About user roles and access privileges

User roles and project roles

Studio roles are divided into Studio-wide user roles and project-specific roles. The user roles are Administrator, Power User, Restricted User, and User. These roles control access to Studio features in data sets, projects, and Studio administrative configuration. The project-specific roles are Project Author and Project Restricted User. These roles control access to project-specific configuration and project data. All Studio users have a user role, and they may also have project-specific roles that have been assigned to them individually or to any of their user groups.

Administrators can assign user roles. They also have Project Author access to all projects, which allows them to assign project roles as well.

Inherited roles

A Studio user might have a number of assigned roles. In addition to a user role, they may have a project-specific role and belong to a user group that grants additional roles. In these cases, the highest privileges apply to each area of Studio, regardless of if these privileges have been assigned directly or inherited from a user group.

User Roles

The user roles are as follows:

Role	Description
Administrator	Administrators have full access to all features in Studio. Administrators can: Access the Control Panel Create and delete data sets and projects Transform data within a project View, configure, and manage all projects
Power User	Power users can: Create and delete data sets and projects Transform data within a project Export data to HDFS and create new data sets View, configure, and manage projects for which they have a project role Edit their account information Power users cannot: Access the Control Panel
User	Users can: Create and delete data sets and projects Transform data within a project View, configure, and manage projects for which they have a project role Edit their account information Users cannot: Access the Control Panel Export data to HDFS
Restricted User	This is the default user role for new users. It has the most restricted privileges and is essentially a read-only role. This is the default user role for new users. Restricted users can: Create new projects View data sets in the Catalog View, configure, and manage projects for which they have a project role Restricted users cannot: Edit their account information Access the Control Panel Create new data sets Transform data within a project Export data to HDFS

Note: Power Users, Users, and Restricted Users have no project roles by default, but they can access any projects that grant roles to the All Big Data Discovery users group. They can also access projects for which they have a project role, outlined below.

Project Roles

Project roles grant access privileges to project content and configuration. You can assign project roles to individual users or to user groups, and they define access to a given project regardless of a user's user role in Big Data Discovery Studio. The roles are:

Role	Description
Project Author	Project authors can: Configure and manage a project Add or remove users and user groups Assign user and user group roles Transform project data Export project data Project authors cannot: Create new data sets Access the Big Data Discovery Control Panel
Project Restricted User	Project Restricted Users can: View a project and navigate through the configured pages Add and configure project pages and components Project restricted users cannot: Access Project Settings Create new data sets Transform data Export project data

Data set access levels

In addition to the global feature access and project level access controlled by user roles and project roles, some deployments may require access controls at the data set level. Since data sets are a fundamental component of Big Data Discovery, this requires granting or denying access to data sets on a case-by-case basis.

Note: You cannot set permissions to "Default Access" or "No Access" for individual users, only for user groups.

Access Level	Description
No Access (User Groups only)	The user group cannot access the data set. The data set does not show up for this user or group in the Catalog.
Default Access (User Groups only)	The user group has default access to the data set. The "default" access level is set via the `df.defaultAccessForDerivedDataSets` setting on the Studio Settings page in the Control Panel.
Read-only	Users with Read access to a data set can See the data set in search results or by browsing the Catalog Explore the data set Add the data set to a project and modify it within the project
Read/Write	In addition to Read permissions, users with Write access to a data set can Modify data set metadata such as description, searchable tags, and global attribute metadata Manage access to the data set

Users have No Access to any data set uploaded from a file by another user; only the file uploader and Studio Administrators have access, and both have the Read/Write permissions level.

As an example of using these access levels, you may wish to restrict default data set access "Read-only" and assign the "Default Access" level to all non-Administrative user groups. This gives all users the ability to add data sets to a project and modify them there. You can then create a "Data Curators" group that has Read/Write access to data sets in order to configure attribute metadata and data set details globally to make it easier for your users to navigate the Catalog. The group effectively becomes an additional level of permissions on top of whatever other access its users have.

Important: A user without any access to a data set can still explore the data they are a Project Restricted User or Project Author on a project that uses the data set. Project Authors can use the Transform operations to create a duplicate data set and gain access to the new data set. Similarly, a user with Read-only access to a data set can create a project using that data set and then execute transformations against the data if the default data set permissions include Write access. If you are working with sensitive information, consider this when assigning project roles and data set permissions.