Manage roles

Note Roles in Data Access are not the same as global or resource roles.

In Data Access, a role is a type of access control that grants identities access, such as Read, Write, or Admin, on data objects.

You can create a role to define who receives specific permissions on your selected data objects.

You can also edit an imported role. Editing an imported access control internalizes it. As a result, Data Access overwrites any further changes that are made to the access control in the data source.

Prerequisites

  • To create a role: You have a global role with the Data Access > Create Access Controls global permission, or you own any data object.
  • To edit a role: You have a global role with the Data Access > Create Access Controls global permission, or you own the role or all of its data objects.

Steps

  1. On the Data Access landing page, in the left pane, click ACCESS CONTROLS > Roles
  2. Do one of the following:
    •  To create a role: Click Create role. On the Create role page, enter the information, and then click Create.
    • To edit a role: Click the name of the role, and then click Edit. Edit the information, and then click Save or Internalize & Save (shown when you edit an imported role).

Result

  • Ownership: You become the owner of the access control that you created. You can add more owners by clicking Edit icon in the Owners field in the Details sidebar.
  • Synchronization: Data Access automatically triggers a synchronization to push the access control to the underlying data source. Until the access control is created or updated in the data source, the Sync status field in the Details sidebar shows Not connected (for a new access control) or Out of sync (for an edited access control). After the synchronization finishes, the synchronization status changes to Synced.
  • Unowned entities: If you selected a data object that you do not own, it is not added to the access control immediately. Instead, an access request is generated and assigned to the data object's owner. If the owner approves the access request, the data object is added to the access control. When this happens, the synchronization status of the access control changes to Out of sync briefly while Data Access pushes the changes to the data source. After the synchronization finishes, the synchronization status returns to Synced.

Guidance

Use this section to guide you when creating or editing a role. If the role was already created, on the role page, click Edit, and then complete the following sections.

General

In the General section, specify the basic properties of the role.

Field Description
Name

A unique display name for the role, for example, Finance Read.

Tip The technical name of an access control is used to generate the name of the corresponding access control in the underlying data source. By default, the technical name matches the display name. To specify a different technical name, use the Advanced option. This option applies only to data sources that use named entities to represent access controls. If you change the name in the Name field after generating a technical name, the corresponding access control in the underlying data source is renamed during the next synchronization.
Description

A brief explanation of the role's purpose, for example, Grants read-only access to Finance team.

Access granted

In the Access granted section, specify the data objects on which you want to grant access. You can also specify other roles, column masks, and row filters.

  1. In the What can be accessed section, click Add.
  2. In the Where does this role apply dialog box, select the data source for the role, and then click Continue.
  3. In the Which type of access do you want to grant dialog box, select one of the following options, and then click Continue.
    OptionDescription
    Data objectsGrants your role's beneficiaries specific access on the data objects that you specify.
    Dynamic ruleGrants your role's beneficiaries specific access on the data objects that meet the conditions that you specify.
    Roles

    Inherits access from the other roles that you specify. By selecting another role, you allow your role's beneficiaries to inherit the access that is provided by the other role.

    Masks

    Creates a local exception for the column masks that you specify. A column mask masks data in specific columns for everyone except its beneficiaries. The beneficiaries see unmasked data. By selecting a column mask, you allow your role's beneficiaries to see unmasked data, but in only those columns that belong to the tables on which your role grants access.

    Row filters

    Links your role to the row filters that you specify. A row filter hides all rows in a specific table or view from everyone except its beneficiaries. The beneficiaries see rows that meet specific filter criteria. By selecting a row filter, you allow your role's beneficiaries to see the filtered rows.

    Tip Adding other access controls to your role is how you build inheritance, wherein your role automatically inherits the permissions and exceptions of the other access controls.
  4. If you selected Data objects, Roles, Column masks, or Row filters, select one or more data objects, roles, column masks, or row filters on which you want to grant access, and then click Add. The default permission for the selected data objects is Read, and the default expiration date for the selected access controls is Unlimited. The expiration date indicates when access is officially revoked.
  5. If you selected Dynamic rule:
    1. In the Where does the dynamic rule apply dialog box, select the data objects (from the same data source) that you want to be included in the rule, and then click Continue.
    2. In the Which conditions should apply dialog box, enter the required information, and then click Add.
      Tip 
      • The available options in the Key field include the tag keys that are imported from all the connected data sources.
      • You can add more conditions and combine them by using the AND or OR logic.
      • You can preview the results by clicking See results. The results show the data objects that currently meet the tag conditions. This allows you to validate the scope of your dynamic rule before it is applied to your data sources.
  6. To check or edit the permissions for the data objects:
    1. In the What can be accessed section, in the Permissions column, double-click the current value.
      The Edit permissions dialog box appears. The underlying permissions for each permission group (Read, Write, and Admin) are indicated by checkboxes. The permissions and their descriptions vary by data source.
    2. To select more permissions, select the corresponding checkboxes. If you want to entirely exclude the permission group, click the corresponding tab.
    3. To select other permission groups such as Write or Admin, click the corresponding tabs. Clicking the tab again clears your selection.
  7. To change the expiration date (which indicates when access is revoked) for the access controls:
    1. In the Expires at column, double-click the current value.
    2. In the Edit expires at dialog box, select the new expiration date, and then click Apply.
Tip 
  • Remember to save your changes.
  • You can view all the data objects that are explicitly assigned to the role, as well as those that are inherited from any linked roles, by clicking Show all in the Access granted section.

Beneficiaries

In the Beneficiaries section, specify the identities to whom you want to grant access. You can also specify groups and other roles.

  1. In the Who has access section, click Add.
  2. In the Which type of beneficiary do you want to add dialog box, select one of the following options, and then click Continue.
    OptionDescription
    IdentitiesGrants the identities that you specify access on the data objects.
    GroupsGrants the identities within the groups that you specify access on the data objects.
    Dynamic rule

    Grants the identities that meet the conditions that you specify access on the data objects.

    RolesGrants the beneficiaries of the other roles that you specify access on the data objects.
  3. If you selected Identities, Groups, or Roles, select one or more identities, groups, or roles, and then click Add.
  4. If you selected Dynamic rule, in the Which conditions should apply dialog box, enter the required information, and then click Continue.
  5. To change the expiration date (which indicates when access is revoked) for the beneficiaries:
    1. In the Expires at column, double-click the current value.
    2. In the Edit expires at dialog box, select the new expiration date, and then click Apply.
Tip 
  • Remember to save your changes.
  • You can view all the identities that are explicitly assigned to the role, as well as those that are inherited from groups and any linked roles, by clicking Show all in the Beneficiaries section.

Related topics