Area: Product Issues
Sub-Area: Ingestion Source Access Control & Policy Configuration
Issue
Administrators may need to grant certain users or teams the ability to trigger (run) an ingestion source on demand without allowing them to view or modify the underlying recipe, credentials, schedule, or other configuration. By default, it may not be obvious that DataHub supports this level of granularity for ingestion source permissions, or that a feature flag must be enabled before resource-scoped ingestion policies take effect in the UI.
You Might Be Asking
- Can I let a user run an ingestion pipeline without letting them edit the recipe or secrets?
- Does granting "Execute" on an ingestion source also grant "Edit" access?
- Why aren't my resource-scoped ingestion source policies appearing or taking effect in the UI?
- What feature flag is required to enable fine-grained ingestion source privileges?
Solution
-
Understand the four independently grantable ingestion source privileges.
DataHub supports four separate, resource-level privileges on the
dataHubIngestionSourceentity type. Each is independently grantable and none implies any other:- View — Allows a user to see the ingestion source and its metadata in the UI.
- Edit — Allows a user to modify the ingestion source configuration, including the recipe, schedule, and secrets.
- Delete — Allows a user to remove the ingestion source entirely.
- Execute — Allows a user to trigger/run the ingestion source. This is the run-only permission; users can kick off a pipeline but cannot view or modify the underlying recipe, credentials, or configuration.
Granting
Executedoes not implyEdit. These are completely separate privileges. -
Enable the required feature flag.
Resource-scoped ingestion source policies require the
VIEW_INGESTION_SOURCE_PRIVILEGES_ENABLEDfeature flag to be activated in your DataHub deployment. This flag is not enabled by default. For DataHub Cloud deployments, contact your DataHub support or customer success team to have this flag enabled in your target environment(s).# Feature flag required for fine-grained ingestion source privileges: VIEW_INGESTION_SOURCE_PRIVILEGES_ENABLED=true -
Create a custom resource-scoped policy granting only Execute (and optionally View).
Once the feature flag is enabled, navigate to Settings > Policies in the DataHub UI and create a new policy with the following configuration:
- Policy Type: Metadata Policy
-
Resource Type: Ingestion Source (
dataHubIngestionSource) - Resources: Select specific ingestion source(s) or choose "All" to apply broadly
-
Privileges: Check
Execute(andViewif users need to see the source in the UI). LeaveEditandDeleteunchecked. - Users/Groups: Assign the policy to the intended users or groups.
Users assigned this policy will be able to trigger ingestion runs but will not be able to alter the recipe, schedule, or any associated secrets.
-
Consider the impact on existing broad policies.
Once the feature flag is enabled, any policy scoped to "All" resource types will automatically include ingestion sources. This means that users with default read-all or broad metadata policies may gain visibility into the Data Sources page. If you have view-only users who should not see ingestion sources, review and tighten your existing policies before enabling the flag in production environments.
The recommended rollout approach is:
- Enable the flag in a non-production (development or staging) environment first.
- Validate policy behavior and UI visibility for all relevant user groups.
- Adjust any broad policies as needed.
- Roll out the flag to production once the configuration is confirmed.
-
Verify the policy is working as expected.
Log in as a test user who has been granted only the
Executeprivilege on the ingestion source. Confirm that:- The user can trigger a run of the ingestion source.
- The user cannot access or modify the recipe, credentials, or schedule.
- The user cannot delete the ingestion source.
Additional Notes
The VIEW_INGESTION_SOURCE_PRIVILEGES_ENABLED feature flag must be enabled per environment (e.g., separately for development and production). This is a supported capability, not a workaround. As of the time of writing, enabling this flag on DataHub Cloud requires coordination with the DataHub support team; self-service flag management may vary depending on your deployment type and version. Additionally, once enabled, the ingestion tab becomes visible to any user who has default view access through a broad "All resources" policy — audit your existing policies before enabling in production to avoid unintended exposure of ingestion source metadata.
Related Documentation
Tags: ingestion, permissions, access-control, policies, execute-ingestion, resource-scoped-policies, feature-flag, ingestion-source, role-management, least-privilege