Managing administrator access

Administration is performed by grouping users into user groups and granting administration permissions to those groups. Refer to Managing group access for an introduction to user groups, including how to create groups and add users to them.

User administration

User groups can have the following user administration permissions:

| Permission type | Access granted |
| --- | --- |
| GRANT | Users in that group can use group-permission-grant and group-permission-revoke. Refer to Granting user administration permissions to groups. |
| MODIFY | Users in that group can use group-create, group-delete, group-add-user, group-remove-user and group-all-remove-user. Refer to Group Management. |
| VIEW | Users in that group can use group-list and group-permission-list. Refer to Listing user administration permissions. |

Note that users with GRANT and/or MODIFY automatically get VIEW access as well.

Granting user administration permissions to groups

Use the following command to grant access to a group:

geospock group-permission-grant --group-name <group_name> --grant-type <grant-type>

For example, to give the GRANT permission to group userAdminGroup, use the following command:

geospock group-permission-grant --group-name userAdminGroup --grant-type GRANT
{
    "entityId": "userAdminGroup",
}

The optional arguments --subject-group-name <group-name> and --all-subject-groups have default values which are currently the only values supported.

For more information about this command, use the GeoSpock CLI's help command.

This command requires user administration GRANT permissions for the user running the command.

Listing user administration permissions

Use the following command to list all user administration permissions for a group, a user or for all groups/users:

geospock group-permission-list --group-name <group-name> | --username <username>

Either --group-name or --username should be used, but not both. If neither is provided, all user administration permissions are returned.

For example, to view the user administration rights of user user.admin@example.com, use the following command:

geospock group-permission-list --username "user.admin@example.com"
{
    "subjectGroupName": "*",
    "permissions": [
        {
            "grantType": "MODIFY",
            "entitiesWithAccess": [
                "userAdmins"
            ]
        }
    ]
}

This shows that user user.admin@example.com has MODIFY access through being a member of group userAdmins.

Dataset administration

Schema-wide permissions

User groups can have the following schema-wide dataset administration permissions:

| Permission type | Dataset specified | Access granted |
| --- | --- | --- |
| GRANT | * | Users in that group can use dataset-permission-grant and dataset-permission-revoke for the default schema or any dataset in the default schema. Refer to Granting dataset administration access to groups. |
| MODIFY | * | Users in that group can use dataset-create, dataset-delete and dataset-add-data. Refer to Ingesting source input data. |
| VIEW | * | Users in that group can use dataset-list and dataset-permission-list. Refer to Granting dataset administration access to groups. |
| READ | * | Users in that group can access all datasets in the default schema via the Presto CLI or a BI Tool integration. |

Here the * dataset refers to all datasets in the default schema. This is specified by using the --all-datasets flag when granting permissions.

Note that users with GRANT and/or MODIFY automatically get VIEW access as well.

Dataset-level permissions

User groups can have the following dataset-level administration permissions:

| Permission | Dataset specified | Access granted |
| --- | --- | --- |
| READ | <dataset name> | Users in that group can access the specified dataset in the default schema via the Presto CLI or a BI Tool integration. |

Currently, dataset-level MODIFY, GRANT and VIEW access is not supported.

Granting dataset permissions to groups

Use the following command to grant schema-wide access to a group:

geospock dataset-permission-grant --group-name <group_name> --grant-type <grant-type> --all-datasets TRUE

For example, to grant the schema-wide GRANT permission to group datasetAdminGroup, use the following command:

geospock dataset-permission-grant --group-name datasetAdminGroup --grant-type GRANT --all-datasets TRUE
{
    "entityId": "datasetAdminGroup",
}

To grant a group READ permissions on a dataset, refer to Adding permissions to your ingested data.

For more information about this command, use the GeoSpock CLI's help command.

This command requires user administration GRANT permissions for the user running the command.

Listing dataset permissions

The permissions for a particular dataset (both schema-wide and dataset-level) are returned as part of a dataset-status command; refer to Getting information about a dataset.

Use the following command to list all dataset administration permissions for a group, a user or for all groups/users:

geospock dataset-permission-list --group-name <group-name> | --username <username>

Either --group-name or --username should be used, but not both. If neither is provided, all dataset administration permissions are returned.

For example, to view the dataset administration rights of user dataset.admin@example.com, use the following command:

geospock dataset-permission-list --username "dataset.admin@example.com"
{
    "schemaName": "default",
    "datasetName": "*",
    "permissions": [
        {
            "grantType": "MODIFY",
            "entitiesWithAccess": [
                "datasetAdmins"
            ]
        }
    ]
}

This shows that user dataset.admin@example.com has MODIFY access to all datasets in the default schema through being a member of group datasetAdmins.
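
The two listing commands above (group-permission-list and dataset-permission-list) can feed a periodic access review. The following is an added example, not part of the GeoSpock documentation or CLI: it assumes each listing is a single JSON document of the shape shown on this page with each permission entry as an object, and the sample listings, the extra group names and the approved_grantors allow-list are constructed for illustration.

```python
import json

# Per the page, GRANT and MODIFY holders automatically get VIEW as well.
IMPLIED = {"GRANT": {"VIEW"}, "MODIFY": {"VIEW"}}

# Constructed sample listings (not real output); shape assumed from the page.
USER_LISTING = """{"subjectGroupName": "*", "permissions": [
  {"grantType": "GRANT", "entitiesWithAccess": ["userAdminGroup", "opsTeam"]},
  {"grantType": "MODIFY", "entitiesWithAccess": ["userAdmins"]}]}"""
DATASET_LISTING = """{"schemaName": "default", "datasetName": "*", "permissions": [
  {"grantType": "GRANT", "entitiesWithAccess": ["opsTeam"]},
  {"grantType": "MODIFY", "entitiesWithAccess": ["datasetAdmins"]},
  {"grantType": "READ", "entitiesWithAccess": ["analysts"]}]}"""


def effective_permissions(listing_json):
    """Map each group in one listing to its effective grant types."""
    effective = {}
    for perm in json.loads(listing_json).get("permissions", []):
        grant = perm["grantType"]
        for group in perm.get("entitiesWithAccess", []):
            held = effective.setdefault(group, set())
            held |= {grant} | IMPLIED.get(grant, set())
    return effective


def audit(user_listing, dataset_listing, approved_grantors):
    """Flag groups whose GRANT rights fall outside the assumed review policy."""
    user = effective_permissions(user_listing)
    data = effective_permissions(dataset_listing)
    findings = []
    for group in sorted(set(user) | set(data)):
        u, d = user.get(group, set()), data.get(group, set())
        if "GRANT" in (u | d) and group not in approved_grantors:
            findings.append((group, "holds GRANT but is not an approved grantor"))
        if "GRANT" in u and "GRANT" in d:
            findings.append((group, "holds GRANT for both users and datasets"))
    return findings


if __name__ == "__main__":
    for group, issue in audit(USER_LISTING, DATASET_LISTING, {"userAdminGroup"}):
        print(f"{group}: {issue}")
```

The second check encodes a separation-of-duties policy that is an assumption of this example, not a GeoSpock rule; drop or adapt it to match your own review criteria.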