Permissions in the Data Product Marketplace

Alation Cloud Service Applies to Alation Cloud Service instances of Alation

Overview

Permissions in the Data Product Marketplace (DPM) are scoped to the following levels:

Each level uses roles to assign permissions, and these roles are hierarchical - higher roles include all permissions of the roles below them.

Only App Administrators can manage app-wide settings and reassign ownership of marketplaces or products. Marketplace- and product-level roles must be granted by someone who already holds an admin role for that specific scope.

You must understand the difference between roles and permissions in Alation:

  • Roles are bundles of permissions assigned to users or groups.

  • Permissions are the actual actions a user can take (Example, product:update or marketplace:view).

Each user can have one role per scope (app, marketplace, product). Roles at each level define what the user can do in that context.

Similarly, in Alation, licenses and roles are separate but both must be satisfied:

  • Licenses (Example, Viewer, Creator) determine what features are available to a user.

  • Roles determine what actions the user is authorized to take within the DPM app.

Example:

  • A user must have a Creator license and be assigned a Marketplace Publisher role to publish a data product.

  • A user with the Product Admin role still can’t make changes unless they also have a license that allows access to the Data Product feature.

Default Role Assignment

Action

Default Role

Create a Marketplace

Marketplace Admin

Create a Data Product

Product Admin

Use the Marketplace

Marketplace Viewer

Use the App

Viewer (minimal)

App-level Admins can take over or reassign any resource if needed.

Role Hierarchies and Permission Scope

Permissions are scoped to each object and assigned independently. A user can be a Viewer in one marketplace, Admin in another, and have no access at all to a different one.

Each level has its own role structure.

App-Level Roles and Permissions

App-level roles govern the entire DPM application.

Role

Permissions

Default

License Required

Admin

Manages roles, delete marketplaces or products manage settings

Alation Server Admins

Creator

User

Creates marketplaces and products

Everyone

Creator

Viewer

Views content (read-only access)

Everyone

Viewer

App-level permissions are as follows:

Permission

Description

dpm:manage_roles

Manages roles for any resource

dpm:delete_marketplace

Deletes any marketplace

dpm:delete_data_product

Deletes any data product

dpm:manage_settings

Sets global DPM configuration

dpm:create_marketplace

Creates a new marketplace

dpm:create_data_product

Creates a new data product

Marketplace-Level Roles and Permissions

Marketplace roles control what users can perform within a single marketplace.

../../_images/marketplace-role-hierarchy.png

The follwoing table lists the roles and permissions available at the marketplace level:

Role

Permissions

Default

License Required

Admin

Full control (update, delete,assign roles) settings

Creator of the marketplace

Creator

Maintainer

Approve or unlist products

None

Creator

Product Manager

View marketplace usage data

None

Creator

Publisher

Request product listing

None

Creator

Viewer

View and search products

None

Viewer

Marketplace-level permissions are as follows:

Permission

Description

marketplace:update

Edits marketplace metadata, standards, and settings

marketplace:delete

Deletes any marketplace

marketplace:list_product

Approves product listing

marketplace:unlist_product

Removes product from marketplace

marketplace:manage_roles

Assigns marketplace roles

marketplace:view_aggregate_stats

Views high-level marketplace usage stats

marketplace:view_events

Views detailed event logs

marketplace:request_list_product

Requests to list a product

marketplace:view

Searches and browse products in the marketplace

Data Product-Level Roles and Permissions

Product roles are assigned per product, independently of the marketplace.

Role

Permissions

Default

License Required

Admin

Full control over product spec, versions, permissions settings

Creator of the data product

Creator

Viewer

View the product outside of any marketplace

Everyone

Viewer

Product-level permissions are as follows:

Permission

Description

product:manage_roles

Assigns roles for the data product

product:update

Edits the data product YAML

product:delete

Deletes the data product

product:view_events

Views data product usage events

product:view_aggregate_stats

Views product usage statistics

product:view

Views product metadata

Note

Marketplace visibility overrides product visibility. If a product is listed, any marketplace viewer can view it even if they don’t have product-level permissions.

Take Over a Marketplace or Product

Only Data Product Marketplace App Admins can change system-wide settings like the default marketplace.

Admin can reassign ownership if needed.

To take over a marketplace or product, follow these steps:

  1. Confirm that you have the App Admin role for the Data Product Marketplace.

  2. Identify the marketplaceId or productId to be reassigned.

  3. Use the appropriate API endpoint to update permissions:

    • /integration/data-products/v1/marketplace/{marketplace_id}/

    • /integration/data-products/v1/data-product/{product_id}/

Refer to the specification for the exact API to use.

  1. Send a PUT request to assign a new Admin role to another user or group.

  2. Optionally, remove the current admin from the resource.