Access Control
Overview
Sifflet offers a flexible access management system that allows you to customize the level at which you control access to your resources.
Role-based access control
Sifflet relies on role-based access control to ensure that only authorized individuals can access specific resources or perform specific actions. Roles can be assigned to both users and tokens.
User roles vary based on the domain, resulting in differing permissions for resources across various domains and platform configurations. Sifflet resources are classified into two distinct types:
- Domain resources: These include items such as catalog and lineage assets, monitors, incidents, and their related dashboards. Typically, domain resources are grouped into domains to mirror a specific business area (such as Finance, Operations etc...) or team (Data Einngineering, Data Stewards etc...). For further details about Domains, you can refer to this documentation.
- System resources: These resources, not tied to any specific domain, are used for platform administration. It includes Users, Authentication Settings, Tags, Data Sources management, Domains management, and Glossary.
Every Sifflet user receives a System Role and one or more Domain Roles based on the number of domains they are associated with.
Domain "All"
In case there is no domains defined on the platform, all users will default to the "All" domain. The domain role will be enforced across all the data assets connected to the platform.
System Role
System roles define the type of access the user has to a given setting resource. Typically, these roles provide the user the right to create, edit, and delete a resource.
By default, Sifflet offers three System Roles: Admin, System Editor and System Viewer.
| System Resource | Actions | Admin | System Editor | System Viewer |
|---|---|---|---|---|
| Integrations | ||||
| Integrations management | create, edit, delete, trigger run | ✅ | ✅ | ❌ |
| Secrets management | read, create, edit, delete | ✅ | ❌ | ❌ |
| Glossary | ||||
| Terms | read | ✅ | ✅ | ✅ |
| Terms | create, edit, delete | ✅ | ✅ | ❌ |
| Settings | ||||
| Tags | read | ✅ | ✅ | ✅ |
| Tags | create, edit, delete | ✅ | ✅ | ❌ |
| Domains | read, create, edit, delete | ✅ | ❌ | ❌ |
| Users | read, create, edit, delete | ✅ | ❌ | ❌ |
| Access Tokens | read, create, delete | ✅ | ❌ | ❌ |
| SSO | read, create, edit, delete | ✅ | ❌ | ❌ |
| Alert Destinations | read, create, edit, delete | ✅ | ❌ | ❌ |
Domain Role
Domain roles define the type of access the user has to a given domain resource. By default, Sifflet offers two Domain Roles: Domain Editor and Domain Viewer.
| Domain resource | Action | Domain Editor | Domain Viewer |
|---|---|---|---|
| Catalog | |||
| Data assets | search through the catalog | ✅ | ✅ |
| Data assets | read | ✅ | ✅ |
| Data assets | data preview | ✅ | ❌ |
| Data assets | metadata edit (manual or through AI suggestions) | ✅ | ❌ |
| Monitors | |||
| Monitors | read (overview, runs details, parameters details) | ✅ | ✅ |
| Monitors | create, edit, delete, run | ✅ | ❌ |
| Monitors | show failing rows | ✅ | ❌ |
| Monitors | qualify runs for ML models feedbacks | ✅ | ❌ |
| Incidents | |||
| Incidents | assign, status update, close | ✅ | ❌ |
Multiple domain access
Users may be associated to multiple domains: for example, a user can be a Domain Viewer in Domain A and a Domain Editor in Domain B.
Token Roles
Access Tokens allow you to programmatically interact with Sifflet objects through the API, CLI and Airflow Operator.
By default, Sifflet offers three Token Roles: Admin, Editor, Viewer:
| Resource | Action | Admin | Editor | Viewer |
|---|---|---|---|---|
| Catalog | ||||
| Data assets | search through the catalog | ✅ | ✅ | ✅ |
| Data assets | read | ✅ | ✅ | ✅ |
| Data assets | data preview | ✅ | ✅ | ❌ |
| Data assets | metadata edit (manual or through AI suggestions) | ✅ | ✅ | ❌ |
| Monitors | ||||
| Monitor | read (overview, runs details, parameters details) | ✅ | ✅ | ❌ |
| Monitor | create, edit, delete, run | ✅ | ✅ | ❌ |
| Monitor | show failing rows | ✅ | ✅ | ❌ |
| Monitor | qualify runs for ML models feedbacks | ✅ | ✅ | ❌ |
| Incidents | ||||
| Incidents | assign, status update, close | ✅ | ✅ | ❌ |
| Glossary | ||||
| Terms | read | ✅ | ✅ | ✅ |
| Terms | create, edit, delete | ✅ | ✅ | ❌ |
| Integrations | ||||
| Secrets management | read, create, edit, delete | ✅ | ❌ | ❌ |
| Integrations management | create, edit, delete, trigger run | ✅ | ✅ | ❌ |
| Integrations management | Submit dbt metadata files and trigger the related datasource refresh | ✅ | ✅ | ❌ |
| Integrations management | Create declarative pipeline & edge lineage | ✅ | ❌ | ❌ |
| Settings | ||||
| Tags | read | ✅ | ✅ | ✅ |
| Tags | create, edit, delete | ✅ | ✅ | ❌ |
| Domains | read, create, edit, delete | ✅ | ❌ | ❌ |
| Users | read, create, edit, delete | ✅ | ❌ | ❌ |
| Access Token | read, create, delete | ✅ | ❌ | ❌ |
| SSO | read, create, edit, delete | ✅ | ❌ | ❌ |
| Alert Destinations | read, create, edit, delete | ✅ | ❌ | ❌ |
Important
Tokens use special Sifflet roles and are not domain-specific, granting access to all domains.
Updated 2 months ago