Roles
DataHub provides the ability to use Roles to manage permissions.
Roles Setup, Prerequisites, and Permissions
The out-of-the-box Roles represent the most common types of DataHub users. Currently, the supported Roles are Admin, Editor and Reader.
| Role Name | Description | 
|---|---|
| Admin | Can do everything on the platform. | 
| Editor | Can read and edit all metadata. Cannot take administrative actions. | 
| Reader | Can read all metadata. Cannot edit anything by default, or take administrative actions. | 
Using Roles
Viewing Roles
You can view the list of existing Roles under Settings > Permissions > Roles. You can click into a Role to see details about it, like which users have that Role, and which Policies correspond to that Role.

Assigning Roles
Roles can be assigned in two different ways.
Assigning a New Role to a Single User
If you go to Settings > Users & Groups > Users, you will be able to view your full list of users, as well as which Role they are currently assigned to, including if they don't have a Role.

You can simply assign a new Role to a user by clicking on the drop-down that appears on their row and selecting the desired Role.

Batch Assigning a Role
When viewing the full list of roles at Settings > Permissions > Roles, you will notice that each role has an Add Users button next to it. Clicking this button will
lead you to a search box where you can search through your users, and select which users you would like to assign this role to.

How do Roles interact with Policies?
Roles actually use Policies under-the-hood, and come prepackaged with corresponding policies to control what a Role can do, which you can view in the Policies tab. Note that these Role-specific policies cannot be changed. You can find the full list of policies corresponding to each Role at the bottom of this file.
If you would like to have finer control over what a user on your DataHub instance can do, the Roles system interfaces cleanly with the Policies system. For example, if you would like to give a user a Reader role, but also allow them to edit metadata for certain domains, you can add a policy that will allow them to do. Note that adding a policy like this will only add to what a user can do in DataHub.
Role Privileges
Self-Hosted DataHub and Managed DataHub
These privileges are common to both Self-Hosted DataHub and Managed DataHub.
Platform Privileges
| Privilege | Admin | Editor | Reader | 
|---|---|---|---|
| Generate Personal Access Tokens | ✔️ | ✔️ | ❌ | 
| Manage Domains | ✔️ | ✔️ | ❌ | 
| Manage Glossaries | ✔️ | ✔️ | ❌ | 
| Manage Tags | ✔️ | ✔️ | ❌ | 
| Manage Policies | ✔️ | ❌ | ❌ | 
| Manage Ingestion | ✔️ | ❌ | ❌ | 
| Manage Secrets | ✔️ | ❌ | ❌ | 
| Manage Users and Groups | ✔️ | ❌ | ❌ | 
| Manage Access Tokens | ✔️ | ❌ | ❌ | 
| Manage User Credentials | ✔️ | ❌ | ❌ | 
| Manage Public Views | ✔️ | ❌ | ❌ | 
| View Analytics | ✔️ | ❌ | ❌ | 
Metadata Privileges
| Privilege | Admin | Editor | Reader | 
|---|---|---|---|
| View Entity Page | ✔️ | ✔️ | ✔️ | 
| View Dataset Usage | ✔️ | ✔️ | ✔️ | 
| View Dataset Profile | ✔️ | ✔️ | ✔️ | 
| Edit Entity | ✔️ | ✔️ | ❌ | 
| Edit Entity Tags | ✔️ | ✔️ | ❌ | 
| Edit Entity Glossary Terms | ✔️ | ✔️ | ❌ | 
| Edit Entity Owners | ✔️ | ✔️ | ❌ | 
| Edit Entity Docs | ✔️ | ✔️ | ❌ | 
| Edit Entity Doc Links | ✔️ | ✔️ | ❌ | 
| Edit Entity Status | ✔️ | ✔️ | ❌ | 
| Edit Entity Assertions | ✔️ | ✔️ | ❌ | 
| Manage Entity Tags | ✔️ | ✔️ | ❌ | 
| Manage Entity Glossary Terms | ✔️ | ✔️ | ❌ | 
| Edit Dataset Column Tags | ✔️ | ✔️ | ❌ | 
| Edit Dataset Column Glossary Terms | ✔️ | ✔️ | ❌ | 
| Edit Dataset Column Descriptions | ✔️ | ✔️ | ❌ | 
| Manage Dataset Column Tags | ✔️ | ✔️ | ❌ | 
| Manage Dataset Column Glossary Terms | ✔️ | ✔️ | ❌ | 
| Edit Tag Color | ✔️ | ✔️ | ❌ | 
| Edit User Profile | ✔️ | ✔️ | ❌ | 
| Edit Contact Info | ✔️ | ✔️ | ❌ | 
Managed DataHub
These privileges are only relevant to Managed DataHub.
Platform Privileges
| Privilege | Admin | Editor | Reader | 
|---|---|---|---|
| Create Constraints | ✔️ | ✔️ | ❌ | 
| View Metadata Proposals | ✔️ | ✔️ | ❌ | 
| Manage Tests | ✔️ | ❌ | ❌ | 
| Manage Global Settings | ✔️ | ❌ | ❌ | 
Metadata Privileges
| Privilege | Admin | Editor | Reader | 
|---|---|---|---|
| Propose Entity Tags | ✔️ | ✔️ | ✔️ | 
| Propose Entity Glossary Terms | ✔️ | ✔️ | ✔️ | 
| Propose Dataset Column Tags | ✔️ | ✔️ | ✔️ | 
| Propose Dataset Column Glossary Terms | ✔️ | ✔️ | ✔️ | 
| Edit Entity Operations | ✔️ | ✔️ | ❌ | 
Additional Resources
GraphQL
FAQ and Troubleshooting
What updates are planned for Roles?
In the future, the DataHub team is looking into adding the following features to Roles.
- Defining a role mapping from OIDC identity providers to DataHub that will grant users a DataHub role based on their IdP role
- Allowing Admins to set a default role on DataHub so all users are assigned a role
- Building custom roles