Area: UI
Sub-Area: Permissions & Access Control
Issue
Users with edit permissions on datasets are unable to add notes to columns despite having the expected metadata editing capabilities through their assigned groups or roles. When clicking "Add Note" on a column, the option may appear disabled or unavailable. This occurs when the user lacks the specific platform privilege required for this feature.
You Might Be Asking:
- What privilege is needed to add notes to columns?
- Why can't users add notes even though they have edit rights on datasets?
- Is the privilege for adding column notes the same as creating home page announcements?
- How do I grant users the ability to add notes without giving them full admin access?
- Why can I see the "Add Note" button but get an error when I try to create a note?
Solution
The ability to add notes to columns requires the "Create Global Announcements" platform privilege. This privilege is included by default in the Admin and Editor roles, but not in the Reader role.
How the Feature Works:
When you click "Add Note" on a column, it creates an announcement (post) on that specific column entity. The system checks for either the MANAGE_GLOBAL_ANNOUNCEMENTS or CREATE_GLOBAL_ANNOUNCEMENTS privilege before allowing the action.
To Grant This Privilege:
Option 1: Assign Editor Role (recommended for users who need broader editing capabilities)
- Navigate to Settings > Users & Groups > Users
- Find the user who needs access
- Change their role from Reader to Editor
- The user will now have the "Create Global Announcements" privilege along with other editing capabilities
Option 2: Create a Custom Policy (for granular control)
- Navigate to Settings > Permissions > Policies
- Click "Create new policy"
- Configure the policy to grant the
MANAGE_GLOBAL_ANNOUNCEMENTSorCREATE_GLOBAL_ANNOUNCEMENTSprivilege - Apply the policy to specific users or groups who need only this capability
Verifying User Permissions:
If a user belongs to a group that should have edit rights, verify: - The group has a policy granting the appropriate privilege - The user is correctly added as a member of that group - Group-level permissions are properly configured in Settings > Permissions > Policies
Additional Notes
UI Behavior Quirk:
The "Add Note" button is visible to ALL users who can view the schema, including those with only the Reader role. This can be confusing because the button appears clickable even when users lack the required privilege. The permission check only occurs when the user clicks "Create" in the note creation modal. At that point, users without the proper privilege will see the error message:
"Unauthorized to create posts. Please contact your DataHub administrator..."
This behavior occurs because the SchemaEditableContext defaults to true and doesn't perform an upfront permission check. If users report seeing the "Add Note" button but receive an authorization error, this is the expected behavior - they need the "Create Global Announcements" privilege to actually create notes.
Important Distinction: The "Create Global Announcements" privilege is NOT the same as "Manage Home Page Posts": - Create Global Announcements: Allows adding notes/announcements to entity pages (datasets, columns, dashboards, etc.) - Manage Home Page Posts: Allows creating announcements on the DataHub home page
The naming is legacy from when entity notes were originally conceived as "entity announcements" that are visible across the platform.
Default Role Permissions: - Admin role: Has MANAGE_GLOBAL_ANNOUNCEMENTS ✓ - Editor role: Has MANAGE_GLOBAL_ANNOUNCEMENTS ✓ - Reader role: Does NOT have this privilege ✗
Related Documentation
Related Tickets
- #6290
Tags: permissions, privileges, create-global-announcements, entity-notes, column-notes, access-control, editor-role, reader-role, admin-role, metadata-editing, ui-permissions, rbac, unauthorized-error