Dataset Level Access (DLA)
Dataset Level Access gives a user/group access to all datasets registered under a specific domain, including datasets created in the future.
The access type is the same as the access provided on the domain:
- Full access group/user -> owner access
- Read-only access group/user -> read-only access
Only a user with owner permissions on a domain can provide DLA on the domain to other users/groups.
Different scenarios considering DLA
- If domain access is provided to a user/group:
  - Provides the regular domain access and ALSO provides the DLA (if requested) for the specific domain.
- If DLA is provided to a user/group:
  - Access to all datasets in the domain is provided.
- If DLA is revoked for a user/group:
  - Revokes ONLY the DLA, not the regular domain access.
  - Dataset access is reset to the state it was in before the DLA was provided.
- If domain access is revoked for a user/group:
  - Revokes the regular domain access and ALSO revokes the DLA (if provided) for the specific domain.
  - Dataset access is reset to the state it was in before the DLA was provided.
- For LF datasets, Dataset Level Access is given only to existing datasets, not to future datasets.
- Dataset Level Access does not provide access to TBAC-enabled datasets.
Dataset Level Access can be provided in the following ways:
DLA through Groups
A user can provide DLA on the required domains through Groups, as with any other resource (such as Datasets or Dashboards), based on the user's access to the specific domain. If DLA is provided for a domain in a group, it applies to all members of the group, like any other resource, based on the group type.
UI Process
- Navigate to Groups listing page.
- Click on group options for the required group.
- Click on 'Update Resources' and select the 'Resource Type' as Domains.
- Select the required domain(s) from the Domains dropdown or proceed with the existing domains in the group.
- The selection above auto-populates a 'Domain Dataset Level Access' toggle for each domain.
- Toggle ON against the required domain to provide Dataset Level Access.
The following image shows the provision of DLA for a specific domain through Groups:
API Process
API → groups/{group_id}/domains & PUT method
{"DomainNames": [
{"airline": {"IsDatasetLevelAccessProvided": true}},
{"movies": {"IsDatasetLevelAccessProvided": false}}
]}
DLA for user through specific domain (Resource Sharing)
A user can provide DLA through Resource Sharing of a specific domain. If DLA is provided to a specific user, it is provided with the selected access type.
UI Process
- Navigate to Domain details page for the specific domain.
- Click on share options for the domain.
- Click on 'Provide Access' button and select the User and the Access Type to provide.
- Toggle ON the 'Add Dataset level access' option.
- Click on the checkmark icon.
The following image shows the provision of DLA for a user through the specific domain's details page:
To provide DLA to a user/group that already has access to the domain, click on the 'Provide Dataset Access' option in the Share domain panel.
To revoke DLA from a user/group without removing the domain permissions, click on the 'Revoke Dataset Access' option in the Share domain panel.
API Process
API → domains/{domain_name}/users/{user_id}/grants & POST method
{
"AccessType": "owner",
"IsDatasetLevelAccessProvided": false
}
API → domains/{domain_name}/users/{user_id}/grants & PUT method
{
"AccessType": "read-only",
"IsDatasetLevelAccessProvided": true
}
API → domains/{domain_name}/users/{user_id}/grants & PUT method
{
"AccessType": "read-only",
"IsDatasetLevelAccessProvided": false
}
API → domains/{domain_name}/users/{user_id}/grants & DELETE method
- The 'Remove user' action on the specified domain (Authorized Users) uses the same API/UI, but it also revokes the DLA, if provided, along with the regular domain access.
DLA for group through specific domain (Resource Sharing)
A user can provide DLA through the share option of a specific domain. If DLA is provided to a specific group, it applies to all members of the group, like any other resource, based on the group type.
UI Process
The UI process is similar to the process followed for a user. Select the group instead of the user here.
The following image shows the provision of DLA for a group through the specific domain's details page:
API Process
API → groups/{group_id}/domains & PUT method
The groups/{group_id}/{resource} PUT API is the same whether the user performs the action from Authorized Groups or from the Groups listing page.
So, to perform any DLA group action on a domain, the user needs to send the information for all the domains in the group along with the new update for the specific domain.
In the payload below, only the airline entry is changed; the movies entry is sent as it currently exists.
{"DomainNames": [
{"airline": {"IsDatasetLevelAccessProvided": false}},
{"movies": {"IsDatasetLevelAccessProvided": false}}
]}
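Because the group PUT body has to list every domain in the group, a script that changes DLA on one domain should derive the body from the group's current state and confirm that nothing else moved. The following is an added example, not code from the product: the helper names are hypothetical, and it assumes the group's current domain list is available in the same shape as the PUT body shown above.

```python
import copy

FLAG = "IsDatasetLevelAccessProvided"  # key name used in the page's payloads


def _as_map(payload):
    """Flatten {"DomainNames": [{name: {FLAG: bool}}, ...]} into {name: bool}."""
    result = {}
    for entry in payload["DomainNames"]:
        if len(entry) != 1:
            raise ValueError(f"expected one domain per entry, got {entry!r}")
        (name, settings), = entry.items()
        if name in result or not isinstance(settings.get(FLAG), bool):
            raise ValueError(f"duplicate or malformed entry for {name!r}")
        result[name] = settings[FLAG]
    return result


def changed_domains(current, proposed):
    """Return {domain: (old, new)} for entries that differ; None means absent."""
    old, new = _as_map(current), _as_map(proposed)
    return {d: (old.get(d), new.get(d))
            for d in sorted(old.keys() | new.keys())
            if old.get(d) != new.get(d)}


def build_dla_update(current, domain, enable):
    """Build the full PUT body: every existing domain as-is, except `domain`."""
    if domain not in _as_map(current):
        raise KeyError(f"{domain!r} is not a domain of this group")
    proposed = copy.deepcopy(current)
    for entry in proposed["DomainNames"]:
        if domain in entry:
            entry[domain][FLAG] = enable
    # Refuse to emit a body that touches any domain other than the target.
    extra = set(changed_domains(current, proposed)) - {domain}
    if extra:
        raise RuntimeError(f"unexpected changes to {sorted(extra)}")
    return proposed


# Constructed sample: the group's current domains, assumed to be available in
# the same shape as the PUT body shown on this page.
CURRENT = {"DomainNames": [
    {"airline": {FLAG: True}},
    {"movies": {FLAG: False}},
]}
```

changed_domains can also be run on a hand-written body before it is sent: any domain reported besides the intended one, or reported with a new value of None, is a difference from the group's current state that needs review.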