Area: Product
Sub-Area: Access Management
Issue
Users experience unexpected permission behavior, including retained privileges after role changes, inability to perform expected actions with their assigned role, or confusion about role-based access controls.
Solution
Note: For DataHub Cloud customers, infrastructure-level changes (Kubernetes, AWS resources, operating system configurations) are managed by DataHub Support. The solutions below focus on configuration changes that customers can implement.
Understand role change caching:
- Permission changes may be cached for a few minutes
- After changing roles, wait 5-10 minutes or clear browser cache and log out/in
- Cached privileges from previous roles will expire automatically
Verify role assignments:
- Check Settings → Users & Groups to confirm current role assignment
- Ensure the user is not a member of multiple groups with conflicting permissions
- Review active policies that may grant additional privileges
Check ownership vs role permissions:
- Asset owners have edit permissions regardless of their role
- If a user can edit despite being a Reader, check if they are listed as an owner
- Remove ownership to enforce role-based permissions only
Review group-based permissions:
- All group members inherit group-level permissions
- Check if the user is part of a group with elevated privileges
- Group permissions override individual role restrictions in most cases
Understand default role capabilities:
- Reader: View-only access, cannot edit or publish
- Editor: Can edit metadata, add tags, documentation
- Admin: Full platform administration capabilities
Additional Notes
Always backup your DataHub configuration before making changes. Test solutions in a non-production environment when possible.
Related Documentation
Related Tickets: - 5829, 5814, 5718, 5638, 5937, 5921, 5908, 5779
Related Tickets
- 5829, 5814, 5718, 5638, 5937, 5921, 5908, 5779
Tags:
permissions, rbac, access-control, troubleshooting