Manage role categories

Note Roles in Data Access are not the same as global or resource roles.

In Data Access, a role is the most common type of access control. It is used to grant users access on specific data objects. However, managing thousands of generic roles can be difficult. With role categories, you can label and organize your roles into meaningful business concepts.

Data Access has a default role category named Role. This default role category is also used to identify the roles that are imported from your data sources. You can create your own role categories to support different structural levels of access. You can also apply specific behavioral rules to the roles that are created in a given role category, such as restricting the roles to a single or multiple data sources, limiting beneficiary assignments exclusively to groups or individual identities, and controlling whether and from where they inherit access.

Note You can view or manage role categories only if you have a global role with the Data Access > Manage Settings global permission, for example, the Data Access Admin global role.

Use cases

You can use role categories to build a hierarchy of access, differentiating between low-level technical roles and high-level business roles.

  • Data Products: You can create a category specifically for Data Products. This category is often used for low-level roles that are provisioned by data engineers and are sometimes managed externally through tools such as Terraform. Grouping such roles into the Data Product category helps consumers search for available Data Products and request access to them.
  • Purposes: You can create a category to implement Purpose-Based Access Control (PBAC). For example, a business user might need to build a report that requires data from multiple Data Products across different platforms. The user can then create a high-level purpose role, request that the necessary Data Products be added to it, and then independently manage which team members get access to that purpose.

Create a role category

Prerequisites

You have a global role with the Data Access > Manage Settings global permission.

Steps

  1. On the Data Access landing page, in the left pane, click Settings.
  2. On the Role categories page, click Add role category.
  3. On the Add role category dialog box, enter the required information.
    FieldDescription
    IconA visual symbol to represent the category.
    NameA unique display name for the category, for example, Data Product or Purpose.
    Plural nameThe plural form of the category name, for example, Data Products or Purposes.
    Description A brief explanation of the category's purpose.
    Role creationDetermines whether users can create roles in this category.
    Duplicate namesDetermines whether multiple roles can have the same name.
    Mandatory descriptions

    Determines whether users are required to provide a description when creating roles.

    Grant access on
    Data objectsDetermines whether the roles can grant access on data objects.
    Multiple data sourcesDetermines whether the roles can grant access across multiple data sources.
    Grant access to
    IdentitiesDetermines whether the roles can be assigned to identities.
    GroupsDetermines whether the roles can be assigned to groups.
    Inheritance

    Determines whether the roles can inherit access and, if so, whether they inherit from any role category or from specific role categories.

  4. Click Create.
    The role category is created. Users can now create roles in this category.