feat: add new permission for managing asset summary (#14627)

Co-authored-by: Chris Collins <chriscollins3456@gmail.com>
2025-11-03 20:27:50 +00:00 · 2025-09-04 19:51:01 +05:30 · 2025-09-04 19:51:01 +05:30 · 94c56decdc
commit 94c56decdc
parent fe655cc255
8 changed files with 42 additions and 7 deletions
--- a/datahub-graphql-core/src/main/java/com/linkedin/datahub/graphql/authorization/AuthorizationUtils.java
+++ b/datahub-graphql-core/src/main/java/com/linkedin/datahub/graphql/authorization/AuthorizationUtils.java
@ -419,5 +419,17 @@ public class AuthorizationUtils {
        new EntitySpec(resourceUrn.getEntityType(), resourceUrn.toString()));
  }

+  public static boolean canManageAssetSummary(@Nonnull QueryContext context, @Nonnull Urn urn) {
+    final DisjunctivePrivilegeGroup orPrivilegeGroups =
+        new DisjunctivePrivilegeGroup(
+            ImmutableList.of(
+                ALL_PRIVILEGES_GROUP,
+                new ConjunctivePrivilegeGroup(
+                    ImmutableList.of(PoliciesConfig.MANAGE_ASSET_SUMMARY_PRIVILEGE.getType()))));
+
+    return AuthorizationUtils.isAuthorized(
+        context, urn.getEntityType(), urn.toString(), orPrivilegeGroups);
+  }
+
  private AuthorizationUtils() {}
 }
--- a/datahub-graphql-core/src/main/java/com/linkedin/datahub/graphql/resolvers/entity/EntityPrivilegesResolver.java
+++ b/datahub-graphql-core/src/main/java/com/linkedin/datahub/graphql/resolvers/entity/EntityPrivilegesResolver.java
@ -181,5 +181,6 @@ public class EntityPrivilegesResolver implements DataFetcher<CompletableFuture<E
    result.setCanEditOwners(OwnerUtils.isAuthorizedToUpdateOwners(context, urn));
    result.setCanEditDescription(DescriptionUtils.isAuthorizedToUpdateDescription(context, urn));
    result.setCanEditLinks(LinkUtils.isAuthorizedToUpdateLinks(context, urn));
+    result.setCanManageAssetSummary(AuthorizationUtils.canManageAssetSummary(context, urn));
  }
 }
--- a/datahub-graphql-core/src/main/resources/auth.graphql
+++ b/datahub-graphql-core/src/main/resources/auth.graphql
@ -363,6 +363,11 @@ type EntityPrivileges {
  Whether the user can view dataset operations
  """
  canViewDatasetOperations: Boolean
+
+  """
+  Whether the user can manage asset summary
+  """
+  canManageAssetSummary: Boolean
 }

 """
--- a/datahub-web-react/src/Mocks.tsx
+++ b/datahub-web-react/src/Mocks.tsx
@ -85,6 +85,7 @@ export const entityPrivileges: EntityPrivileges = {
    canViewDatasetUsage: true,
    canViewDatasetProfile: true,
    canViewDatasetOperations: true,
+    canManageAssetSummary: true,
    __typename: 'EntityPrivileges',
 };

--- a/datahub-web-react/src/app/entityV2/summary/properties/PropertiesHeader.tsx
+++ b/datahub-web-react/src/app/entityV2/summary/properties/PropertiesHeader.tsx
@ -1,11 +1,13 @@
 import React from 'react';

+import { useEntityData } from '@app/entity/shared/EntityContext';
 import PropertiesWithDividerWrapper from '@app/entityV2/summary/properties/PropertiesWithDividerWrapper';
 import AssetPropertiesProvider from '@app/entityV2/summary/properties/context/AssetPropertiesProvider';

 export default function PropertiesHeader() {
-    // TODO: use permissions
-    const editable = true;
+    const { entityData } = useEntityData();
+
+    const editable = !!entityData?.privileges?.canManageAssetSummary;

    return (
        <AssetPropertiesProvider editable={editable}>
--- a/datahub-web-react/src/graphql/fragments.graphql
+++ b/datahub-web-react/src/graphql/fragments.graphql
@ -1795,6 +1795,7 @@ fragment entityPrivileges on EntityPrivileges {
    canViewDatasetUsage
    canViewDatasetProfile
    canViewDatasetOperations
+    canManageAssetSummary
 }

 fragment businessAttribute on BusinessAttributeAssociation {
--- a/metadata-service/war/src/main/resources/boot/policies.json
+++ b/metadata-service/war/src/main/resources/boot/policies.json
@ -80,7 +80,8 @@
        "MANAGE_GLOBAL_OWNERSHIP_TYPES",
        "DELETE_ENTITY",
        "ES_EXPLAIN_QUERY_PRIVILEGE",
-        "EXECUTE_ENTITY"
+        "EXECUTE_ENTITY",
+        "MANAGE_ASSET_SUMMARY"
      ],
      "displayName": "Root User - Edit and View All Resources",
      "description": "Grants all edit and view privileges for all resources to root user.",
@ -259,7 +260,9 @@
        "DELETE_ENTITY",
        "ES_EXPLAIN_QUERY_PRIVILEGE",
        "EDIT_ENTITY_PROPERTIES",
-        "EXECUTE_ENTITY"
+        "EXECUTE_ENTITY",
+        "MANAGE_ASSET_SUMMARY"
+
      ],
      "displayName": "Admins - Metadata Policy",
      "description": "Admins have all metadata privileges.",
@ -344,7 +347,9 @@
        "MANAGE_DATA_PRODUCTS",
        "ES_EXPLAIN_QUERY_PRIVILEGE",
        "EDIT_ENTITY_PROPERTIES",
-        "VIEW_STRUCTURED_PROPERTIES_PAGE"
+        "VIEW_STRUCTURED_PROPERTIES_PAGE",
+        "MANAGE_ASSET_SUMMARY"
+
      ],
      "displayName": "Editors - Metadata Policy",
      "description": "Editors have all metadata privileges.",
@ -499,7 +504,8 @@
        "GET_COUNTS_PRIVILEGE",
        "MANAGE_DATA_PRODUCTS",
        "ES_EXPLAIN_QUERY_PRIVILEGE",
-        "EDIT_ENTITY_PROPERTIES"
+        "EDIT_ENTITY_PROPERTIES",
+        "MANAGE_ASSET_SUMMARY"
      ],
      "displayName": "Asset Owners - Metadata Policy",
      "description": "Asset Owners have all metadata privileges ONLY for assets they own.",
--- a/metadata-utils/src/main/java/com/linkedin/metadata/authorization/PoliciesConfig.java
+++ b/metadata-utils/src/main/java/com/linkedin/metadata/authorization/PoliciesConfig.java
@ -388,6 +388,12 @@ public class PoliciesConfig {
          "Create erModelRelationship",
          "The ability to add erModelRelationship on a dataset.");

+  public static final Privilege MANAGE_ASSET_SUMMARY_PRIVILEGE =
+      Privilege.of(
+          "MANAGE_ASSET_SUMMARY",
+          "Manage Asset Summary",
+          "The ability to manage the asset summary tab for an entity.");
+
  public static final List<Privilege> COMMON_ENTITY_PRIVILEGES =
      ImmutableList.of(
          VIEW_ENTITY_PAGE_PRIVILEGE,
@ -406,7 +412,8 @@ public class PoliciesConfig {
          EDIT_ENTITY_PROPERTIES_PRIVILEGE,
          EDIT_ENTITY_INCIDENTS_PRIVILEGE,
          CREATE_ENTITY_PRIVILEGE,
-          EXISTS_ENTITY_PRIVILEGE);
+          EXISTS_ENTITY_PRIVILEGE,
+          MANAGE_ASSET_SUMMARY_PRIVILEGE);

  // Dataset Privileges
  public static final Privilege EDIT_DATASET_COL_TAGS_PRIVILEGE =