Version: v4.6

Permission profiles

A permission profile is a set of permissions. You can assign a permission profile to a resource, such as a datasources orchestrator.

Permission context

If a permission profile is assigned to a resource such as a datasources orchestrator, every action performed by the orchestrator's steps runs in the permission context of the assigned permission profile. The permission context of the user who creates or executes the orchestrator is not considered.


Permission profile assignment for orchestrators

A user who assigns a permission profile to an orchestrator must have ASSIGN permission for that permission profile. A user can assign a permission profile to an orchestrator when the orchestrator is created or edited. If you edit an existing orchestrator to assign it a permission profile, the orchestrator executes in that permission context on its next run and on all subsequent runs.

Permission profile creation

Permission profiles are created in the permission context of the user who creates them. That user must have permission to create a permission profile in the given namespace, and must hold the permissions needed to grant access as defined by the list of permissions in the permission profile being created.

For more information on creating a permission profile, see Permission profiles REST API.

Permission profile authentication flow

The following diagram shows an example of the authentication flow for a permission profile when a user creates and executes an orchestrator.

Note: Only trusted clients such as the File Service, Datasources Service, and Item Service can obtain an access token for a permission profile.

Callout  Description
1        A user with ASSIGN permission sends a request to create an orchestrator with a permission profile ID.
1.1      The orchestrator is created in the Datasources Service and assigned the permission profile ID.
1.2      The Datasources Service sends an orchestrator response.
2        The user or an orchestrator schedule runs the orchestrator.
2.1      The Datasources Service sends a token POST request to the Passport Service.
2.2      The Passport Service sends a token response to the Datasources Service.
2.3      An orchestrator task in the Datasources Service requests to import a model in the Item Service, using the permission profile access token.
2.4      The Item Service requests authorization of the token from the Passport Service.
2.5      The Passport Service authenticates the token and sends a response to the Item Service.
2.6      The Item Service sends a response to the Datasources Service with the requested data.
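The following is an added example, not code from the product or this documentation. It models the rules described above (ASSIGN is checked at assignment time, a profile creator must already hold what the profile grants, only trusted clients can obtain a profile access token, and a run executes in the profile's context rather than the triggering user's) as a small in-memory simulation of the Datasources, Passport and Item services. All class, method and permission names (such as "item:import" and "profile:create:<namespace>") are assumptions made for the example; the real services expose a REST API not shown here.

```python
# Added example (not product code): toy model of permission-profile checks.
# Service, method and permission names are assumptions for illustration.
from dataclasses import dataclass
from typing import Optional
import secrets


class Forbidden(Exception):
    """Raised when a permission check fails."""


@dataclass(frozen=True)
class PermissionProfile:
    profile_id: str
    namespace: str
    permissions: frozenset  # actions the profile grants, e.g. {"item:import"}


@dataclass(frozen=True)
class User:
    name: str
    permissions: frozenset          # actions the user may perform directly
    assignable_profiles: frozenset  # profile IDs the user holds ASSIGN on


class PermissionProfileStore:
    def __init__(self):
        self.profiles = {}

    def create_profile(self, user, profile):
        # Creation runs in the creator's context: the creator needs the create
        # right for the namespace and must already hold every permission the
        # new profile would grant, so a profile cannot be used to escalate.
        if f"profile:create:{profile.namespace}" not in user.permissions:
            raise Forbidden(f"{user.name} cannot create profiles in {profile.namespace}")
        missing = profile.permissions - user.permissions
        if missing:
            raise Forbidden(f"{user.name} cannot grant {sorted(missing)}")
        self.profiles[profile.profile_id] = profile
        return profile


# Only first-party services may obtain profile access tokens (page's note).
TRUSTED_CLIENTS = frozenset({"datasources-service", "file-service", "item-service"})


class PassportService:
    def __init__(self, store):
        self._store = store
        self._tokens = {}  # opaque random token -> profile_id

    def issue_token(self, client_id, profile_id):  # callouts 2.1 / 2.2
        if client_id not in TRUSTED_CLIENTS:
            raise Forbidden(f"{client_id} is not a trusted client")
        if profile_id not in self._store.profiles:
            raise Forbidden(f"unknown profile {profile_id}")
        token = secrets.token_urlsafe(16)
        self._tokens[token] = profile_id
        return token

    def authorize(self, token, action):  # callouts 2.4 / 2.5
        profile_id = self._tokens.get(token)
        return profile_id is not None and action in self._store.profiles[profile_id].permissions


class ItemService:
    def __init__(self, passport):
        self._passport = passport

    def import_model(self, token, model_name):  # callouts 2.3 / 2.6
        if not self._passport.authorize(token, "item:import"):
            raise Forbidden("token lacks item:import")
        return {"imported": model_name}


@dataclass
class Orchestrator:
    orchestrator_id: str
    profile_id: Optional[str] = None


class DatasourcesService:
    def __init__(self, passport, item_service):
        self._passport, self._items = passport, item_service

    def create_orchestrator(self, user, orchestrator_id, profile_id=None):  # callout 1
        if profile_id is not None and profile_id not in user.assignable_profiles:
            raise Forbidden(f"{user.name} lacks ASSIGN on {profile_id}")
        return Orchestrator(orchestrator_id, profile_id)

    def run(self, orchestrator, model_name):  # callout 2
        # The run uses a token for the profile; whoever triggered it is never consulted.
        token = self._passport.issue_token("datasources-service", orchestrator.profile_id)
        return self._items.import_model(token, model_name)


def walkthrough():
    """Constructed scenario; returns the outcome of each check."""
    store = PermissionProfileStore()
    passport = PassportService(store)
    ds = DatasourcesService(passport, ItemService(passport))
    admin = User("admin", frozenset({"profile:create:analytics", "item:import"}), frozenset({"pp-1"}))
    analyst = User("analyst", frozenset({"profile:create:analytics"}), frozenset({"pp-1"}))
    intern = User("intern", frozenset(), frozenset())  # holds no ASSIGN on pp-1
    results = {}
    store.create_profile(admin, PermissionProfile("pp-1", "analytics", frozenset({"item:import"})))
    try:  # analyst may create profiles but holds no item:import to grant
        store.create_profile(analyst, PermissionProfile("pp-2", "analytics", frozenset({"item:import"})))
        results["escalation_blocked"] = False
    except Forbidden:
        results["escalation_blocked"] = True
    try:
        ds.create_orchestrator(intern, "orch-x", "pp-1")
        results["assign_blocked"] = False
    except Forbidden:
        results["assign_blocked"] = True
    orch = ds.create_orchestrator(analyst, "orch-1", "pp-1")
    # analyst has no item:import, yet the run succeeds in the profile's context
    results["run_in_profile_context"] = ds.run(orch, "model-42")
    try:
        passport.issue_token("browser-app", "pp-1")
        results["untrusted_client_blocked"] = False
    except Forbidden:
        results["untrusted_client_blocked"] = True
    return results


if __name__ == "__main__":
    print(walkthrough())
```

The point a reviewer of such a design would check is where each decision is made: ASSIGN at assignment, the grant check at profile creation, the trusted-client check at token issuance, and the action check at the Item Service. Because the run never sees the triggering user's identity, removing a user's rights later does not change what an orchestrator they already configured can do; the profile itself is what has to be managed.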