroStrategyLibrary/api-docs/ and use GET api/auth/login.
  For complete information, see the MicroStrategy documentation.
  If this API call can be made successfully, you can ingest the metadata.
2. The same connection:
  <MSTR URL>:<Port>/MicroStrategyLibrary/api-docs/, but with GET api/model/tables/<tableId>.
  For complete information, see the MicroStrategy documentation.
  This endpoint is needed to create lineage and stitching.
You need permissions to access the library server.
The lineage harvester uses port 443. If the port is not open, you also need permissions to access the repository.
If you have a MicroStrategy on-premises environment, you need the permissions for all of the database objects that the lineage harvester accesses.
You have to configure the MicroStrategy Modeling Service. For complete information, see the MicroStrategy documentation.

Necessary permissions to all database objects that the lineage harvester accesses.

Show me the data source-specific permissions

Data source	Required permissions
Amazon Redshift	You need read access on information_schema. Only views that you own are processed.
Azure Data Factory	Ensure that you meet the Azure Data Factory-specific permissions described in Set up Azure Data Factory.
Azure SQL server	You need read access on the SYS schema.
Azure Synapse Analytics	SELECT, at table level. Grant this to every table for which you want to create a technical lineage. Read access to the SYS schema or the tables in the schema.
Google BigQuery	If you are using the lineage harvester, you need read access on information_schema: bigquery.datasets.get bigquery.tables.get bigquery.tables.list bigquery.jobs.create bigquery.routines.get bigquery.routines.list If you are using Edge, you also need: resourcemanager.projects.get bigquery.readsessions.create bigquery.readsessions.getData
Greenplum	A role with the LOGIN option.
HiveQL	SELECT WITH GRANT OPTION, at Table level.
IBM DB2	CONNECT ON DATABASE
Informatica Intelligent Cloud Services	Your user role must have privileges to export assets. You must have read permission on all assets that you want to export.
Matillion	You have at least a Matillion Enterprise license. You have generated the Matillion certificate. Ensure that the certificate is signed by a certificate authority. Self-signed certificate is not supported when you create technical lineage via Edge. You have added the Matillion certificate to a Java truststore. For more information about adding a certificate to a Java truststore, go to Add a Certificate to a Truststore Using Keytool.
Microsoft SQL Server	You need read access on the SYS schema and the View Definition Permission in your SQL Server.
MySQL	SELECT, at table level. Grant this to every table for which you want to create a technical lineage. Read access to the SYS schema or the tables in the schema.
Netezza	You need read access on definition_schema.
Oracle	You need read access to the following dictionary views: all_tab_cols all_col_comments all_objects ALL_DB_LINKS all_mviews all_source all_synonyms all_views
PostgreSQL	GRANT SELECT, at table level. Grant this to every table for which you want to create a technical lineage. The role of the user that you specify in the `username` property in lineage harvester configuration file must be the owner of the views in PostgreSQL.
Snowflake	The following permissions are required, regardless of the ingestion mode: `SQL` or `SQL-API`. You need a role that can access the Snowflake shared read-only database. To access the shared database, the account administrator must grant the IMPORTED PRIVILEGES privilege on the shared database to the user that runs the lineage harvester. If the default role in Snowflake does not have the IMPORTED PRIVILEGES privilege, you can use the `customConnectionProperties` property in the lineage harvester configuration file to assign the appropriate role to the user. For example: `"customConnectionProperties": "role=METADATA"`
Teradata	You need read access on the DBC.

Warning Collibra Data Lineage uses the API 4.0 endpoints GET /queries/<query_id> and GET /running_queries. Due to a security update by Looker, the behavior of these endpoints has changed. Therefore, you must now:

Select the "Disallow Numeric Query IDs" option in Looker.
Ensure that your Looker user has the Admin role.

For complete information, see the Looker Query ID API Patch Notice.