Out of the box, DataHub is deployed with a set of pre-baked Policies. The set of default policies is created at deploy
time and can be found inside the `policies.json` file within `metadata-service/war/src/main/resources/boot`. This set of policies serves the
following purposes:
1. Assigns immutable super-user privileges for the root `datahub` user account (Immutable)
2. Assigns all Platform privileges for all Users by default (Editable)
The reason for #1 is to prevent people from accidentally deleting all policies and getting locked out (the `datahub` super-user account serves as a backup).
The reason for #2 is to let administrators log in via OIDC or another means outside of the `datahub` root account
while they are bootstrapping DataHub, so that those setting up DataHub can start managing policies without friction.
Note that these privileges *can* and likely *should* be altered inside the **Policies** page of the UI: as long as the default policy from #2 stands, every authenticated user, including anyone provisioned through OIDC, holds every Platform privilege.
:::note Pro-Tip
To log in using the `datahub` account, simply navigate to `<your-datahub-domain>/login` and enter `datahub` as both the username and the password. The password can (and, for any deployment reachable by others, should) be changed by editing the `user.props` file within the `datahub-frontend` module, since the default is public knowledge. Note that JaaS authentication must be enabled for this login path to work.
:::
## Configuration
By default, the Policies feature is *enabled*. This means that the deployment will support creating, editing, removing, and
most importantly enforcing fine-grained access policies.
In some cases, these capabilities are not desirable. For example, if your company's users are already used to having free rein, you
may want to keep it that way. Or perhaps only your Data Platform team actively uses DataHub, in which case Policies may be overkill.
For these scenarios, we've provided a switch to disable Policies in your deployment of DataHub. This completely hides
the policies management UI and allows all actions on the platform: every authenticated user behaves as though they held *all* privileges, both of the
**Platform** and **Metadata** flavor, including Manage Policies, Manage Secrets and Manage All Access Tokens. Only do this where every account that can reach DataHub is trusted with that level of access.
To disable Policies, set the `AUTH_POLICIES_ENABLED` environment variable for the `datahub-gms` service container
to `false`. For example, in your `docker/datahub-gms/docker.env` you'd place
```
AUTH_POLICIES_ENABLED=false
```
### REST API Authorization
Policies only affect the REST APIs when the environment variable `REST_API_AUTHORIZATION` is set to `true` for GMS; with it unset or `false`, a caller who can authenticate to GMS can use the REST endpoints regardless of policy. Some policies apply only when this setting is enabled (marked in the privilege table above), and other Metadata and Platform policies apply to the APIs where relevant, as also specified in that table.
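As a check a practitioner can run against a GMS env file, here is an added example (not part of the DataHub docs or code base): a POSIX shell audit that reads `AUTH_POLICIES_ENABLED` and `REST_API_AUTHORIZATION` from a `docker.env`-style file and flags the weak combinations described in this section and the one above. The `env_value` and `audit_gms_env` function names, the constructed sample env files, and the treatment of a missing `AUTH_POLICIES_ENABLED` as the documented default of `true` (and a missing `REST_API_AUTHORIZATION` as not enabled) are assumptions of the example.

```shell
#!/bin/sh
# Added example, not DataHub project code: audit a datahub-gms env file for the
# two authorization switches this page describes, AUTH_POLICIES_ENABLED and
# REST_API_AUTHORIZATION. Assumptions: the file uses KEY=VALUE lines like
# docker/datahub-gms/docker.env; a missing AUTH_POLICIES_ENABLED is read as the
# documented default (true); a missing REST_API_AUTHORIZATION is read as not set.

# Print the value of KEY from FILE (last assignment wins, surrounding double
# quotes stripped, lowercased), or nothing if the key is absent.
env_value() {
  file="$1"; key="$2"
  grep -E "^[[:space:]]*${key}=" "$file" 2>/dev/null \
    | tail -n 1 \
    | sed -e "s/^[[:space:]]*${key}=//" -e 's/^"//' -e 's/"$//' \
    | tr '[:upper:]' '[:lower:]'
}

# Audit FILE. Prints one FINDING line per weak setting; returns 0 only when
# policies are enforced both in the UI and on the REST APIs.
audit_gms_env() {
  file="$1"
  rc=0
  policies="$(env_value "$file" AUTH_POLICIES_ENABLED)"
  [ -z "$policies" ] && policies=true
  restauth="$(env_value "$file" REST_API_AUTHORIZATION)"
  [ -z "$restauth" ] && restauth=false

  if [ "$policies" != "true" ]; then
    echo "FINDING: AUTH_POLICIES_ENABLED=$policies: every user effectively holds all Platform and Metadata privileges"
    rc=1
  fi
  if [ "$restauth" != "true" ]; then
    echo "FINDING: REST_API_AUTHORIZATION=$restauth: policies are not enforced on GMS REST endpoints"
    rc=1
  fi
  return $rc
}

# Constructed sample env files for the demo (not taken from any real deployment).
demo_dir="${TMPDIR:-/tmp}/gms-env-audit.$$"
mkdir -p "$demo_dir"
cat > "$demo_dir/weak.env" <<'EOF'
# Policies switched off, REST API authorization left unset
AUTH_POLICIES_ENABLED=false
EOF
cat > "$demo_dir/hardened.env" <<'EOF'
AUTH_POLICIES_ENABLED=true
REST_API_AUTHORIZATION=true
EOF

# Run the audit over both files; the weak one produces two findings.
for f in weak hardened; do
  if audit_gms_env "$demo_dir/$f.env"; then
    echo "$f.env: OK"
  else
    echo "$f.env: WEAK"
  fi
done
```

Point `audit_gms_env` at the real `docker/datahub-gms/docker.env` (or the env block of a Helm values file rendered to KEY=VALUE form) to get the same verdict for a deployment; a non-zero exit makes it usable as a CI gate.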
| Platform Privilege | Description |
| --- | --- |
| Generate Personal Access Tokens | Allow actor to generate personal access tokens for use with DataHub APIs. |
| Manage Policies | Allow actor to create and remove access control policies. Be careful - Actors with this privilege are effectively super users. |
| Manage Secrets | Allow actor to create & remove Secrets stored inside DataHub. |
| Manage Users & Groups | Allow actor to create, remove, and update users and groups on DataHub. |
| Manage All Access Tokens | Allow actor to create, list and revoke access tokens on behalf of users in DataHub. Be careful - Actors with this privilege are effectively super users that can impersonate other users. |
| Manage User Credentials | Allow actor to manage credentials for native DataHub users, including inviting new users and resetting passwords. |
| Manage Connections | Allow actor to manage connections to external DataHub platforms. |
| Entity Type | Privilege | Description |
| --- | --- | --- |
| Dataset | View Dataset Usage | Allow actor to access dataset usage information (includes usage statistics and queries). |
| Dataset | View Dataset Profile | Allow actor to access dataset profile (snapshot statistics). |
| Dataset | Edit Dataset Column Descriptions | Allow actor to edit the column (field) descriptions associated with a dataset schema. |
| Dataset | Edit Dataset Column Tags | Allow actor to edit the column (field) tags associated with a dataset schema. |
| Dataset | Edit Dataset Column Glossary Terms | Allow actor to edit the column (field) glossary terms associated with a dataset schema. |
| Dataset | Propose Dataset Column Glossary Terms[^2] | Allow actor to propose column (field) glossary terms associated with a dataset schema. |
| Dataset | Propose Dataset Column Tags[^2] | Allow actor to propose new column (field) tags associated with a dataset schema. |
| Dataset | Manage Dataset Column Glossary Terms[^2] | Allow actor to manage column (field) glossary term proposals associated with a dataset schema. |
| Dataset | Propose Dataset Column Descriptions[^2] | Allow actor to propose new descriptions associated with a dataset schema. |
| Dataset | Manage Dataset Column Tag Proposals[^2] | Allow actor to manage column (field) tag proposals associated with a dataset schema. |
| Dataset | Edit Assertions | Allow actor to add and remove assertions from an entity. |
| Dataset | Edit Dataset Queries | Allow actor to edit the Queries for a Dataset. |
| Dataset | Create erModelRelationship | Allow actor to add erModelRelationship on a dataset. |
| Dataset | Edit Monitors[^2] | Allow actor to edit monitors for the entity. |
| Dataset | Edit SQL Assertion Monitors[^2] | Allow actor to edit custom SQL assertion monitors for the entity. Note that this gives the actor read access to query results through the Custom SQL assertion builder. Grant with care. |
| Dataset | Edit Data Contract[^2] | Allow actor to edit the Data Contract for an entity. |
| Dataset | Manage Data Contract Proposals[^2] | Allow actor to manage a proposal for a Data Contract. |
| Tag | Edit Tag Color | Allow actor to change the color of a Tag. |
| Domain | Manage Data Products | Allow actor to create, edit, and delete Data Products within a Domain. |
| GlossaryNode | Manage Direct Glossary Children | Allow actor to create and delete the direct children of this entity. |
| GlossaryNode | Manage All Glossary Children | Allow actor to create and delete everything underneath this entity. |