Area: Product
Sub-Area: Access Management
Issue
Users need clarification on how group-level permissions, ownership, and task assignments work in DataHub, specifically whether permissions and assignments propagate from groups to individual member users, and what the functional differences are between group owners and group members.
You Might Be Asking:
- Do tasks assigned to a group appear for all group members?
- If a group owns a dataset, do members inherit those permissions?
- What privileges distinguish a group owner from a group member?
- Are there cases where group permissions don't propagate to users?
- What are best practices for group-level assignments?
Solution
DataHub group permissions and assignments propagate to all group members with few exceptions.
Tasks and Notifications:
✅ Tasks assigned to a group ARE visible to all members - When a task is assigned to a group, every member sees it in their task list - All members can act on the task - Completing the task affects the group-level assignment
Dataset Ownership and Permissions:
✅ Group ownership grants permissions to all members - If a group is assigned as owner of a dataset, all group members inherit ownership permissions - Members can edit metadata, manage tags, and perform owner-level actions - Permissions are automatically granted/revoked as users join/leave the group
Group Owner vs. Group Member:
Group Owner Privileges: - Manage group membership (add/remove users) - Update group metadata (name, description) - All other permissions same as regular members
Group Member Privileges: - View group information - Receive group-level assignments and notifications - Inherit all group permissions and ownership - Cannot manage membership
The Only Difference: Membership management capability
Permission Propagation Rules:
✅ Permissions that propagate: - Dataset ownership - Role-based access control (RBAC) policies - Task assignments - Notification settings - Privileges granted to the group
❌ No known exceptions: - All group-level permissions apply to members - There are no documented cases where propagation fails
Configuration Example:
# Assign ownership to a group
mutation {
addOwners(
input: {
owners: [
{
ownerUrn: "urn:li:corpGroup:data-engineers",
type: TECHNICAL_OWNER
}
],
resourceUrn: "urn:li:dataset:(urn:li:dataPlatform:snowflake,db.schema.table,PROD)"
}
)
}
# Create a task for a group
mutation {
createTask(
input: {
name: "Review data quality",
assigneeUrn: "urn:li:corpGroup:data-engineers",
dueDate: "2025-12-31"
}
) {
urn
}
}
Best Practices:
- Use groups for team-based ownership rather than individual assignments
- Assign group owners to distribute membership management responsibility
- Leverage groups for RBAC policies to simplify permission management
- Document group purposes in the group description
- Regularly audit group memberships to ensure they reflect current team structures
Additional Notes
- Group changes (membership, ownership) may take a few minutes to propagate through the system
- Groups can be synchronized from external identity providers (LDAP, Active Directory, Okta)
- Nested groups are not currently supported
- Group deletion requires removing all ownership assignments first
Related Documentation
Related Tickets
- 5358
Tags: groups, permissions, access-management, rbac, ownership, tasks, notifications, group-members, authorization