Managing administrator access
Administration is performed by the grouping of users into user groups and granting administration permissions to those groups; refer to Managing group access for an introduction to user groups including creation of groups and adding users to groups.
User administration
User groups can have the following user administration permissions:
| Permission type | Access granted |
|---|---|
GRANT |
Users in that group can use group-permission-grant and group-permission-revoke. Refer to Granting user administration permissions to groups |
MODIFY |
Users in that group can use group-create, group-delete, group-add-user, group-remove-user and group-all-remove-user. Refer to Group Management |
VIEW |
Users in that group can use group-list and group-permission-list. Refer to Listing user administration permissions |
Note that users with GRANT and/or MODIFY automatically get VIEW access as well.
Granting user administration permissions to groups
Use the following command to grant access to a group:
geospock group-permission-grant --group-name <group_name> --grant-type <grant-type>
Say, for example, that you want to give the GRANT permission to group userAdminGroup, you would use the following command:
geospock group-permission-grant --group-name userAdminGroup --grant-type GRANT
{
"entityId": "userAdminGroup",
}
The optional arguments --subject-group-name <group-name> and --all-subject-groups have default values which are
currently the only values supported.
For more information about this command, use the GeoSpock CLI's help command.
This command requires user administration GRANT permissions for the user running the command.
Listing user administration permissions
Use the following command to list all user administration permissions for a group, a user or for all groups/users:
geospock group-permission-list --group-name <group-name> | --username <username>
Either --group-name or --username should be used, but not both. If neither is provided, all user administration
permissions are returned.
Say, for example, that you want to view the user administration rights of user user.admin@example.com, you would use
the following command:
geospock group-permission-list --username "user.admin@example.com"
{
"subjectGroupName": "*",
"permissions": [
"grantType": "MODIFY",
"entitiesWithAccess": [
"userAdmins"
]
]
}
This shows that user user.admin@example.com has MODIFY access through being a member of group userAdmins.
Dataset administration
Schema-wide permissions
User groups can have the following schema-wide dataset administration permissions:
| Permission type | Dataset specified | Access granted |
|---|---|---|
GRANT |
* |
Users in that group can use dataset-permission-grant and dataset-permission-revoke for the default schema or any dataset in the default schema. Refer to Granting dataset administration access to groups |
MODIFY |
* |
Users in that group can use dataset-create, dataset-delete and dataset-add-data. Refer to Ingesting source input data |
VIEW |
* |
Users in that group can use dataset-list and dataset-permission-list. Refer to Granting dataset administration access to groups |
READ |
* |
Users in that group can access all datasets in the default schema via the Presto CLI or a BI Tool integration. |
Here the * dataset refers to all datasets in the default schema. This is specified by using the --all-datasets
flag when granting permissions.
Note that users with GRANT and/or MODIFY automatically get VIEW access as well.
Dataset-level permissions
User groups can have the following dataset-level administration permissions:
| Permission | Dataset specified | Access granted |
|---|---|---|
READ |
<dataset name> |
Users in that group can access the specified dataset in the default schema via the Presto CLI or a BI Tool integration. |
Currently, dataset-level MODIFY, GRANT and VIEW access is not supported.
Granting dataset permissions to groups
Use the following command to grant schema-wide access to a group:
geospock dataset-permission-grant --group-name <group_name> --grant-type <grant-type> --all-datasets TRUE
Say, for example, that you want to grant the schema-wide GRANT permission to group datasetAdminGroup, you would use
the following command:
geospock dataset-permission-grant --group-name userAdminGroup --grant-type GRANT --all-datasets TRUE
{
"entityId": "userAdminGroup",
}
To grant READ permissions to a dataset to a group, refer to Adding permissions to your ingested data
For more information about this command, use the GeoSpock CLI's help command.
This command requires user administration GRANT permissions for the user running the command.
Listing dataset permissions
The permissions for a particular dataset (both schema-wide and as dataset-level) are returned as part of a
dataset-status command; refer to Getting information about a dataset
Use the following command to list all dataset administration permissions for a group, a user or for all groups/users:
geospock dataset-permission-list --group-name <group-name> | --username <username>
Either --group-name or --username should be used, but not both. If neither is provided, all dataset administration
permissions are returned.
Say, for example, that you want to view the dataset administration rights of user dataset.admin@example.com, you would
use the following command:
geospock dataset-permission-list --username "dataset.admin@example.com"
{
"schemaName": "default",
"datasetName": "*",
"permissions": [
"grantType": "MODIFY",
"entitiesWithAccess": [
"datasetAdmins"
]
]
}
This shows that user dataset.admin@example.com has MODIFY access to all datasets in the default schema
through being a member of group datasetAdmins.