About Validio RBAC
Validio Role-Based Access Control (RBAC) lets you manage users and resources in your Workspace with more granular role-based permissions to the platform. With Validio RBAC, you can organize users into different Teams and separate resources into Namespaces to ensure that each team manages and monitors their data independently.
Resources
You can categorize resources in Validio as either a Global resource or a Namespaced resource. All users can read global resources, such as catalog assets and lineage. Users can only access namespaced resources if they are assigned to teams that can access the namespace.
Global Resources | Namespaced Resources |
---|---|
Users, Teams, Namespaces, API Keys, Identity Providers, Catalog Assets, Lineage Connections (edges), Tags, dbt Runs, dbt Tests | Credentials, Sources, Validators, Segmentations, Windows, Incidents, Incident Groups, Source Errors, Channels, Notification Rules |
There are two root namespaced resources: Credentials and Channels. All other resources are created by using one of these root resources, and all resources inherit the same namespace as the linked root resource.
Teams
Teams are used to organize users into groups which you can base on business units or areas of responsibility within your organization. Different teams can configure and manage their own resources separate from other teams. For example, individual teams can see their data quality without it being affected by incidents that are happening in other teams.
For more information, see Managing Teams.
Namespaces
Namespaces are used to separate resources (such as channels, credentials, sources, validators, and so on) into isolated managed groups which you can then assign to relevant teams. Teams can only access the resources that are in their assigned namespaces.
Your namespace assignment controls the data that you will see in the UI:
- Overview: By default, the Overview page summarizes everything for all namespaces that you have access to, but you can also select a specific namespace.
- Credentials: Select a namespace when creating the credential.
- Sources: Assigned to the namespace of the credential that is used to create the source.
- Source details page: Validators are implicitly in the same namespace as the source parent.
- Validator details page: Segments and incidents are implicitly in the same namespace as their source parent.
- Catalog: Global, no namespace restrictions, but you will only see the sources that you have access to.
- Lineage: Global, no namespace restrictions, but you will only see the sources you have access to.
- Incidents: Namespace of the incident is the same as the source.
- Errors: Namespace of the errors is the same as the source.
- Notifications: Select a namespace when creating a channel, similar to credentials. Notification rules will use the namespace of the channel.
Note
When viewing global pages in the UI, such as Catalog and Lineage, you will see all the resources that you have permission to see and not just the permissions in the currently selected namespace.
For more information, see Managing Namespaces.
Permissions and Roles
Validio supports the following roles: Viewer, Admin, Editor. You can grant permissions to users and teams at the global or namespace level to control access to different resources in Validio.
Global permissions allow users to manage access to global resources (such as API keys, catalog assets, namespaces, tags, users, and teams) which are not tied to a specific namespace. Access to global resources follows these general rules:
- All users have Global: View access to read global resources such as Catalog assets and Lineage connections.
- Users require the Global: Admin role to create Users, Teams, and Namespaces, and to edit Users within Teams they are an Admin over. (Only Namespace: Admin can edit the Users and Teams in a namespace.)
- Users require the Global: Editor role to create and edit other global resources, such as Catalog assets, Lineage connections, and Identity providers.
Namespace-level permissions allow users and teams to manage their resources separately from other teams, as well as restrict access to the resources in other namespaces. Access to namespaced resources follows these general rules:
- Users require the Namespace: Viewer role to read all the resources in the namespace.
- Users require the Namespace: Editor role to edit all the resources in the namespace.
- Users require the Namespace: Admin role to edit the users and teams in the namespace.
Note
When you log into Validio for the first time using authentication tools, such as JumpCloud:
- You are automatically assigned Global: Viewer, which means that you can see which namespaces exist and see all catalog assets.
- You are automatically added to the default namespace, but you will require explicit access to additional namespaces.
For more information about the required roles to perform different operations on resources, see Resources and Required Roles.
User and Team Permissions
When creating a user, you assign the user a global role (Viewer, Admin, or Editor). You can then add the user into one or more teams, and the teams might have a different role when you assign them to a namespace.
- If a user is assigned to a namespace as part of one or more teams, the highest role is used.
- If a user is added directly to a namespace as a member, the membership role is used (the team permission is ignored).
Note
You can create users and assign them global-level roles that define the resources they can access. If a team is assigned to a namespace, you can override a particular user’s team role by adding that user directly to the namespace.
For more information, see Managing Users and Managing Teams.
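The two resolution rules above, written out as an added example (not Validio's code or API). The `Namespace` model, the function names and the sample users are hypothetical, and the ordering Viewer < Editor < Admin is an assumption used to pick the "highest" team role.

```python
from dataclasses import dataclass, field

# Assumption: "highest role" means Viewer < Editor < Admin.
RANK = {"Viewer": 1, "Editor": 2, "Admin": 3}

@dataclass
class Namespace:
    # Hypothetical model: team -> role, and user -> role for direct members.
    team_roles: dict = field(default_factory=dict)
    member_roles: dict = field(default_factory=dict)

def effective_role(user, user_teams, ns):
    """Return the user's role in ns, or None when they have no access."""
    # Direct membership wins and team permissions are ignored,
    # even when a team would have granted a higher role.
    if user in ns.member_roles:
        return ns.member_roles[user]
    # Otherwise the highest role across the user's teams applies.
    granted = [ns.team_roles[t] for t in user_teams if t in ns.team_roles]
    return max(granted, key=RANK.__getitem__, default=None)

def can(user, user_teams, ns, operation):
    """Namespaced resources: Read needs Namespace: Viewer;
    Create, Update and Delete need Namespace: Editor."""
    needed = "Viewer" if operation == "Read" else "Editor"
    role = effective_role(user, user_teams, ns)
    return role is not None and RANK[role] >= RANK[needed]

def overrides(ns, teams_by_user):
    """Access-review helper: direct members whose role differs from
    what their teams alone would grant -> (team_role, direct_role)."""
    teams_only = Namespace(team_roles=ns.team_roles)
    found = {}
    for user, direct in ns.member_roles.items():
        via_teams = effective_role(user, teams_by_user.get(user, []), teams_only)
        if via_teams != direct:
            found[user] = (via_teams, direct)
    return found

# Constructed sample data, not taken from a real workspace.
finance = Namespace(
    team_roles={"analysts": "Viewer", "data-eng": "Editor"},
    member_roles={"dana": "Viewer"},
)
TEAMS = {"alex": ["analysts", "data-eng"], "dana": ["data-eng"], "sam": ["marketing"]}
```

Here `dana` would be an Editor through `data-eng`, but her direct Viewer membership takes precedence, which is the kind of override worth listing during an access review.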
Resources and Required Roles
The following table summarizes the roles required to perform different operations on resources.
Resource | Operations | Required Role |
---|---|---|
Users, Teams, Namespaces, API Keys, Identity Providers, Catalog Assets, Lineage Connections, Tags | Read | Global: Viewer |
Catalog Assets, Lineage Connections, Tags | Create, Update, Delete | Global: Editor |
Users, Teams, API Keys, Identity Providers | Create, Update, Delete | Global: Admin |
dbt Runs, dbt Tests | Read | Global: Viewer |
dbt Runs, dbt Tests | Create, Update, Delete | Namespace: Editor¹ |
Namespaces | Read | Global: Viewer |
Namespaces | Create | Global: Admin |
Namespaces | Update, Delete | Global: Admin or Namespace: Admin |
App Namespaced Resources | Read | Namespace: Viewer |
App Namespaced Resources | Create, Update, Delete | Namespace: Editor |
¹ Validio checks the linked dbt credential to generate the upload key.