Permissions and ownership

In Data Access, what you can see and do is determined by a combination of your global permissions and specific ownership rights. While global permissions provide broad access, ownership, which is managed directly in Data Access, provides granular, targeted control over individual data sources, data objects, and access controls.

Important: Anyone working on Data Access needs the Product Rights → Data Access global permission to access the Data Access product itself.

Global roles

The following table describes the Data Access global roles.

Global role | Default global permissions | Description
Data Access User

Product Rights → Data Access

Access the Data Access product.

Data Access Creator
  • Product Rights → Data Access
  • Data Access → Create Access Controls

Create access controls, even if you don't own any data object.

Data Access Observer
  • Product Rights → Data Access
  • Data Access → View All Access And Usage

View all access controls and access requests, and monitor access and usage of all data, even if you aren't the owner. This includes details on who has access to what, issues, audit logs, and more.

Data Access Manager
  • Product Rights → Data Access
  • Data Access → Manage All Access

Manage all access controls, and monitor access and usage of all data. This permission provides the same capabilities as if you were the owner of all data sources, data objects, and access controls. Therefore, it should be assigned carefully.

Data Access Admin
  • Product Rights → Data Access
  • Data Access → Manage Settings

Manage the Data Access settings and add data sources.

Data Access Integrator

Product Rights → Data Access

Allow service accounts to build custom integrations for Data Access. This includes calling the import, export, and job APIs that are needed to run a sync.

Global permissions

The following table describes the Data Access global permissions.

Global permission | License | Description
Product Rights → Data Access | Viewer

Access the Data Access product.

Data Access → Create Access Controls | Creator

Create access controls, even if you don't own any data object.

This global permission is used by Data Product Owners and Data Stewards to manage data access, column masks, and row filters.

Data Access → View All Access And Usage | Viewer

View all access controls and access requests, and monitor access and usage of data, even if you aren't the owner. This includes details on who has access to what, issues, audit logs, and more.

This global permission is used by Chief Data Officer, Chief Information Officer, Chief Information Security Officer, or Auditor to centrally monitor data access and usage.

In a future release, you will be able to monitor the access and usage of data.

Data Access → Manage All Access | Creator

Manage all access controls, and monitor access and usage of data. This permission provides the same capabilities as if you were the owner of all data sources, data objects, and access controls. Therefore, it should be assigned carefully.

This global permission is used by your super user to manage Data Access. Limit this to as few users as possible.

Data Access → Manage Settings | Creator

Manage the Data Access settings and add data sources.

Data Access → Call Sync APIs | Creator

This permission is reserved for a feature that is not yet available.

Allow service accounts to build custom integrations for Data Access. This includes calling the import, export, and job APIs that are needed to run a synchronization.

Service accounts can be used to manage access as code, create data access and usage monitoring reports, and build Data Access AI agents.

Ownership

You can be the owner of a data source, data object, or access control. You become the owner of a data source when you add it to Data Access, or when the current owner makes you the owner of their data source. Similarly, you become the owner of an access control when you create it in Data Access, or when the current owner makes you the owner of their access control.

The following table describes the capabilities of each ownership level.

Ownership level | Capabilities
Data source

As the owner of a data source, you can:

  • Edit the details of your data source.
  • Delete your data source.
  • Manually start a sync of your data source.

Additionally, you become the owner of all the data objects in your data source.

Data object

As the owner of a data object, you can:

  • Give access to your data object to others by creating or editing access controls. This means that if you are the owner of any data object, you can create access controls or edit your own access controls even without the Data Access → Create Access Controls global permission.
  • View who has access to your data object.
  • Get assigned to any access requests for your data object.
  • Remove your data object from any access control at any time to revoke access, even if you don't own the access control itself.

Additionally, you become the owner of all the data objects that are descendants of your data object.

Access control

As the owner of an access control, you can:

  • Edit your access control, including the name and the "who" definition. If you add or edit the data objects and access controls that you don't own, an access request is generated for the respective owners for approval.
  • Delete your access control.
  • View the complete "who" and "what" definitions of your access control.
  • View the audit log and issues associated with your access control.

Note: If you own all of the data objects in an access control that is created by someone else, you automatically gain permissions to view and edit the "who" definition, delete the access control, edit the access control name, and perform other actions, as if you were the owner of the access control itself.
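
The ownership rules above, including inheritance to descendant data objects and the Note about owning every data object in someone else's access control, can be checked against a small model. The following Python code is an added example, not part of the Data Access product or its API; the Model class, its fields, the one-owner-per-item simplification, the treatment of empty access controls, and the sample users and objects are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

MANAGE_ALL = "Data Access → Manage All Access"
CREATE_AC = "Data Access → Create Access Controls"

@dataclass
class Model:  # hypothetical toy model, not a Data Access API
    parent: dict = field(default_factory=dict)      # data object -> parent object or data source
    owner: dict = field(default_factory=dict)       # source / object / access control -> owner
    ac_objects: dict = field(default_factory=dict)  # access control -> data objects it covers
    perms: dict = field(default_factory=dict)       # user -> set of global permissions

    def is_super(self, user):
        # Manage All Access behaves like owning every source, object and control.
        return MANAGE_ALL in self.perms.get(user, set())

    def owns_object(self, user, obj):
        # Ownership is inherited from the data source and from ancestor objects.
        if self.is_super(user):
            return True
        while obj is not None:
            if self.owner.get(obj) == user:
                return True
            obj = self.parent.get(obj)
        return False

    def can_create_access_control(self, user):
        # Either the global permission, or ownership of at least one data object.
        return (CREATE_AC in self.perms.get(user, set())
                or any(self.owns_object(user, o) for o in self.parent))

    def acts_as_ac_owner(self, user, ac):
        # Real owner, or owner of ALL objects in the control (the Note above).
        # Assumption: an empty control grants nothing, avoiding a vacuous all().
        objs = self.ac_objects.get(ac, set())
        return (self.is_super(user) or self.owner.get(ac) == user
                or (bool(objs) and all(self.owns_object(user, o) for o in objs)))

    def can_remove_object(self, user, ac, obj):
        # An object owner can always pull their object out of any control.
        return obj in self.ac_objects.get(ac, set()) and (
            self.owns_object(user, obj) or self.acts_as_ac_owner(user, ac))

def sample_model():  # constructed sample data
    return Model(
        parent={"sales": "warehouse", "sales.orders": "sales", "hr": "warehouse"},
        owner={"warehouse": "alice", "sales": "bob", "ac_mixed": "carol"},
        ac_objects={"ac_orders": {"sales.orders"}, "ac_mixed": {"sales.orders", "hr"}, "ac_empty": set()},
        perms={"carol": {CREATE_AC}, "root": {MANAGE_ALL}},
    )
```

Running the same checks over an export of real owners and role assignments shows which users hold owner-equivalent rights on an access control without being listed as its owner.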