Area: Deployment
Sub-Area: Authorization
Issue
Role-Based Access Control (RBAC) policies configured in DataHub are not being enforced, users have incorrect permissions, or policy changes are not taking effect immediately. This commonly occurs due to policy evaluation order, incorrect actor specification, or caching issues.
Common Error Messages:
Access denied: insufficient permissionsUser not authorized to perform actionPolicy evaluation failed
You Might Be Asking:
- How do I restrict access to specific datasets?
- Why can users still see data after I restricted it?
- How do DataHub policies work?
Solution
- Create a basic access policy via UI:
1. Navigate to Settings → Permissions → Policies
2. Click "Create Policy"
3. Configure:
- Type: Metadata (for read/write) or Platform (for admin)
- Name and description
- Resources: Which assets (datasets, dashboards, etc.)
- Privileges: What actions (View, Edit, Delete, etc.)
- Actors: Who (users, groups, roles)
4. Activate policy
5. Clear cache or wait ~1 minute for policy to take effect
- Create policy via GraphQL:
mutation createPolicy {
createPolicy(
input: {
type: METADATA
name: "Finance Team Dataset Access"
description: "Allow finance team to view finance datasets"
state: ACTIVE
resources: {
filter: {
criteria: [
{
field: "RESOURCE_TYPE"
values: ["dataset"]
},
{
field: "TAG"
values: ["urn:li:tag:Finance"]
}
]
}
}
privileges: ["VIEW_DATASET_PROFILE", "VIEW_DATASET_USAGE"]
actors: {
users: ["urn:li:corpuser:john.doe"]
groups: ["urn:li:corpGroup:finance-team"]
}
}
)
}
- Common policy patterns:
# Restrict PII data to specific team
Resources:
- Type: dataset
- Tag: PII
Privileges:
- VIEW_DATASET_PROFILE
Actors:
- Group: data-governance-team
# Allow domain owners to edit their domain's assets
Resources:
- Type: dataset
- Domain: Marketing
Privileges:
- EDIT_DATASET_PROPERTIES
- EDIT_TAGS
- EDIT_OWNERS
Actors:
- Domain: Marketing (all members)
# Restrict delete permissions to admins only
Resources:
- Type: ALL
Privileges:
- DELETE
Actors:
- Role: Admin
- Debug policy issues:
# Check policy evaluation logs
kubectl logs deployment/datahub-gms | grep "policy\|authorization"
# Verify user's effective permissions
curl -X POST http://localhost:8080/api/graphql \
-H "Authorization: Bearer USER_TOKEN" \
-d '{"query": "{ me { privileges } }"}'
# Clear policy cache
curl -X POST http://localhost:8080/api/v2/system/clearCache \
-H "Authorization: Bearer ADMIN_TOKEN"
- Policy evaluation order:
DataHub evaluates policies in this order:
1. Platform policies (admin-level)
2. Metadata policies (resource-level)
3. Default deny (if no policy grants access)
Most specific policy wins:
- Resource-specific > Resource type > All resources
- User-specific > Group-specific > All users
Additional Notes
Policies may take up to 1 minute to propagate due to caching. Users need to refresh their session (logout/login) to see new permissions take effect. Use the "Simulate Policy" feature in UI to test policies before activation.
Related Documentation
Tags:
rbac, policies, permissions, authorization, access-control, security, groups, roles, privileges