CONFIG_ENTITY_PERMISSIONS
CONFIG_ENTITY_PERMISSIONS is a configuration package that is used to configure entity permissions, such as adding Snowflake user roles to specific entity types.
Usage
Open the configuration package from the Designer package list.
Click Export package in the Actions tab.
Click Download.
Edit the JSON file.
Import the edited JSON back to Designer with Import Package.
After a successful import, changes to the configuration package have been applied to Designer only. It is recommended to deploy the same changes to Runtime environments as well.
Contents
Entity permission configuration
Entity permission configurations are managed inside the JSON array block named entityPermissions.
Key | Value type | Example | Description |
---|---|---|---|
permission | String | SELECT | The name of the permission. |
description | String | Select permission | The description of the permission. |
You can add a new entity permission or update the contents of an existing entity permission.
Example: Entity Permission Configuration
"entityPermissions": [
  . . .
  {
    "permission": "SELECT",
    "description": "Select permission"
  }
  . . .
]
If an existing entity permission needs to be deleted, simply remove it from the set of values before importing the configuration package.
Grantee configuration
Grantee configurations are managed inside the JSON array block named grantees.
Key | Value type | Example | Description |
---|---|---|---|
granteeId | Integer | 2 | Unique identifier of the grantee. |
granteeName | String | READ_ONLY | The name of the grantee. |
superGranteeId | Integer | null | Optional. The parent grantee. |
granteeType | String | ROLE | The type of the grantee. |
You can add a new grantee or update the contents of an existing grantee.
It is also possible to refer to predefined environment variables, or to environment variables defined in the config package CONFIG_ENVIRONMENT_VARIABLES, with the ${variable} syntax in the grantee name field.
Example: Grantee Configuration
"grantees": [
  . . .
  {
    "granteeId": 2,
    "granteeName": "READ_ONLY",
    "superGranteeId": null
  },
  {
    "granteeId": 3,
    "granteeName": "${EXEC_ROLE}",
    "superGranteeId": null
  }
  . . .
]
If an existing grantee needs to be deleted, simply remove it from the set of values before importing the configuration package.
Grantee type configuration
Grantee type configurations are managed inside the JSON array block named granteeTypes.
Example: Grantee Type Configuration
"granteeTypes": [
  . . .
  {
    "granteeType": "USER",
    "description": "For granting permissions for users"
  },
  {
    "granteeType": "ROLE",
    "description": "For granting permissions for roles"
  },
  {
    "granteeType": "SHARE",
    "description": "For granting permissions for shares"
  }
  . . .
]
If an existing grantee type needs to be deleted, also remove or alter the grantees that are currently stated to be of that granteeType.
Note that grantee types for Google BigQuery are case sensitive, and the default grantee type USER will be lowercase as required (see the Google BigQuery user list).
Default grant configuration
Default grant configurations are managed inside the JSON array block named defaultGrants.
Key | Value type | Example | Description |
---|---|---|---|
defaultGrantId | Integer | 1 | Unique identifier of the default grant. |
entityType | String | GENERIC | The name of the entity type. |
permission | String | SELECT | The name of the entity permission. For more information, refer to the Entity Permission Configuration section above. |
granteeId | Integer | 2 | The identifier of the grantee. For more information, refer to the Grantee Configuration section above. |
withGrantOption | Boolean | false | Whether the grant option is used or not. |
You can add a new default grant or update the contents of an existing default grant.
Example: Default Grant Configuration
"defaultGrants": [
  . . .
  {
    "entityType": "GENERIC",
    "permission": "SELECT",
    "granteeId": 2,
    "withGrantOption": false,
    "defaultGrantId": 1
  },
  . . .
]
If an existing default grant needs to be deleted, simply remove it from the set of values before importing the configuration package.
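Default grants refer to entity permissions and grantees by value, and grantees refer to grantee types and parent grantees, so deleting one entry can leave other entries pointing at nothing. The following pre-import check is an added example, not part of Agile Data Engine; it assumes the exported JSON holds the four arrays described above as top-level keys, and the sample package is constructed.

```python
import json

# Constructed sample of an exported package, shaped like the examples above.
SAMPLE = json.loads("""
{
  "entityPermissions": [{"permission": "SELECT", "description": "Select permission"}],
  "granteeTypes": [{"granteeType": "ROLE", "description": "For granting permissions for roles"}],
  "grantees": [
    {"granteeId": 2, "granteeName": "READ_ONLY", "superGranteeId": null, "granteeType": "ROLE"},
    {"granteeId": 3, "granteeName": "${EXEC_ROLE}", "superGranteeId": 9, "granteeType": "SHARE"}
  ],
  "defaultGrants": [
    {"defaultGrantId": 1, "entityType": "GENERIC", "permission": "SELECT", "granteeId": 2, "withGrantOption": false},
    {"defaultGrantId": 2, "entityType": "GENERIC", "permission": "INSERT", "granteeId": 4, "withGrantOption": true}
  ]
}
""")


def check_package(pkg):
    """Return a list of findings for dangling references and delegating grants."""
    findings = []
    permissions = {p["permission"] for p in pkg.get("entityPermissions", [])}
    types = {t["granteeType"] for t in pkg.get("granteeTypes", [])}
    grantees = pkg.get("grantees", [])
    ids = [g["granteeId"] for g in grantees]
    for dup in sorted({i for i in ids if ids.count(i) > 1}):
        findings.append(f"grantee {dup}: duplicate granteeId")
    for g in grantees:
        gid = g["granteeId"]
        if g.get("granteeType") is not None and g["granteeType"] not in types:
            findings.append(f"grantee {gid}: unknown granteeType {g['granteeType']}")
        parent = g.get("superGranteeId")  # optional, null when there is no parent
        if parent is not None and parent not in ids:
            findings.append(f"grantee {gid}: unknown superGranteeId {parent}")
    for d in pkg.get("defaultGrants", []):
        did = d["defaultGrantId"]
        if d["permission"] not in permissions:
            findings.append(f"defaultGrant {did}: unknown permission {d['permission']}")
        if d["granteeId"] not in ids:
            findings.append(f"defaultGrant {did}: unknown granteeId {d['granteeId']}")
        if d.get("withGrantOption"):  # the grantee can pass the permission on
            findings.append(f"defaultGrant {did}: withGrantOption is true")
    return findings


if __name__ == "__main__":
    for line in check_package(SAMPLE):
        print(line)
```

The withGrantOption finding is a prompt for review rather than an error, since it marks grants that the grantee can extend to others.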
Notes
Variables have to be referred to in grantee names with ${variable_name}, which differs from the standard notation <variable_name>.
Examples
Using the environment_name variable
Agile Data Engine provides predefined variables that can be used with CONFIG_ENTITY_PERMISSIONS.
In this example, environment_name is used as part of the grantee name to use environment-specific roles:
...
"grantees": [
  ... ,
  {
    "granteeId": 1,
    "granteeName": "${environment_name}_ANALYST",
    "granteeType": "ROLE"
  },
  {
    "granteeId": 2,
    "granteeName": "${environment_name}_DEVELOPER",
    "granteeType": "ROLE"
  },
  ...
]
...
Note that any environment variable used in grantee name value is substituted and transformed to uppercase.
Any '-' and '.' are replaced with '_' (except for BigQuery).
For example:
Environment name: Runtime.1_for-test
Grantee name: ${environment_name}-BI-Developer
Transformed result: RUNTIME_1_FOR_TEST_BI_Developer
Transformed result for BigQuery: RUNTIME.1_FOR-TEST-BI-Developer
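A model of the substitution rule above, as an added example rather than Agile Data Engine's own code: it reproduces the transformed results shown and reports environment names whose grantee names become identical after the transformation, which would point two environments at the same role. Failing on an undefined variable and the second environment name are assumptions made for the example.

```python
import re

VAR = re.compile(r"\$\{([^}]+)\}")  # matches ${variable_name}


def resolve_grantee_name(template, variables, bigquery=False):
    """Expand ${variable} references following the rule described above."""
    def expand(match):
        name = match.group(1)
        if name not in variables:
            # Assumption: an unresolved variable is treated as an error here.
            raise KeyError(f"undefined variable in grantee name: {name}")
        return variables[name].upper()  # substituted values are uppercased

    resolved = VAR.sub(expand, template)
    if not bigquery:
        # '-' and '.' become '_' across the whole name, as in the example above.
        resolved = resolved.replace("-", "_").replace(".", "_")
    return resolved


def find_collisions(template, environment_names, bigquery=False):
    """Group environment names whose resolved grantee name is identical."""
    by_name = {}
    for env in environment_names:
        name = resolve_grantee_name(template, {"environment_name": env}, bigquery)
        by_name.setdefault(name, []).append(env)
    return {name: envs for name, envs in by_name.items() if len(envs) > 1}


if __name__ == "__main__":
    # Constructed environment names; the first is the one used in the example above.
    envs = ["Runtime.1_for-test", "runtime-1.for_test", "Prod"]
    print(resolve_grantee_name("${environment_name}-BI-Developer",
                               {"environment_name": envs[0]}))
    print(find_collisions("${environment_name}_ANALYST", envs))
```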