yujunjun/OpenMetadata
1
0
Fork 0
mirror of https://github.com/open-metadata/OpenMetadata.git synced 2025-07-31 05:04:39 +00:00
Code Issues Packages Projects Releases Wiki Activity
OpenMetadata/openmetadata-docs/content/main-concepts/metadata-standard/schemas/entity/policies/accessControl/rule.md
Sachin Chaurasiya ae5e7a3d98
doc: update rule doc to include conditions (#10845)
2023-03-31 18:36:09 +05:30

3.0 KiB
Raw Blame History

title slug
rule /main-concepts/metadata-standard/schemas/entity/policies/accesscontrol/rule

AccessControlRule

Describes an Access Control Rule for OpenMetadata Metadata Operations. All non-null user (subject) and entity (object) attributes are evaluated with logical AND.

Properties

  • name (string): Name of this Rule
  • fullyQualifiedName (fullyQualifiedEntityName): FullyQualifiedName in the form policyName.ruleName.
  • description (markdown): Description of the rule.
  • effect (string): Indicates whether the rule allows or denies access.", where effect can take on one of two values: "allow" or "deny".
  • operations (array of operation objects): List of operation names related to the resources. Use * to include all the operations.
  • resources (array of strings): Resources/objects related to this rule. Resources are typically entityTypes such as table, database, etc. It also includes non-entityType resources such as lineage. Use * to include all the resources.
  • condition (expression): Expression in SpEL used for matching of a Rule based on entity, resource, and environmental attributes.

Definitions

  • operation (string): This schema defines all possible operations on metadata of data entities. Must be one of: ['Create', 'Delete', 'ViewAll', 'ViewUsage', 'ViewTests', 'TableViewQueries', 'TableViewDataProfile', 'TableViewSampleData', 'EditAll', 'EditDescription', 'EditTags', 'EditOwner', 'EditTier', 'EditCustomFields', 'EditLineage', 'EditReviewers', 'EditTests', 'TableEditQueries', 'TableEditDataProfile', 'TableEditSampleData', 'TeamEditUsers'].

Condition

hasAnyRole: Returns true if the user (either direct or inherited from the parent teams) has one or more roles from the list.

Example:

hasAnyRole('DataSteward', 'DataEngineer')

inAnyTeam: Returns true if the user belongs under the hierarchy of any of the teams in the given team list.

Example:

inAnyTeam('marketing')

isOwner: Returns true if the user belongs under the hierarchy of any of the teams in the given team list.

Example:

isOwner()
!isOwner
noOwner() || isOwner()

matchAllTags: Returns true if the entity being accessed has all the tags given as input.

Example:

matchAllTags('PersonalData.Personal', 'Tier.Tier1', 'Business Glossary.Clothing')

matchAnyTag: Returns true if the entity being accessed has at least one of the tags given as input.

Example:

matchAnyTag('PersonalData.Personal', 'Tier.Tier1', 'Business Glossary.Clothing')

matchTeam: Returns true if the user and the resource belongs to the team hierarchy where this policy is attached. This allows restricting permissions to a resource to the members of the team hierarchy.

Example:

matchTeam()

noOwner: Returns true if the entity being accessed has no owner.

Example:

noOwner()
!noOwner
noOwner() || isOwner()

Documentation file automatically generated at 2022-07-14 10:51:34.749986.