Area: Product Issues
Sub-Area: Permissions & Access Control — Ingestion Sources
Issue
Administrators want to grant certain users the ability to view ingestion source details, run history, logs, and configuration without providing full administrative privileges. Prior to DataHub v0.3.12, the only way to expose the Data Sources (Ingestion) menu to non-admin users was to assign the platform-level Manage Metadata Ingestion privilege, which also grants the ability to create, edit, delete, and execute ingestion sources. A dedicated view-only permission for ingestion sources allows organizations to create a class of read-only observers who can monitor ingestion health and troubleshoot issues without the risk of accidental or unauthorized configuration changes.
You Might Be Asking
- How do I let users see ingestion sources and logs without giving them edit access?
- Is there a way to grant read-only access to the Data Sources menu in DataHub?
- What policy setting controls view-only permissions for ingestion sources?
- Can I restrict ingestion access so users can only view, not modify, data source configurations?
Solution
DataHub supports granular, per-source ingestion permissions introduced in v0.3.12. These permissions are controlled through a Metadata Policy targeting the Ingestion Source resource type. Follow the steps below to configure view-only access.
Step 1: Enable the Feature Flag (Self-Hosted Deployments)
On DataHub Cloud (managed), this capability may already be enabled for your environment. For self-hosted deployments, the feature is gated behind a flag that must be set explicitly:
datahub-gms:
extraEnvs:
- name: VIEW_INGESTION_SOURCE_PRIVILEGES_ENABLED
value: "true"
After updating your deployment configuration, restart the datahub-gms service for the change to take effect.
Step 2: Create a Metadata Policy for View-Only Ingestion Access
- Navigate to Settings > Permissions > Policies in the DataHub UI.
- Click Create Policy.
- Select Metadata Policy as the policy type.
- Under Resource Type, select Ingestion Source.
- Under Privileges, select View Entity.
- Under Actors, assign the policy to the appropriate users or groups who should have view-only access.
- Save and activate the policy.
Available Ingestion Source Privileges (for reference)
VIEW_ENTITY_PRIVILEGE — View ingestion source details, configurations, run history, and logs (read-only)
EDIT_ENTITY_PRIVILEGE — Modify ingestion source configurations
DELETE_ENTITY_PRIVILEGE — Delete ingestion sources
EXECUTE_ENTITY_PRIVILEGE — Trigger ingestion runs
Assigning only VIEW_ENTITY_PRIVILEGE ensures that users can observe ingestion activity without being able to create, edit, delete, or execute any ingestion source.
What View-Only Users Can Access
- The Data Sources UI page and ingestion source listing
- Ingestion source configurations (read-only)
- Ingestion run history and execution logs
- Remote executor assignments and details
View-only users cannot create, edit, delete, or manually execute ingestion sources.
Additional Notes
- This feature was introduced in DataHub v0.3.12 as part of the Data Source Management redesign. Versions prior to v0.3.12 do not support granular ingestion source privileges; the only available option on older versions is the platform-level Manage Metadata Ingestion privilege, which grants full control.
- On self-hosted deployments, the feature flag
VIEW_INGESTION_SOURCE_PRIVILEGES_ENABLEDdefaults tofalseand must be explicitly set totrueto activate granular ingestion permissions. - On DataHub Cloud (managed), the feature may be enabled by your DataHub account team. Contact DataHub Support if the Ingestion Source resource type does not appear as an option when creating a Metadata Policy.
- The platform-level Manage Metadata Ingestion privilege overrides resource-specific policies. Do not assign this platform privilege to users who should have view-only access.
- Policies apply at the Ingestion Source entity level, meaning you can optionally scope them to specific ingestion sources rather than all sources.
Related Documentation
- UI-Based Ingestion — DataHub Docs
- Policies & Access Control — DataHub Docs
- DataHub Cloud Release Notes — v0.3.12
Tags: ingestion, view-only, permissions, metadata-policy, access-control, ingestion-source, platform-policy, data-sources, privilege, onboarding