Document Hub Permissions¶
Alation Cloud Service Applies to Alation Cloud Service instances of Alation
Customer Managed Applies to customer-managed instances of Alation
In General Availability from Alation version 2024.3.2
In Public Preview from Alation version 2024.1 to 2024.3.1
Access and permissions for document hubs are determined by two factors:
User role—determines what actions you have rights to perform in general
Permissions for individual documents and folders—determines whether you have permission to perform actions on that specific object
To perform a given action, you must have a user role with rights to perform that action and you must have permission to perform that action on the specific object in question.
User Role¶
Your user role determines what actions you have rights to perform in general. The table below explains which roles can perform which actions.
Important
In addition to having the required user role, you must also have permissions to each specific folder or document.
For example, a Steward has the ability to edit documents, but they must also have edit permissions on the document itself and on the document’s parent folder to be able to edit it.
Action |
Viewer and Explorer |
Steward, Composer, and Source Admin |
Catalog Admin and Server Admin |
|---|---|---|---|
View document hubs, folders, and documents |
|
|
|
Create, edit, and delete documents |
|
|
|
Modify document permissions |
|
|
|
Add and remove documents from folders |
|
|
|
Edit and delete folders, upload data dictionaries for folders |
|
|
|
Modify folder permissions |
|
|
|
Create folders |
|
|
|
Create, edit, publish, and unpublish document hubs |
|
|
|
Permissions for Individual Documents and Folders¶
The permission settings on individual documents and folders determine whether you can access a particular document or folder within a document hub. By default, everyone can access documents and folders. Document hubs themselves are always visible to all users of the catalog, as long as someone has published them.
Permission Types¶
Documents and folders have two permission types:
View permission allows you to:
See the document or folder anywhere it appears in Alation.
Edit permission allows you to:
Edit title, description, trust flags (2025.1.1 and later), and custom fields. See Custom Field Permissions below for more information.
Modify permissions for the document or folder.
Delete the document or folder.
Add and remove documents from a folder.
Upload the data dictionary for a folder.
Documents can have their own permissions that override those of their parent folder. If a user has edit access to the folder but not to a specific document within it, that document will not be updated during a data dictionary upload. Document-level permissions take precedence over folder-level permissions during the data dictionary upload.
To perform an action, you must have the required permissions and the required user role. For example, you may have edit permission to a folder, but if you only have the Viewer role, you still won’t be able to edit the folder.
Inherited Permissions¶
Folder Permission Inheritance¶
Folders don’t inherit permissions from their parent folders. You must set permissions on each folder individually.
Document Permission Inheritance¶
Documents inherit permissions from their immediate parent folder by default. You can control access to a folder and all its immediate child documents by setting permissions on the folder.
You can also set permissions on each document individually. Document permissions override folder permissions. This means you could have a folder that’s private, but one of its documents could be public. In this situation, the document would be accessible, even though the folder itself isn’t. Users could access the public document through search, direct links to the document, or higher up folders or the Document Hub page with the Document table set to view all children.
In releases 2024.1 to 2024.3.1, if a document belongs to more than one folder, and the document is set to inherit permissions from its parent folders, the document will use the permissions that are more restrictive for the user who’s attempting to access it. For example, let’s say a document belongs to both Folder A and Folder B, and you’ve set the document to inherit permissions. You grant a user edit permissions to Folder A and view permissions to Folder B. The user will only have view permissions to the document.
Custom Field Permissions¶
Permissions for custom fields are separate from permissions for documents and folders. Granting a user view or edit permissions to a document doesn’t necessarily mean they have view or edit permissions on a custom field that’s associated with the document template. The user must have view or edit permissions for both the document and the custom field in order to view or edit the custom field’s value. See Add Permissions to a Custom Field for more information on how to add permissions to a custom field.
For documents and folders, permissions for trust flags are the same as the permissions for the document or folder. If a user has view or edit permissions on a document, they can also view or edit the trust flags for that document. Trust flags are available for documents and folders starting with release 2025.1.1.
Permanent Permissions¶
Catalog Admins and Server Admins always have both view and edit permissions for all folders and documents.
The creator of a folder or document is its owner and always has both view and edit permissions to it.
Note
The access settings dialog may not stop you from removing access from Catalog Admins, Server Admins, or the object’s creator. Even though it may appear that you’ve removed them, their access doesn’t change. Next time you open the access settings dialog, they will still show as having access.