add new CREATE and UPDATE privileges for USERS_AND_GROUPS (#11364)

Co-authored-by: Hendrik Richert <hendrik.richert@swisscom.com>
2025-11-02 11:49:23 +00:00 · 2024-10-04 19:54:41 +02:00 · 2024-10-04 19:54:41 +02:00 · 18562000f8
commit 18562000f8
parent 04349cb9cd
1 changed files with 22 additions and 4 deletions
--- a/metadata-utils/src/main/java/com/linkedin/metadata/authorization/PoliciesConfig.java
+++ b/metadata-utils/src/main/java/com/linkedin/metadata/authorization/PoliciesConfig.java
@ -59,6 +59,18 @@ public class PoliciesConfig {
          "Manage Users & Groups",
          "Create, remove, and update users and groups on DataHub.");

+  static final Privilege CREATE_USERS_AND_GROUPS_PRIVILEGE =
+      Privilege.of(
+          "CREATE_USERS_AND_GROUPS",
+          "Create Users & Groups",
+          "Create users and groups on DataHub.");
+
+  static final Privilege UPDATE_USERS_AND_GROUPS_PRIVILEGE =
+      Privilege.of(
+          "UPDATE_USERS_AND_GROUPS",
+          "Update Users & Groups",
+          "Update users and groups on DataHub.");
+
  private static final Privilege VIEW_ANALYTICS_PRIVILEGE =
      Privilege.of("VIEW_ANALYTICS", "View Analytics", "View the DataHub analytics dashboard.");

@ -177,6 +189,8 @@ public class PoliciesConfig {
      ImmutableList.of(
          MANAGE_POLICIES_PRIVILEGE,
          MANAGE_USERS_AND_GROUPS_PRIVILEGE,
+          CREATE_USERS_AND_GROUPS_PRIVILEGE,
+          UPDATE_USERS_AND_GROUPS_PRIVILEGE,
          VIEW_ANALYTICS_PRIVILEGE,
          GET_ANALYTICS_PRIVILEGE,
          MANAGE_DOMAINS_PRIVILEGE,
@ -926,13 +940,15 @@ public class PoliciesConfig {
                  ImmutableMap.<ApiOperation, Disjunctive<Conjunctive<Privilege>>>builder()
                      .put(
                          ApiOperation.CREATE,
-                          Disjunctive.disjoint(MANAGE_USERS_AND_GROUPS_PRIVILEGE))
+                          Disjunctive.disjoint(
+                              CREATE_USERS_AND_GROUPS_PRIVILEGE, MANAGE_USERS_AND_GROUPS_PRIVILEGE))
                      .put(
                          ApiOperation.READ,
                          API_PRIVILEGE_MAP.get(ApiGroup.ENTITY).get(ApiOperation.READ))
                      .put(
                          ApiOperation.UPDATE,
-                          Disjunctive.disjoint(MANAGE_USERS_AND_GROUPS_PRIVILEGE))
+                          Disjunctive.disjoint(
+                              UPDATE_USERS_AND_GROUPS_PRIVILEGE, MANAGE_USERS_AND_GROUPS_PRIVILEGE))
                      .put(
                          ApiOperation.DELETE,
                          Disjunctive.disjoint(MANAGE_USERS_AND_GROUPS_PRIVILEGE))
@ -945,13 +961,15 @@ public class PoliciesConfig {
                  ImmutableMap.<ApiOperation, Disjunctive<Conjunctive<Privilege>>>builder()
                      .put(
                          ApiOperation.CREATE,
-                          Disjunctive.disjoint(MANAGE_USERS_AND_GROUPS_PRIVILEGE))
+                          Disjunctive.disjoint(
+                              CREATE_USERS_AND_GROUPS_PRIVILEGE, MANAGE_USERS_AND_GROUPS_PRIVILEGE))
                      .put(
                          ApiOperation.READ,
                          API_PRIVILEGE_MAP.get(ApiGroup.ENTITY).get(ApiOperation.READ))
                      .put(
                          ApiOperation.UPDATE,
-                          Disjunctive.disjoint(MANAGE_USERS_AND_GROUPS_PRIVILEGE))
+                          Disjunctive.disjoint(
+                              UPDATE_USERS_AND_GROUPS_PRIVILEGE, MANAGE_USERS_AND_GROUPS_PRIVILEGE))
                      .put(
                          ApiOperation.DELETE,
                          Disjunctive.disjoint(MANAGE_USERS_AND_GROUPS_PRIVILEGE))