Controlling group permissions

Once you have created your user groups and added the appropriate users to them (see Managing user groups), you can allocate permissions to those groups.

User and dataset administration

Administration tasks are divided into user administration tasks and dataset administration tasks.

  • User administration tasks consist of creating groups and adding/removing users from those groups.
  • Dataset administration tasks consist of creating datasets, and granting access to those datasets, either individually or schema-wide.

It is recommended that you create separate user groups for user administration and for dataset administration.

For more information on all of the following commands, use the GeoSpock CLI's help command.

User administration permissions

Groups can have the following user administration permissions:

Permission type | Access granted
GRANT | Users in the group can use group-permission-grant and group-permission-revoke. Refer to Granting user administration permissions to groups.
MODIFY | Users in the group can use group-create, group-delete, group-add-user, group-remove-user and group-all-remove-user. Refer to Managing user groups.
VIEW | Users in the group can use group-list and group-permission-list. Refer to Listing the groups and Listing user administration permissions.

Note that users with GRANT and/or MODIFY automatically get VIEW access as well.

Granting user administration permissions to groups

Use the following command to grant access to a group:

$ geospock group-permission-grant --group-name <group_name> --grant-type <grant-type>

This command requires the user running the command to have user administration GRANT permissions.

Example

To give the GRANT permission to group userAdminGroup, use the following command:

$ geospock group-permission-grant --group-name userAdminGroup --grant-type GRANT
{
    "entityId": "userAdminGroup"
}

The optional arguments --subject-group-name <group-name> and --all-subject-groups have default values which are currently the only values supported.

Listing user administration permissions

Use the following command to list all user administration permissions for a group, a user, or for all groups/users:

$ geospock group-permission-list --group-name <group-name> | --username <username>

Either --group-name or --username should be used, but not both. If neither is provided, all user administration permissions are returned.

This command requires the user running the command to have user administration VIEW permissions.

Example

To view the user administration rights of user user.admin@example.com, use the following command:

$ geospock group-permission-list --username "user.admin@example.com"
{
    "subjectGroupName": "*",
    "permissions": [
        {
            "grantType": "MODIFY",
            "entitiesWithAccess": [
                "userAdmins"
            ]
        }
    ]
}

This shows that user user.admin@example.com has MODIFY access through being a member of group userAdmins.

Revoking user administration permissions from groups

Use the following command to revoke access from a group:

$ geospock group-permission-revoke --group-name <group_name> --grant-type <grant-type>

This command requires the user running the command to have user administration GRANT permissions.

Dataset administration permissions

Schema-wide permissions

Groups can have the following schema-wide dataset permissions:

Permission type | Dataset specified | Access granted
GRANT | * | Users in the group can use dataset-permission-grant and dataset-permission-revoke for the default schema or any dataset in the default schema. Refer to Granting dataset permissions to groups.
MODIFY | * | Users in the group can use dataset-create, dataset-delete and dataset-add-data. Refer to Ingesting data.
VIEW | * | Users in the group can use dataset-list and dataset-permission-list. Refer to Listing dataset permissions.
READ | * | Users in the group can access all datasets in the default schema via the Presto CLI or a BI Tool integration.

Here the * dataset refers to all datasets in the default schema. This is specified by using the --all-datasets flag when granting permissions.

Note that users with GRANT and/or MODIFY automatically get VIEW access as well.

Dataset-level permissions

Additionally, you can control which specific datasets each group has access to:

Permission type | Dataset specified | Access granted
READ | <dataset name> | Users in the group can access the specified dataset in the default schema via the Presto CLI or a BI Tool integration.

Currently, dataset-level MODIFY, GRANT and VIEW access is not supported.

Granting dataset permissions to groups

Use the following command to grant schema-wide access to a group:

$ geospock dataset-permission-grant --group-name <group_name> --grant-type <grant-type> --all-datasets TRUE

This command requires the user running the command to have dataset administration GRANT permissions.

Example

To grant the schema-wide GRANT permission to group datasetAdminGroup, use the following command:

$ geospock dataset-permission-grant --group-name datasetAdminGroup --grant-type GRANT --all-datasets TRUE
{
    "entityId": "datasetAdminGroup"
}

To grant a group READ permissions on a specific dataset, refer to Giving a user group permission to access a specific dataset.

Listing dataset permissions

The permissions for a particular dataset (both schema-wide and at dataset-level) are returned as part of a dataset-status command; refer to Getting information about a dataset.

To list all dataset administration permissions for a group, a user, or for all groups/users, use the following command:

$ geospock dataset-permission-list --group-name <group-name> | --username <username>

Either --group-name or --username should be used, but not both. If neither is provided, all dataset administration permissions are returned.

This command requires the user running the command to have the schema-wide dataset administration VIEW permissions.

Example

To view the dataset administration rights of user dataset.admin@example.com, use the following command:

$ geospock dataset-permission-list --username "dataset.admin@example.com"
{
    "schemaName": "default",
    "datasetName": "*",
    "permissions": [
        {
            "grantType": "MODIFY",
            "entitiesWithAccess": [
                "datasetAdmins"
            ]
        }
    ]
}

This shows that user dataset.admin@example.com has MODIFY access to all datasets in the default schema through being a member of group datasetAdmins.
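The recommendation to keep user administration and dataset administration in separate groups can be checked from the two listings. The following is an added example, not part of the GeoSpock documentation or tooling: it assumes the listings are available as a list of records in the shape shown above (each permissions entry an object with grantType and entitiesWithAccess), and the group and dataset names in the sample data are constructed.

```python
import json

# Constructed sample records in the shape of the listing examples on this page.
# Assumption: the listing is a list of such records; group names are made up.
USER_ADMIN_LISTING = json.loads("""
[{"subjectGroupName": "*", "permissions": [
    {"grantType": "GRANT",  "entitiesWithAccess": ["userAdmins"]},
    {"grantType": "MODIFY", "entitiesWithAccess": ["userAdmins", "platformOps"]}]}]
""")
DATASET_ADMIN_LISTING = json.loads("""
[{"schemaName": "default", "datasetName": "*", "permissions": [
    {"grantType": "GRANT", "entitiesWithAccess": ["datasetAdmins", "platformOps"]},
    {"grantType": "READ",  "entitiesWithAccess": ["analysts"]}]},
 {"schemaName": "default", "datasetName": "trips", "permissions": [
    {"grantType": "READ",  "entitiesWithAccess": ["contractors"]}]}]
""")

ADMIN_TYPES = {"GRANT", "MODIFY"}  # per the page, either one also implies VIEW


def effective(records):
    """Map group -> set of grant types, adding the VIEW implied by GRANT/MODIFY."""
    out = {}
    for rec in records:
        for perm in rec.get("permissions", []):
            for group in perm.get("entitiesWithAccess", []):
                out.setdefault(group, set()).add(perm["grantType"])
    for grants in out.values():
        if grants & ADMIN_TYPES:
            grants.add("VIEW")
    return out


def audit(user_records, dataset_records):
    """Return groups holding GRANT or MODIFY in both administration domains."""
    user_eff = effective(user_records)
    data_eff = effective(dataset_records)
    findings = []
    for group in sorted(set(user_eff) & set(data_eff)):
        if user_eff[group] & ADMIN_TYPES and data_eff[group] & ADMIN_TYPES:
            findings.append((group, sorted(user_eff[group]), sorted(data_eff[group])))
    return findings


if __name__ == "__main__":
    for group, user_grants, data_grants in audit(USER_ADMIN_LISTING, DATASET_ADMIN_LISTING):
        print(f"{group}: user admin {user_grants}, dataset admin {data_grants}")
```

A group reported here can both change group membership and grant dataset access, so it is a candidate for splitting into two groups.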

Revoking dataset administration permissions from groups

Use the following command to revoke schema-wide access from a group:

$ geospock dataset-permission-revoke --group-name <group_name> --grant-type <grant-type> --all-datasets TRUE

This command requires the user running the command to have dataset administration GRANT permissions.

To revoke READ access on a specific dataset from a group, refer to Removing access to a dataset from a user group.