Permissions
Create granular permissions for CRUD operations on any API endpoint.
Overview
-
A permission grants or denies read and write operations and access on a specific entity.
-
An entity maps to an existing API endpoint in the Mage application.
-
A permission can grant or deny access to a specific entity with a specific UUID.
-
Each operation and attribute operation has an access level that denies access to a specific entity for that particular operation or attribute operation.
- When denying an attribute operation, define the set of attributes that the permission forbids the user from querying, reading, or writing.
Operations
List
List
This access level grants permission to perform a GET request
to the collections API endpoint for a specific entity.
Create
Create
This access level grants permission to perform a POST request
to an API endpoint for a specific entity.
Detail
Detail
This access level grants permission to perform a GET request
to the details API endpoint for a specific entity.
Update
Update
This access level grants permission to perform a PUT request
to an API endpoint for a specific entity.
Delete
Delete
This access level grants permission to perform a DELETE request
to an API endpoint for a specific entity.
All operations
All operations
This access level grants allows the following operations to be performed for a specific entity:
- List
- Create
- Detail
- Update
- Delete
Attribute operations
Query
Query
This access level grants permission to use a specific set of query parameters when making an API request for a given entity.
Read
Read
This access level grants permission to read a specific set of attributes from an API response for a specific entity.
Write
Write
This access level grants permission to write a specific set of attributes when submitting a payload in the API request body for a specific entity.
Query attributes
When granting Query access, you must define the set of query parameters this permission allows.
Read attributes
When granting Read access, you must define the set of attributes this permission
allows the user to read.
Write attributes
When granting Write access, you must define the set of attributes this permission
allows the user to write.
Groups
The following access levels contain logic that grants access to multiple operations and attribute operations.
The attribute operation that the group access grants still requires you to define the specific set of attributes that the user is permitted to query, read, or write.
Viewer
Viewer
This access level grants the following for a specific entity:
- Operations
- List
- Detail
- Attribute operations
- Read
Editor
Editor
This access level grants the following for a specific entity:
- Operations
- Everything from Viewer
- Create
- Update
- Delete
- Attribute operations
- Everything from Viewer
- Query
- Write
Admin
Admin
This access level grants the following for a specific entity:
- Operations
- Everything from Viewer
- Everything from Editor
- Attribute operations
- Everything from Viewer
- Everything from Editor
Owner
Owner
This access level grants the following for a specific entity:
- Operations
- Everything from Viewer
- Everything from Editor
- Everything from Admin
- Attribute operations
- Everything from Viewer
- Everything from Editor
- Everything from Admin
All
All
This access level grants every operation, attribute operation, all query attributes, all read attributes, and all write attributes for a specific entity.
Special conditions
Disable unless user has notebook edit access
Disable unless user has notebook edit access
This access level will deny the user from performing an operation or attribute operation on a specific entity unless the user has notebook edit access.
Disable unless user has pipeline edit access
Disable unless user has pipeline edit access
This access level will deny the user from performing an operation or attribute operation on a specific entity unless the user has pipeline edit access.
Disable unless user owns the current entity
Disable unless user owns the current entity
This access level will deny the user from performing an operation or attribute operation on a specific entity unless the user owns the current entity they are attempting to perform an action on.
The only entity this access level supports currently is the User entity.
Entity names
List of available entities
List of available entities
ALLALL_EXCEPT_RESERVEDAutocompleteItemBackfillBlockBlockLayoutItemBlockOutputBlockRunBlockTemplateChartClientPageClusterCustomTemplateDataProviderDatabaseEventMatcherEventRuleExtensionOptionFeatureFileFileContentFileVersionFolderGitBranchGitCustomBranchGitFileGlobalDataProductIntegrationDestinationIntegrationSourceIntegrationSourceStreamInteractionKernelLlmLogMonitorStatOauthOauthAccessTokenOauthApplicationOutputPageBlockLayoutPageComponentPermissionPipelinePipelineInteractionPipelineRunPipelineSchedulePipelineTriggerProjectPullRequestRoleRolePermissionSchedulerSearchResultSecretSessionSparkApplicationSparkEnvironmentSparkExecutorSparkJobSparkSqlSparkStageSparkStageAttemptSparkStageAttemptTaskSparkStageAttemptTaskSummarySparkThreadStatusSyncTagUserUserRoleVariableWidgetWorkspace
ALL
Using this entity for a permission will grant the operation or attribute operation for every entity listed above.
ALL_EXCEPT_RESERVED
Using this entity for a permission will grant the operation or attribute operation for every entity listed except the following entities:
OauthOauthAccessTokenOauthApplicationWorkspace