To see all operations available on permissions:
okdata permissions -h
What are permissions
Permissions allow fine-grained control over who can do what with which
resources in the dataplatform. We use users, scopes, and resource names to
give the who/what/which parts, respectively, so a permission can be viewed as a
triple:
<user>, <scope>, <resource_name>
Meaning that <user> is allowed to do <scope> on <resource_name>. For instance:
janedoe, okdata:dataset:read, okdata:dataset:my-dataset
Meaning that the user janedoe is allowed to perform read operations on the
dataset my-dataset.
The <user> part can be either a user ID (username), a team ID, which grants
the permission to every member of the given team, or a client ID, in case you've
been assigned a machine client user by the dataplatform team.
Scopes consist of three parts separated by colons: a namespace, a resource type, and the permission itself. Permissions currently only apply to datasets, though this might be extended in the future. For now, the available scopes are:
okdata:dataset:admin, allowing the user to modify the permissions for the given dataset.
okdata:dataset:read, allowing the user to see/download data from the given dataset.
okdata:dataset:update, allowing the user to change metadata for the given dataset, like its title and description.
okdata:dataset:write, allowing the user to write/upload new data to the given dataset.
Resource names also consist of three parts separated by colons: a namespace, a
resource type, and the resource ID itself. The only resource type currently
available is okdata:dataset, and the resource ID becomes the ID of the dataset.
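The triple, scope, and resource-name rules above can be checked mechanically when reviewing who holds access. The following is an added example, not code from the okdata project: it assumes permissions written one per line in this page's "<user>, <scope>, <resource_name>" notation and that resource IDs contain no colon; the function names and sample data are constructed for illustration.

```python
from collections import defaultdict

# The four scopes listed on this page.
SCOPES = {"okdata:dataset:admin", "okdata:dataset:read",
          "okdata:dataset:update", "okdata:dataset:write"}

def parse_permission(line):
    """Parse and validate one '<user>, <scope>, <resource_name>' triple."""
    parts = [p.strip() for p in line.split(",")]
    if len(parts) != 3 or not all(parts):
        raise ValueError(f"not a permission triple: {line!r}")
    user, scope, resource = parts
    if scope not in SCOPES:
        raise ValueError(f"unknown scope: {scope!r}")
    res = resource.split(":")  # assumption: resource IDs contain no colon
    if len(res) != 3 or not all(res):
        raise ValueError(f"malformed resource name: {resource!r}")
    if scope.split(":")[:2] != res[:2]:  # namespace and resource type must agree
        raise ValueError(f"scope {scope!r} does not apply to {resource!r}")
    return user, scope, resource

def audit(lines):
    """Return (grants, admins, rejected) for a list of triples."""
    grants, rejected = defaultdict(set), []
    for line in lines:
        try:
            user, scope, resource = parse_permission(line)
        except ValueError as exc:
            rejected.append(str(exc))
            continue
        grants[(user, resource)].add(scope)
    # admin holders can change who else has access, so review them first
    admins = sorted(k for k, v in grants.items() if "okdata:dataset:admin" in v)
    return dict(grants), admins, rejected

# Constructed sample input (not real platform data).
SAMPLE = [
    "janedoe, okdata:dataset:read, okdata:dataset:my-dataset",
    "janedoe, okdata:dataset:admin, okdata:dataset:my-dataset",
    "my-team, okdata:dataset:write, okdata:dataset:my-dataset",
    "johndoe, okdata:dataset:delete, okdata:dataset:my-dataset",  # no such scope
    "johndoe, okdata:dataset:read, my-dataset",  # resource name lacks prefix
]

if __name__ == "__main__":
    grants, admins, rejected = audit(SAMPLE)
    print("admin holders:", admins)
    for reason in rejected:
        print("rejected:", reason)
```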
The following command lists all permissions tied to the current user:
okdata permissions ls
To list all permissions for a specific resource, the following command is used:
okdata permissions ls <resource_name>
okdata permissions ls okdata:dataset:my-dataset
This will list every permission associated with the dataset my-dataset.
Granting and revoking permissions
The commands for granting and revoking permissions to and from users are:
okdata permissions add <resource_name> <user> <scope>
okdata permissions rm <resource_name> <user> [<scope>]
The format of resource_name, user, and scope is explained in the previous
section.
Here is an example where the user janedoe is given read access to the dataset
my-dataset:
okdata permissions add okdata:dataset:my-dataset janedoe okdata:dataset:read
And to revoke that same permission:
okdata permissions rm okdata:dataset:my-dataset janedoe okdata:dataset:read
The scope parameter is optional for rm. When omitted, all permissions for
the user on the given resource are revoked.
Both commands support additional
--client flags, which are used
when the given user ID belongs to a team or a machine user, instead of a person