Area: API
Sub-Area: Authentication & Authorization
Issue
Users with reader or editor roles receive a "403 Unauthorized" error when attempting to create personal access tokens via the GraphQL API. The error message states "Unauthorized to perform this action. Please contact your DataHub administrator." This issue occurs even when the user token appears valid and works for other operations.
Common Error Messages:
Unauthorized to perform this action. Please contact your DataHub administrator."code": 403, "type": "UNAUTHORIZED", "classification": "DataFetchingException"
You Might Be Asking:
- Can editor or reader users create personal access tokens?
- Why does my token work for some operations but not for creating new tokens?
- What's the difference between creating tokens for myself vs. for other users?
Solution
Personal access token creation in DataHub requires specific privileges:
- To create tokens for yourself: You need the "Generate Personal Access Tokens" privilege
- To create tokens for other users: You need the "Manage All Access Tokens" privilege (typically admin-only)
Important distinction: - Editors CAN create personal access tokens for themselves if they have the "Generate Personal Access Tokens" privilege - Readers typically cannot create tokens - Only users with "Manage All Access Tokens" can create tokens on behalf of other users
When using the createAccessToken mutation, ensure the actorUrn parameter matches your own user URN if you're not an admin:
mutation {
createAccessToken(input: {
type: PERSONAL,
actorUrn: "urn:li:corpuser:YOUR_USERNAME", # Use your own username
duration: NO_EXPIRY,
name: "My Token Name",
description: "Token description"
}) {
accessToken
}
}
Additional Notes
- By design, DataHub restricts token creation to maintain security
- If you need to create tokens for service accounts or other users, contact your DataHub administrator to request admin privileges
- Token permissions are separate from general read/write permissions on datasets
Related Documentation
Related Tickets
- 5565
Tags:
personal-access-token, authentication, authorization, graphql-api, 403-error, privileges, permissions, api-security