Document Hub Permissions¶
Alation Cloud Service Applies to Alation Cloud Service instances of Alation
Customer Managed Applies to customer-managed instances of Alation
In General Availability from Alation version 2024.3.2
In Public Preview from Alation version 2024.1 to 2024.3.1
Access and permissions for document hubs are determined by two factors:
User role—determines what actions you have rights to perform in general
Permissions for individual documents and folders—determines whether you have permission to perform actions on that specific object
To perform a given action, you must have a user role with rights to perform that action and you must have permission to perform that action on the specific object in question.
User Role¶
Your user role determines what actions you have rights to perform in general. In addition to having the required user role, you must also have permissions to each specific folder or document.
The table below explains which roles can perform which actions.
Action |
Viewer and Explorer |
Steward, Composer, and Source Admin |
Catalog Admin and Server Admin |
|---|---|---|---|
View document hubs, folders, and documents |
|
|
|
Create, edit, and delete documents |
|
|
|
Modify document permissions |
|
|
|
Add and remove documents from folders |
|
|
|
Edit and delete folders |
|
|
|
Modify folder permissions |
|
|
|
Create folders |
|
|
|
Create, edit, publish, and unpublish document hubs |
|
|
|
Permissions for Individual Documents and Folders¶
The permission settings on individual documents and folders determine whether you can access a particular document or folder within a document hub. By default, documents and folders are accessible to everyone. Document hubs themselves are always visible to all users of the catalog, as long as they are published.
Permission Types¶
Documents and folders have two permission types:
View permission allows you to:
See the document or folder anywhere it appears in Alation.
Edit permission allows you to:
Edit title, description, and custom fields.
Modify permissions for the document or folder.
Delete the document or folder.
Add and remove documents from a folder.
In addition to having the required permissions, you must also have the required user role to perform an action. For example, you may be given edit permission to a folder, but if you only have the Viewer role, you still won’t be able to edit the folder.
Inherited Permissions¶
Documents inherit permissions from their parent folder by default. You can control access to a folder and all its documents by setting permissions on the folder. You can also set permissions on each document individually. Document permissions override folder permissions.
In releases 2024.1 to 2024.3.1, if a document belongs to more than one folder, and the document is set to inherit permissions from its parent folders, the document will use the permissions that are more restrictive for the user who’s attempting to access it. For example, let’s say a document belongs to both Folder A and Folder B, and the document is set to inherit permissions. A user is granted edit permissions to Folder A and view permissions to Folder B. The user will only have view permissions to the document.
Custom Field Permissions¶
Permissions for custom fields are separate from permissions for documents and folders. Granting a user edit permissions to a document doesn’t necessarily mean they have edit permissions on a custom field that’s associated with the document template. The user must have edit permissions for both the document and the custom field in order to edit the custom field’s value. Similar logic applies to view permissions.
Permanent Permissions¶
Catalog Admins and Server Admins always have both view and edit permissions for all folders and documents.
The creator of a folder or document is considered its owner and always has both view and edit permissions to it.
Note
The access settings dialog may not stop you from removing access from Catalog Admins, Server Admins, or the object’s creator. However, even though they appear to be removed, their access remains unchanged. Next time you open the access settings dialog, they will still be listed as having access.