CONFIG_ENTITY_PERMISSIONS
CONFIG_ENTITY_PERMISSIONS is a configuration package used to configure entity permissions, for example granting Snowflake roles access to specific entity types.
Usage
Open the configuration package from Designer package list.
Click Export package in the Actions tab.
Click Download.
Edit JSON file.
Import edited JSON back to Designer with Import Package.
After a successful import, the changes in the configuration package have been applied to Designer only. Deploy the same changes to the Runtime environments as well.
Contents
Entity permission configuration
Entity permission configurations are managed inside the JSON array block named entityPermissions.
Key | Value type | Example | Description |
---|---|---|---|
permission | String | SELECT | The name of the permission. |
description | String | Select permission | The description of the permission. |
You can add a new entity permission or update the contents of an existing entity permission.
Example: Entity Permission Configuration
"entityPermissions": [
. . .
{
"permission": "SELECT",
"description": "Select permission"
}
. . .
]
If existing entity permission needs to be deleted, simply remove it from the set of values before importing the configuration package.
Grantee configuration
Grantee configurations are managed inside the JSON array block named grantees.
Key | Value type | Example | Description |
---|---|---|---|
granteeId | Integer | 2 | Unique identifier of the grantee. |
granteeName | String | READ_ONLY | The name of the grantee. |
superGranteeId | Integer | null | Optional. The parent grantee. |
granteeType | String | ROLE | The type of the grantee. |
You can add a new grantee or update the contents of an existing grantee.
It is also possible to refer to predefined environment variables, or to environment variables defined in the config package CONFIG_ENVIRONMENT_VARIABLES, with the ${variable} syntax in the granteeName field.
Example: Grantee Configuration
"grantees": [
. . .
{
"granteeId": 2,
"granteeName": "READ_ONLY",
"superGranteeId": null,
"granteeType": "ROLE"
},
{
"granteeId": 3,
"granteeName": "${EXEC_ROLE}",
"superGranteeId": null,
"granteeType": "ROLE"
}
. . .
]
If an existing grantee needs to be deleted, simply remove it from the set of values before importing the configuration package.
Grantee type configuration
Grantee type configurations are managed inside the JSON array block named granteeTypes.
Key | Value type | Example | Description |
---|---|---|---|
granteeType | String | ROLE | The type of the grantee. |
description | String | For granting permissions for roles | Optional. Longer description about the grantee type. |
You can add a new granteeType or update the contents of an existing granteeType.
Example: Grantee Type Configuration
"granteeTypes": [
. . .
{
"granteeType": "USER",
"description": "For granting permissions for users"
},
{
"granteeType": "ROLE",
"description": "For granting permissions for roles"
},
{
"granteeType": "SHARE",
"description": "For granting permissions for shares"
}
. . .
]
If an existing grantee type needs to be deleted, also remove or alter the grantees that currently use that granteeType; otherwise those grantees would refer to a type that no longer exists.
Note that grantee types in Google BigQuery are case sensitive; the default grantee type USER is rendered in lowercase (user) as BigQuery requires (see the Google BigQuery user list).
Default grant configuration
Default grant configurations are managed inside the JSON array block named defaultGrants.
Key | Value type | Example | Description |
---|---|---|---|
defaultGrantId | Integer | 1 | Unique identifier of the default grant. |
entityType | String | GENERIC | The name of the entity type. |
permission | String | SELECT | The name of the entity permission. For more information, refer to the Entity Permission Configuration section above. |
granteeId | Integer | 2 | The identifier of the grantee. For more information, refer to the Grantee Configuration section above. |
withGrantOption | Boolean | false | Whether the grant is made with the grant option, i.e. whether the grantee may grant the same permission onward to others. |
You can add a new default grant or update the contents of an existing default grant.
Example: Default Grant Configuration
"defaultGrants": [
. . .
{
"entityType": "GENERIC",
"permission": "SELECT",
"granteeId": 2,
"withGrantOption": false,
"defaultGrantId": 1
},
. . .
]
If an existing default grant needs to be deleted, simply remove it from the set of values before importing the configuration package.
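Because the package is edited by hand and imported as a whole, the references between the blocks above (a default grant's permission and granteeId, a grantee's granteeType and superGranteeId) are easy to break, for instance when a grantee type or grantee is deleted but something still points at it. The check below is an added illustration, not code from Agile Data Engine: it reads an edited package and reports dangling references and duplicate identifiers before import, and separately lists the grants that carry withGrantOption = true so they can be reviewed, since those let the grantee hand the permission on. The function names and the sample package (which deliberately references a removed grantee type and a missing grantee) are constructed here and assume only the array names and keys documented above.

```python
"""Pre-import sanity check for an edited CONFIG_ENTITY_PERMISSIONS package.

Added illustration, not part of Agile Data Engine. Assumes the array
names and keys documented above: entityPermissions, granteeTypes,
grantees and defaultGrants.
"""
import json
import sys


def _duplicates(values):
    """Values that occur more than once, in first-seen order."""
    seen, dup = set(), []
    for v in values:
        if v in seen and v not in dup:
            dup.append(v)
        seen.add(v)
    return dup


def validate_entity_permissions(config):
    """Return a list of problems; an empty list means every reference resolves."""
    problems = []
    permissions = [p.get("permission") for p in config.get("entityPermissions", [])]
    grantee_types = {t.get("granteeType") for t in config.get("granteeTypes", [])}
    grantees = config.get("grantees", [])
    grants = config.get("defaultGrants", [])

    for d in _duplicates(permissions):
        problems.append(f"duplicate entity permission {d!r}")
    for d in _duplicates([g.get("granteeId") for g in grantees]):
        problems.append(f"duplicate granteeId {d}")
    for d in _duplicates([g.get("defaultGrantId") for g in grants]):
        problems.append(f"duplicate defaultGrantId {d}")

    grantee_ids = {g.get("granteeId") for g in grantees}
    for g in grantees:
        gid = g.get("granteeId")
        if g.get("granteeType") not in grantee_types:
            problems.append(f"grantee {gid} uses unknown granteeType {g.get('granteeType')!r}")
        parent = g.get("superGranteeId")  # optional; null means no parent
        if parent is not None and parent not in grantee_ids:
            problems.append(f"grantee {gid} refers to missing superGranteeId {parent}")

    known_permissions = set(permissions)
    for d in grants:
        did = d.get("defaultGrantId")
        if d.get("permission") not in known_permissions:
            problems.append(f"default grant {did} uses unknown permission {d.get('permission')!r}")
        if d.get("granteeId") not in grantee_ids:
            problems.append(f"default grant {did} refers to missing granteeId {d.get('granteeId')}")
        if not isinstance(d.get("withGrantOption"), bool):
            problems.append(f"default grant {did}: withGrantOption must be true or false")
    return problems


def grants_with_grant_option(config):
    """defaultGrantIds whose grantee may re-grant the permission; review before import."""
    return sorted(d["defaultGrantId"] for d in config.get("defaultGrants", [])
                  if d.get("withGrantOption") is True)


# Constructed sample package: granteeType SHARE was removed but grantee 3 still
# uses it, and default grant 2 points at grantee 4, which does not exist.
SAMPLE_PACKAGE = json.loads("""
{
  "entityPermissions": [{"permission": "SELECT", "description": "Select permission"}],
  "granteeTypes": [{"granteeType": "ROLE", "description": "For granting permissions for roles"}],
  "grantees": [
    {"granteeId": 2, "granteeName": "READ_ONLY", "superGranteeId": null, "granteeType": "ROLE"},
    {"granteeId": 3, "granteeName": "PARTNER_SHARE", "superGranteeId": null, "granteeType": "SHARE"}
  ],
  "defaultGrants": [
    {"defaultGrantId": 1, "entityType": "GENERIC", "permission": "SELECT", "granteeId": 2, "withGrantOption": false},
    {"defaultGrantId": 2, "entityType": "GENERIC", "permission": "SELECT", "granteeId": 4, "withGrantOption": true}
  ]
}
""")

if __name__ == "__main__":
    # Usage: python check_package.py exported_package.json (falls back to the sample)
    package = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PACKAGE
    for problem in validate_entity_permissions(package):
        print("ERROR:", problem)
    for grant_id in grants_with_grant_option(package):
        print("REVIEW: default grant", grant_id, "is made WITH GRANT OPTION")
```

Run it against the downloaded JSON before re-importing; an empty error list means the deletions described in the sections above were carried out consistently.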
Notes
Variables have to be referred to in grantee names with ${variable_name}, which differs from the standard notation <variable_name>.
Examples
Using the environment_name variable
Agile Data Engine provides predefined variables that can be used with CONFIG_ENTITY_PERMISSIONS.
In this example, environment_name is used as part of grantee name to use environment specific roles:
...
"grantees": [
... ,
{
"granteeId": 1,
"granteeName": "${environment_name}_ANALYST",
"granteeType": "ROLE"
},
{
"granteeId": 2,
"granteeName": "${environment_name}_DEVELOPER",
"granteeType": "ROLE"
},
...
]
...
Note that the value of any environment variable used in a grantee name is substituted and transformed to uppercase. After substitution, any '-' and '.' in the resulting grantee name are replaced with '_' (except for BigQuery); the rest of the grantee name keeps its case.
For example:
Environment name:
Runtime.1_for-test
Grantee name:
${environment_name}-BI-Developer
Transformed result:
RUNTIME_1_FOR_TEST_BI_Developer
(for BigQuery: RUNTIME.1_FOR-TEST-BI-Developer)
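The transformation above determines which database role a grant actually lands on, so it is worth being able to predict the resolved names before deploying. The following is an added illustration of the documented rules, not Agile Data Engine's own resolver: it substitutes ${variable} references (uppercasing the value), applies the '-' and '.' replacement unless the target is BigQuery, and leaves the standard <variable> notation untouched as the note above says. It also goes one step beyond the text by checking whether two grantees collapse onto the same resolved name, which the replacement can cause. The function names, the dbms parameter and its values ("snowflake", "bigquery"), raising KeyError for an unknown variable, and the sample grantees are all assumptions made here.

```python
"""Resolve ${variable} references in grantee names the way the page describes.

Added illustration, not Agile Data Engine code. Assumed here: the dbms
argument uses lowercase names ("snowflake", "bigquery"), and an unknown
variable raises KeyError rather than being left in place.
"""
import re

VARIABLE_PATTERN = re.compile(r"\$\{([A-Za-z0-9_]+)\}")


def resolve_grantee_name(grantee_name, variables, dbms="snowflake"):
    """Substitute ${var} (value uppercased), then normalise '-' and '.' to '_'
    in the whole name, except on BigQuery. The standard <var> notation is not
    a variable reference here and is returned unchanged."""
    def substitute(match):
        key = match.group(1)
        if key not in variables:
            raise KeyError(f"unknown variable {key!r} in grantee name {grantee_name!r}")
        return str(variables[key]).upper()

    resolved = VARIABLE_PATTERN.sub(substitute, grantee_name)
    if dbms.lower() != "bigquery":
        resolved = resolved.replace("-", "_").replace(".", "_")
    return resolved


def resolve_grantees(grantees, variables, dbms="snowflake"):
    """Map granteeId -> resolved granteeName for a grantees block."""
    return {g["granteeId"]: resolve_grantee_name(g["granteeName"], variables, dbms)
            for g in grantees}


def resolved_name_collisions(grantees, variables, dbms="snowflake"):
    """Resolved names shared by more than one grantee. Two distinct grantee
    names can become identical after '-' and '.' are replaced with '_',
    which would silently merge two roles into one."""
    by_name = {}
    for gid, name in resolve_grantees(grantees, variables, dbms).items():
        by_name.setdefault(name, []).append(gid)
    return {name: ids for name, ids in by_name.items() if len(ids) > 1}


# Constructed sample: the environment name from the page and three grantees,
# two of which differ only in a '-' versus a '.' before ANALYST.
SAMPLE_VARIABLES = {"environment_name": "Runtime.1_for-test"}
SAMPLE_GRANTEES = [
    {"granteeId": 1, "granteeName": "${environment_name}-ANALYST", "granteeType": "ROLE"},
    {"granteeId": 2, "granteeName": "${environment_name}.ANALYST", "granteeType": "ROLE"},
    {"granteeId": 3, "granteeName": "${environment_name}-BI-Developer", "granteeType": "ROLE"},
]

if __name__ == "__main__":
    for dbms in ("snowflake", "bigquery"):
        print(dbms, resolve_grantees(SAMPLE_GRANTEES, SAMPLE_VARIABLES, dbms))
        print("collisions:", resolved_name_collisions(SAMPLE_GRANTEES, SAMPLE_VARIABLES, dbms))
```

On Snowflake the sample's grantees 1 and 2 both resolve to RUNTIME_1_FOR_TEST_ANALYST, so a grant intended for one role reaches the other; on BigQuery, where no replacement happens, they stay distinct.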
Row Level Policies configuration
Row level policy configurations are managed inside the JSON array block named rowLevelPolicies.
Key | Value type | Example | Description |
---|---|---|---|
rowLevelPolicyId | String | 4ab86cae-614d-47b7-8bb3-f770e6e0bda4 | Unique identifier of the row level policy. |
label | String | access based on sales unit | The friendly name of the policy in the ADE user interface. |
preDefinedPolicyFunctionName | String | security.validateAccessPerSalesUnit | The name of the predefined policy function. Whether it is needed depends on the DBMS: all DBMSes except Google BigQuery require it. |
nameSuffix | String | allowed_sales_unit | Google BigQuery and Azure DBMSes generate the policy name with the logic <schema>_<entity_name>_<nameSuffix>. |
requiresDefinedGrantees | Boolean | false | Whether the policy expects the ADE developer to define the roles affected by the policy. Must be true for policies in Amazon Redshift and Google BigQuery, otherwise false. |
deleted | Boolean | false | Whether the policy has been removed from the system (true) or not (false). |
ruleExpression | String | sales_unit = 'ACCESSORIES' | The actual row access policy rule for Google BigQuery. |
description | String | Allow access to only specific sales units | Optional. Longer description of the row access policy. |
Example: Row Level Policy Configuration
"rowLevelPolicies": [
. . .
{
"rowLevelPolicyId" : "4ab86cae-614d-47b7-8bb3-f770e6e0bda4",
"label" : "Sales info only if allowed",
"preDefinedPolicyFunctionName" : "manager_test.limited_sales_regions",
"nameSuffix" : "allowed_role",
"requiresDefinedGrantees" : true,
"deleted" : false,
"ruleExpression" : "sales_region = 'APAC'",
"description" : "Information only to allowed roles"
}
. . .
]
If an existing row level policy needs to be deleted, also remove or alter the row level policy attributes that currently belong to that policy. Keep in mind that modifications to row level policies take effect only after the packages containing the affected entities are deployed.
Row Level Policy Attributes configuration
Row level policy attribute configurations are managed inside the JSON array block named rowLevelPolicyAttributes.
Key | Value type | Example | Description |
---|---|---|---|
rowLevelPolicyAttributeId | String | 9b855c37-ecee-4e97-93a5-ec0e7705d73a | Unique identifier of the row level policy attribute. |
rowLevelPolicyId | String | 4ab86cae-614d-47b7-8bb3-f770e6e0bda4 | Unique identifier of the referred row level policy. |
attributeName | String | sales_unit | The exact wanted name of the attribute in the policy. |
position | Integer | 1 | The position of the attribute in the policy function/procedure. |
dataType | String | VARCHAR | The wanted logical datatype of the attribute. |
dataPrecision | Integer | 6 | Optional. Defines the datatype precision. Recommended for decimal row level policy attributes in Amazon Redshift. |
dataScale | Integer | 2 | Optional. Defines the datatype scale. Recommended for decimal row level policy attributes in Amazon Redshift. |
dataLength | Integer | 200 | Optional. Defines the datatype length. Recommended for varchar row level policy attributes in Amazon Redshift. |
Example: Row Level Policy Attribute Configuration
"rowLevelPolicyAttributes": [
. . .
{
"rowLevelPolicyAttributeId" : "9b855c37-ecee-4e97-93a5-ec0e7705d73a",
"rowLevelPolicyId" : "29862c45-d36b-4da4-bb07-461892dca8f6",
"attributeName" : "sales_unit",
"position" : 1,
"dataType" : "VARCHAR"
}
. . .
]
If an existing row level policy attribute needs to be deleted, keep in mind that modifications to row level policies take effect only after the packages containing the affected entities are deployed.
Good to know about applying the Row Access Policies
The entity to which the policy is to be added must contain the configured policy attributes before the policy can be attached to it:
Attribute names must match.
Attribute datatypes must match.
If dataLength, dataScale or dataPrecision have been defined, they must match as well. Amazon Redshift matches the datatypes of attached policies strictly, so it is recommended to define these.
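The matching rules just listed, together with the earlier notes that a deleted policy must not leave attributes behind and that Amazon Redshift and Google BigQuery require requiresDefinedGrantees = true, can be checked before a deployment instead of being discovered when the policy fails to attach. The script below is an added illustration, not Agile Data Engine code: it takes the rowLevelPolicies and rowLevelPolicyAttributes blocks plus a description of the target entity's attributes, and reports why a policy could not be attached. The function names, the dbms values ("redshift", "bigquery", "snowflake"), the entity description format (a list of dicts using the same attribute keys as a policy attribute) and the sample data are assumptions made here; names and datatypes are compared exactly, as the rules above require.

```python
"""Pre-deployment check that an entity satisfies a row level policy's attributes.

Added illustration, not Agile Data Engine code. Assumed here: lowercase dbms
names, and an entity described as a list of attribute dicts with the keys
attributeName, dataType and, optionally, dataPrecision/dataScale/dataLength.
"""

# From the page: Redshift and BigQuery need requiresDefinedGrantees = true,
# and every DBMS except BigQuery needs preDefinedPolicyFunctionName.
REQUIRES_DEFINED_GRANTEES = {"redshift", "bigquery"}
SIZE_KEYS = ("dataPrecision", "dataScale", "dataLength")


def active_policies(config):
    """Policies not flagged deleted, keyed by rowLevelPolicyId."""
    return {p["rowLevelPolicyId"]: p
            for p in config.get("rowLevelPolicies", []) if not p.get("deleted")}


def policy_attributes(config, policy_id):
    """Attributes of one policy, in function-argument (position) order."""
    attrs = [a for a in config.get("rowLevelPolicyAttributes", [])
             if a.get("rowLevelPolicyId") == policy_id]
    return sorted(attrs, key=lambda a: a.get("position", 0))


def dangling_policy_attributes(config):
    """Attribute ids whose policy is missing or marked deleted; remove them
    together with the policy, as the section above says."""
    live = active_policies(config)
    return sorted(a["rowLevelPolicyAttributeId"]
                  for a in config.get("rowLevelPolicyAttributes", [])
                  if a.get("rowLevelPolicyId") not in live)


def policy_attachment_problems(config, policy_id, entity_attributes, dbms):
    """Reasons the policy cannot be attached to the entity; [] means it can."""
    policy = active_policies(config).get(policy_id)
    if policy is None:
        return [f"policy {policy_id} does not exist or is marked deleted"]
    problems = []
    if dbms in REQUIRES_DEFINED_GRANTEES and policy.get("requiresDefinedGrantees") is not True:
        problems.append(f"requiresDefinedGrantees must be true on {dbms}")
    if dbms != "bigquery" and not policy.get("preDefinedPolicyFunctionName"):
        problems.append(f"preDefinedPolicyFunctionName is required on {dbms}")
    by_name = {a["attributeName"]: a for a in entity_attributes}  # exact-name match
    for pa in policy_attributes(config, policy_id):
        name = pa["attributeName"]
        ea = by_name.get(name)
        if ea is None:
            problems.append(f"entity lacks attribute {name!r}")
            continue
        if ea.get("dataType") != pa.get("dataType"):
            problems.append(f"{name}: dataType {ea.get('dataType')} in entity != {pa.get('dataType')} in policy")
        # Precision, scale and length are only compared when the policy defines them.
        for key in SIZE_KEYS:
            if key in pa and ea.get(key) != pa[key]:
                problems.append(f"{name}: {key} {ea.get(key)} in entity != {pa[key]} in policy")
    return problems


# Constructed sample. The live policy reuses the page's example ids; the
# retired policy and its leftover attribute use made-up ids.
POLICY_ID = "4ab86cae-614d-47b7-8bb3-f770e6e0bda4"
RETIRED_ID = "aaaaaaaa-0000-4000-8000-000000000001"
SAMPLE_CONFIG = {
    "rowLevelPolicies": [
        {"rowLevelPolicyId": POLICY_ID, "label": "Sales info only if allowed",
         "preDefinedPolicyFunctionName": "manager_test.limited_sales_regions",
         "nameSuffix": "allowed_role", "requiresDefinedGrantees": True, "deleted": False,
         "ruleExpression": "sales_region = 'APAC'"},
        {"rowLevelPolicyId": RETIRED_ID, "label": "Retired filter",
         "preDefinedPolicyFunctionName": "manager_test.old_filter",
         "nameSuffix": "old", "requiresDefinedGrantees": True, "deleted": True},
    ],
    "rowLevelPolicyAttributes": [
        {"rowLevelPolicyAttributeId": "9b855c37-ecee-4e97-93a5-ec0e7705d73a",
         "rowLevelPolicyId": POLICY_ID, "attributeName": "sales_region",
         "position": 1, "dataType": "VARCHAR", "dataLength": 200},
        {"rowLevelPolicyAttributeId": "aaaaaaaa-0000-4000-8000-000000000002",
         "rowLevelPolicyId": RETIRED_ID, "attributeName": "sales_unit",
         "position": 1, "dataType": "VARCHAR"},
    ],
}
ENTITY_OK = [{"attributeName": "sales_region", "dataType": "VARCHAR", "dataLength": 200}]
ENTITY_SHORT = [{"attributeName": "sales_region", "dataType": "VARCHAR", "dataLength": 100}]

if __name__ == "__main__":
    print("dangling:", dangling_policy_attributes(SAMPLE_CONFIG))
    for label, entity in (("ok", ENTITY_OK), ("short", ENTITY_SHORT), ("empty", [])):
        print(label, policy_attachment_problems(SAMPLE_CONFIG, POLICY_ID, entity, "redshift"))
```

The length mismatch on ENTITY_SHORT is exactly the case the Redshift note above warns about: the policy attaches only when the entity's VARCHAR length equals the 200 defined on the policy attribute.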