Skip to main content
Policy Cover
Datazone’s policy system provides flexible, fine-grained access control through role-based permissions. Policies define what actions users can perform on resources, supporting both flat and hierarchical resource patterns with explicit allow/deny rules.

Key Features

  • Role-based: Policies are bound to roles, not individual users
  • Hierarchical: Support for project-scoped resources (e.g., project:<id>:dataset:*)
  • Explicit deny: Deny statements override allow statements
  • Extra constraints: Resource-specific restrictions (row-level security, column filtering, path prefixes)
  • Wildcard support: Use * for flexible matching across resources and actions
  • Branch-aware: Optional branch specification for version control
Policy Diagram

Policy Structure

Each policy consists of one or more statements that define access rules: 
{
  "resource": "<string>",
  "branch": "<string | null>",
  "actions": ["<string>"],
  "effect": "allow" | "deny",
  "extra_constraints": {
    "<string>": "<value>"
  }
}

Fields

FieldTypeDescription
resourcestringResource pattern (supports wildcards and hierarchical patterns)
branchstring | nullOptional branch name (defaults to main)
actionsarrayList of actions in <resource>:<action> format
effectenumEither "allow" or "deny"
extra_constraintsobjectResource-specific constraints (optional)

Resource Patterns

Resources follow a hierarchical pattern that supports various levels of specificity:

Flat Resources

PatternScopeDescription
*AllAll resources in the organization
datasetTypeDataset type (for creation permission)
dataset:*All instancesAll dataset instances
dataset:<id>SpecificA specific dataset by ID

Hierarchical Resources

Hierarchical patterns enable project-scoped permissions:
PatternScopeDescription
project:<id>:*All childrenAll entities within the project
project:<id>:dataset:*Typed childrenAll datasets within the project
project:<id>:dataset:<id>Specific childSpecific dataset within the project

Supported Resource Types

  • dataset - Data tables in the lakehouse
  • project - Project containers
  • view - Virtual views over datasets
  • schedule - Automated execution schedules
  • extract - Data ingestion jobs
  • compute - Compute resources
  • api_key - API authentication keys
  • user - User accounts
  • role - User roles
  • notebook - Interactive analysis notebooks
  • pipeline - Data transformation pipelines
  • endpoint - REST API endpoints
  • intelligent_app - Dashboard applications
  • variable - Environment variables

Actions

Actions follow the <resource>:<action> format and define what operations can be performed:

Action Patterns

  • dataset:read - Read access to datasets
  • dataset:write - Modify datasets
  • dataset:delete - Delete datasets
  • dataset:execute - Execute operations on datasets
  • dataset:manage - Full management access
  • dataset:create - Create new datasets
  • dataset:* - All dataset actions
  • *:read - Read access to all resources
  • *:* - All actions on all resources

Common Actions

ActionDescription
<resource>:readView the resource
<resource>:writeModify the resource
<resource>:deleteDelete the resource
<resource>:createCreate new instances
<resource>:executeExecute operations
<resource>:manageFull control (includes all above)
<resource>:*All actions for that resource

Exceptional Actions

  • project:read_repository - Read access to project code repository
  • endpoint:invoke - Permission to call an API endpoint

Policy Examples

Read-Only Access

Grant read access to all resources: 
{
  "name": "Read-Only Policy",
  "statements": [
    {
      "resource": "*",
      "actions": ["*:read"],
      "effect": "allow"
    }
  ]
}

Dataset Admin

Full control over all datasets: 
{
  "name": "Dataset Admin",
  "statements": [
    {
      "resource": "dataset",
      "actions": ["dataset:create"],
      "effect": "allow"
    },
    {
      "resource": "dataset:*",
      "actions": ["dataset:*"],
      "effect": "allow"
    }
  ]
}

Project Admin

Full control over a specific project and all its resources: 
{
  "name": "Project Admin",
  "statements": [
    {
      "resource": "project:66be5fc75158d037e9970c6d",
      "actions": ["project:*"],
      "effect": "allow"
    },
    {
      "resource": "project:66be5fc75158d037e9970c6d:*",
      "actions": ["*:*"],
      "effect": "allow"
    }
  ]
}
This allows the user to:
  • Manage the project itself (project:*)
  • Create and manage all child resources (datasets, notebooks, pipelines, etc.)

Restricted Access with Deny

Allow read access to all datasets except one specific dataset: 
{
  "name": "Restricted Read",
  "statements": [
    {
      "resource": "dataset:*",
      "actions": ["dataset:read"],
      "effect": "allow"
    },
    {
      "resource": "dataset:507f1f77bcf86cd799439011",
      "actions": ["dataset:read"],
      "effect": "deny"
    }
  ]
}
Deny statements always override allow statements, regardless of order.

Project-Scoped Dataset Access

Grant access to datasets within a specific project only: 
{
  "name": "Project Dataset Access",
  "statements": [
    {
      "resource": "project:66be5fc75158d037e9970c6d:dataset:*",
      "actions": ["dataset:read", "dataset:write"],
      "effect": "allow"
    }
  ]
}

Data Analyst Role

Typical permissions for a data analyst: 
{
  "name": "Data Analyst",
  "statements": [
    {
      "resource": "dataset:*",
      "actions": ["dataset:read"],
      "effect": "allow"
    },
    {
      "resource": "notebook",
      "actions": ["notebook:create"],
      "effect": "allow"
    },
    {
      "resource": "notebook:*",
      "actions": ["notebook:*"],
      "effect": "allow"
    },
    {
      "resource": "view:*",
      "actions": ["view:read"],
      "effect": "allow"
    }
  ]
}

Built-in Policies

Datazone provides several built-in policies for common use cases:

Admin Policy

Full access to all resources: 
{
  "resource": "*",
  "actions": ["*:*"],
  "effect": "allow"
}

Best Practices

Policy Design

  1. Start restrictive: Begin with minimal permissions and add as needed
  2. Use hierarchical patterns: Organize permissions by project for better management
  3. Leverage deny sparingly: Use deny for exceptions to broad allow rules
  4. Document policies: Add clear descriptions to explain policy intent

Role Assignment

  1. Bind to roles only: Policies are assigned to roles, not individual users
  2. Create role hierarchies: Use multiple roles for different permission levels (Viewer, Editor, Admin)
  3. Audit regularly: Review policy assignments periodically

Performance

  1. Cache aware: Policies are cached; changes may take a few seconds to propagate
  2. Granular resources: Use specific resource IDs when possible to reduce evaluation complexity
  3. Minimize deny statements: They require checking all policies

Security

  1. Principle of least privilege: Grant only necessary permissions
  2. Explicit denies: Use deny statements to override broad allows for sensitive resources
  3. Extra constraints: Apply row-level and column-level security for sensitive data
  4. Path restrictions: Use path_prefix constraints to sandbox project access

Validation Rules

Policies are validated automatically to ensure correctness:

Action Format

  • Must follow <resource>:<action> pattern
  • Both parts must be lowercase with underscores
  • Wildcards allowed: *:*, dataset:*, *:read
Valid:
  • dataset:read
  • project:*
  • *:*
Invalid:
  • dataset (missing action)
  • Dataset:Read (uppercase)
  • read (missing resource)

Resource Pattern

  • Must be valid resource type or wildcard
  • ObjectIds must be valid MongoDB ObjectIds
  • Hierarchical patterns must follow parent:<id>:child format
Valid:
  • dataset:*
  • project:507f1f77bcf86cd799439011
  • project:507f1f77bcf86cd799439011:dataset:*
Invalid:
  • dataset:invalid-id
  • project::dataset:*

Action-Resource Matching

Actions must match the resource type they’re applied to: 
{
  "resource": "dataset:*",
  "actions": ["dataset:read"],  // ✓ Valid
  "effect": "allow"
}

{
  "resource": "dataset:*",
  "actions": ["project:read"],  // ✗ Invalid - mismatched types
  "effect": "allow"
}
Exception: Wildcard actions (*:*) can be used on any resource.

Troubleshooting

Permission Denied Errors

If you encounter permission denied errors:
  1. Check user roles: Verify the user has the appropriate role assigned
  2. Review policy statements: Ensure the policy includes the required action and resource
  3. Look for deny statements: Check if an explicit deny is overriding an allow
  4. Verify resource IDs: Ensure you’re using the correct resource identifier
  5. Check cache: Wait a few seconds for policy changes to propagate

Hierarchical Permissions Not Working

If project-scoped permissions aren’t working:
  1. Verify pattern format: Use project:<id>:* not project:*:<id>
  2. Check parent context: Ensure the resource creation includes project reference
  3. Review cache: Hierarchical relationships are cached; wait 5 minutes or invalidate cache
  4. Validate ObjectIds: All IDs must be valid MongoDB ObjectIds

Performance Issues

If policy evaluation is slow:
  1. Reduce policy complexity: Simplify nested hierarchies
  2. Use specific resources: Prefer dataset:<id> over broad wildcards when possible
  3. Monitor cache health: Ensure Redis is functioning properly
  4. Check database queries: Hierarchical policies should use cache, not database

Roles

Learn about role management and user assignment

Authentication

Understand authentication and token management

API Keys

Generate and manage API keys for programmatic access

Projects

Organize resources within projects