Controlling group permissions
Once you have created your user groups and added the appropriate users to those groups (see Managing user groups), it is now time to allocate permissions to those groups.
User and dataset administration
Administration tasks are divided into user administration tasks and dataset administration tasks.
- User administration tasks consist of creating groups and adding/removing users from those groups.
- Dataset administration tasks consist of creating datasets, and granting access to those datasets, either individually or schema-wide.
It is recommended that you create separate user groups for user administration and for dataset administration.
For more information on all of the following commands, use the GeoSpock CLI's help command.
User administration permissions
Groups can have the following user administration permissions:
| Permission type | Access granted |
|---|---|
GRANT |
Users in the group can use group-permission-grant and group-permission-revoke. Refer to Granting user administration permissions to groups |
MODIFY |
Users in the group can use group-create, group-delete, group-add-user, group-remove-user and group-all-remove-user. Refer to Managing user groups |
VIEW |
Users in the group can use group-list and group-permission-list. Refer to Listing the groups and Listing user administration permissions |
Note that users with GRANT and/or MODIFY automatically get VIEW access as well.
Granting user administration permissions to groups
Use the following command to grant access to a group:
$ geospock group-permission-grant --group-name <group_name> --grant-type <grant-type>
This command requires the user running the command to have user administration GRANT permissions.
Example
Say that you want to give the GRANT permission to group userAdminGroup, you would use the
following command:
$ geospock group-permission-grant --group-name userAdminGroup --grant-type GRANT
{
"entityId": "userAdminGroup",
}
The optional arguments --subject-group-name <group-name> and --all-subject-groups have default values
which are currently the only values supported.
Listing user administration permissions
Use the following command to list all user administration permissions for a group, a user, or for all groups/users:
$ geospock group-permission-list --group-name <group-name> | --username <username>
Either --group-name or --username should be used, but not both. If neither is provided, all user administration
permissions are returned.
This command requires the user running the command to have user administration VIEW permissions.
Example
Say that you want to view the user administration rights of user user.admin@example.com, you would use
the following command:
$ geospock group-permission-list --username "user.admin@example.com"
{
"subjectGroupName": "*",
"permissions": [
"grantType": "MODIFY",
"entitiesWithAccess": [
"userAdmins"
]
]
}
This shows that user user.admin@example.com has MODIFY access through being a member of group userAdmins.
Revoking user administration permissions from groups
Use the following command to revoke access to a group:
$ geospock group-permission-revoke --group-name <group_name> --grant-type <grant-type>
This command requires the user running the command to have user administration GRANT permissions.
Dataset administration permissions
Schema-wide permissions
Groups can have the following schema-wide dataset permissions:
| Permission type | Dataset specified | Access granted |
|---|---|---|
GRANT |
* |
Users in the group can use dataset-permission-grant and dataset-permission-revoke for the default schema or any dataset in the default schema. Refer to Granting dataset permissions to groups |
MODIFY |
* |
Users in the group can use dataset-create, dataset-delete and dataset-add-data. Refer to Ingesting data |
VIEW |
* |
Users in the group can use dataset-list and dataset-permission-list. Refer to Listing dataset permissions |
READ |
* |
Users in the group can access all datasets in the default schema via the Presto CLI or a BI Tool integration. |
Here the * dataset refers to all datasets in the default schema. This is specified by using the --all-datasets
flag when granting permissions.
Note that users with GRANT and/or MODIFY automatically get VIEW access as well.
Dataset-level permissions
Additionally, you can control which specific datasets each group has access to:
| Permission | Dataset specified | Access granted |
|---|---|---|
READ |
<dataset name> |
Users in the group can access the specified dataset in the default schema via the Presto CLI or a BI Tool integration. |
Currently, dataset-level MODIFY, GRANT and VIEW access is not supported.
Granting dataset permissions to groups
Use the following command to grant schema-wide access to a group:
$ geospock dataset-permission-grant --group-name <group_name> --grant-type <grant-type> --all-datasets TRUE
This command requires the user running the command to have dataset administration GRANT permissions.
Example
Say that you want to grant the schema-wide GRANT permission to group datasetAdminGroup, you would use
the following command:
$ geospock dataset-permission-grant --group-name userAdminGroup --grant-type GRANT --all-datasets TRUE
{
"entityId": "userAdminGroup",
}
To grant to a group READ permissions on a specific dataset, refer to Giving a user group permission to access a specific dataset
Listing dataset permissions
The permissions for a particular dataset (both schema-wide and at dataset-level) are returned as part of a
dataset-status command; refer to Getting information about a dataset.
To list all dataset administration permissions for a group, a user, or for all groups/users, use the following command:
$ geospock dataset-permission-list --group-name <group-name> | --username <username>
Either --group-name or --username should be used, but not both. If neither is provided, all dataset administration
permissions are returned.
This command requires the user running the command to have the schema-wide dataset administration VIEW permissions.
Example
Say that you want to view the dataset administration rights of user dataset.admin@example.com, you would
use the following command:
$ geospock dataset-permission-list --username "dataset.admin@example.com"
{
"schemaName": "default",
"datasetName": "*",
"permissions": [
"grantType": "MODIFY",
"entitiesWithAccess": [
"datasetAdmins"
]
]
}
This shows that user dataset.admin@example.com has MODIFY access to all datasets in the default schema
through being a member of group datasetAdmins.
Revoking dataset administration permissions from groups
Use the following command to revoke schema-wide access from a group:
$ geospock dataset-permission-revoke --group-name <group_name> --grant-type <grant-type> --all-datasets TRUE
This command requires the user running the command to have dataset administration GRANT permissions.
To revoke READ access on a specific dataset from a group, refer to Removing access to a dataset from a user group